Your message dated Fri, 05 May 2017 18:03:45 +0000
with message-id <e1d6hzx-000fbq...@fasolo.debian.org>
and subject line Bug#861834: fixed in libtirpc 0.2.5-1.2
has caused the Debian Bug report #861834,
regarding libtirpc: CVE-2017-8779
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
861834: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861834
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libtirpc
Version: 0.2.5-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
Control: clone -1 -2
Control: reassign -2 src:rpcbind
Control: found -2 0.2.1-6
Hi,
the following vulnerability was published for libtirpc.
CVE-2017-8779[0]:
| rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through
| 1.0.2-rc3, and NTIRPC through 1.4.3 do not consider the maximum RPC
| data size during memory allocation for XDR strings, which allows remote
| attackers to cause a denial of service (memory consumption with no
| subsequent free) via a crafted UDP packet to port 111, aka rpcbomb.
Note that the rpcbind version needs to be built with a fixed version
of libtirpc, as it needs some new code in libtirpc.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-8779
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8779
[1] http://www.openwall.com/lists/oss-security/2017/05/03/12
[2] https://github.com/guidovranken/rpcbomb/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
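Added illustration, not libtirpc's code and not part of this report: a minimal model of the defect the CVE text describes, an XDR string decoder that allocates from a peer-supplied length and drops the buffer on its failure path, beside a hardened form that bounds the length by an assumed RPC_MAXDATASIZE and by the bytes actually present before allocating. The decoder names, the sample packets and the bound value are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of the rpcbomb defect class, not libtirpc's code. An XDR string is
 * a 4-byte big-endian length, the bytes, then padding to 4. RPC_MAXDATASIZE is assumed. */
#define RPC_MAXDATASIZE 9000u
typedef struct { const uint8_t *buf; size_t len, pos; } xdr_t;
static bool get_u32(xdr_t *x, uint32_t *n) {
    const uint8_t *p = x->buf + x->pos;
    if (x->len - x->pos < 4) return false;
    *n = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    x->pos += 4; return true;
}
/* Defective pattern: malloc from the peer-supplied length before checking it,
 * and drop the buffer on the error path. */
bool xdr_string_leaky(xdr_t *x, char **out) {
    uint32_t n;
    if (!get_u32(x, &n) || (*out = malloc((size_t)n + 1)) == NULL) return false;
    if (x->len - x->pos < n) return false;          /* leak: *out never freed */
    memcpy(*out, x->buf + x->pos, n); (*out)[n] = '\0'; x->pos += n;
    return true;
}
/* Hardened: bound the length by RPC_MAXDATASIZE and by the bytes actually
 * present (padding included) before allocating; never leave *out dangling. */
bool xdr_string_safe(xdr_t *x, char **out) {
    uint32_t n; *out = NULL;
    if (!get_u32(x, &n)) return false;
    size_t pad = (4 - n % 4) % 4;
    if (n > RPC_MAXDATASIZE || x->len - x->pos < (size_t)n + pad) return false;
    if ((*out = malloc((size_t)n + 1)) == NULL) return false;
    memcpy(*out, x->buf + x->pos, n); (*out)[n] = '\0'; x->pos += n + pad;
    return true;
}
/* Constructed inputs. demo_valid: 0 if "hello" decodes and its padding is consumed. */
int demo_valid(void) {
    static const uint8_t msg[] = {0,0,0,5,'h','e','l','l','o',0,0,0};
    xdr_t x = {msg, sizeof msg, 0}; char *s;
    int ok = xdr_string_safe(&x, &s) && strcmp(s, "hello") == 0 && x.pos == 12;
    free(s); return ok ? 0 : -1;
}
/* A header claiming 65536 bytes with none behind it: the leaky decoder mallocs
 * 65537 bytes and loses them (returns 1 here), the safe one rejects before malloc. */
int demo_oversized(void) {
    static const uint8_t msg[] = {0x00,0x01,0x00,0x00};
    xdr_t a = {msg, sizeof msg, 0}, b = a; char *s = NULL, *t = NULL;
    bool leaked = !xdr_string_leaky(&a, &s) && s != NULL; free(s);
    return (!xdr_string_safe(&b, &t) && t == NULL) ? (int)leaked : -1;
}
```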
--- Begin Message ---
Source: libtirpc
Source-Version: 0.2.5-1.2
We believe that the bug you reported is fixed in the latest version of
libtirpc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 861...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated libtirpc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 05 May 2017 17:24:41 +0200
Source: libtirpc
Binary: libtirpc-dev libtirpc1
Architecture: source
Version: 0.2.5-1.2
Distribution: unstable
Urgency: high
Maintainer: Anibal Monsalve Salazar <ani...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 861834
Description:
libtirpc-dev - transport-independent RPC library - development files
libtirpc1 - transport-independent RPC library
Changes:
libtirpc (0.2.5-1.2) unstable; urgency=high
.
* Non-maintainer upload.
* CVE-2017-8779: Memory leak when failing to parse XDR strings or bytearrays
(Closes: #861834)
--- End Message ---