Your message dated Sun, 04 Jun 2017 09:33:44 +0000
with message-id <e1dhruq-0009yw...@fasolo.debian.org>
and subject line Bug#854727: fixed in zziplib 0.13.62-3.1
has caused the Debian Bug report #854727,
regarding zziplib: Multiple vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
854727: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854727
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: zziplib
Severity: grave
Tags: security

Hi,
multiple security issues have been found in zziplib by Agostino Sarubbo
of Gentoo:

http://www.openwall.com/lists/oss-security/2017/02/09/10
http://www.openwall.com/lists/oss-security/2017/02/09/11
http://www.openwall.com/lists/oss-security/2017/02/09/12
http://www.openwall.com/lists/oss-security/2017/02/09/13
http://www.openwall.com/lists/oss-security/2017/02/09/14
http://www.openwall.com/lists/oss-security/2017/02/09/15
http://www.openwall.com/lists/oss-security/2017/02/09/16
http://www.openwall.com/lists/oss-security/2017/02/09/17
http://www.openwall.com/lists/oss-security/2017/02/09/18
http://www.openwall.com/lists/oss-security/2017/02/09/19
http://www.openwall.com/lists/oss-security/2017/02/09/20

He points out that upstream seems dead:
http://www.openwall.com/lists/oss-security/2017/02/09/21

Aside from that, there's also older, unacknowledged bugs from the
Mayhem project in the BTS.

So unless you want to pick up upstream maintenance yourself, we should
rather remove zziplib from stretch.

Cheers,
        Moritz

--- End Message ---
--- Begin Message ---
Source: zziplib
Source-Version: 0.13.62-3.1

We believe that the bug you reported is fixed in the latest version of
zziplib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 854...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <j...@debian.org> (supplier of updated zziplib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 04 Jun 2017 09:03:20 +0200
Source: zziplib
Binary: zziplib-bin libzzip-0-13 libzzip-dev
Architecture: source amd64
Version: 0.13.62-3.1
Distribution: unstable
Urgency: medium
Maintainer: Scott Howard <show...@debian.org>
Changed-By: Moritz Muehlenhoff <j...@debian.org>
Description:
 libzzip-0-13 - library providing read access on ZIP-archives - library
 libzzip-dev - library providing read access on ZIP-archives - development
 zziplib-bin - library providing read access on ZIP-archives - binaries
Closes: 854727
Changes:
 zziplib (0.13.62-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix multiple security issues (Closes: #854727). Thanks to Josef
     Moellers of SuSE for the patches!

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
