Your message dated Sun, 17 Sep 2017 22:23:02 +0000
with message-id <e1dthxu-000c1v...@fasolo.debian.org>
and subject line Bug#875801: fixed in libofx 1:0.9.11-4
has caused the Debian Bug report #875801,
regarding libofx: CVE-2017-2816
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
875801: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875801
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libofx
Version: 1:0.9.11-3
Severity: grave
Tags: upstream security
Hi,
the following vulnerability was published for libofx.
CVE-2017-2816[0]:
| An exploitable buffer overflow vulnerability exists in the tag parsing
| functionality of LibOFX 0.9.11. A specially crafted OFX file can cause
| a write out of bounds resulting in a buffer overflow on the stack. An
| attacker can construct a malicious OFX file to trigger this
| vulnerability.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-2816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2816
[1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0317
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
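The advisory quoted above names the bug class (a tag parser writing past a fixed-size stack buffer) but not the code path. The following is an added example, not libofx's parser and not the CVE-2017-2816 trigger; the real code and the exact trigger are in the Talos report linked in the report. It is a constructed minimal tag scanner that shows the unchecked copy loop beside a bounded version that rejects over-long and unterminated tags instead of overflowing. The tag grammar ('<', name, '>'), the buffer size TAG_NAME_MAX, the function names and the sample inputs are all assumptions made for the illustration.

```c
/*
 * Constructed illustration of the bug class named in CVE-2017-2816:
 * an out-of-bounds write into a stack buffer while copying a tag name.
 * This is NOT libofx's code. Tag grammar is simplified to '<' name '>'.
 */
#include <stdio.h>
#include <string.h>

#define TAG_NAME_MAX 32   /* assumed capacity for the illustration */

/* Vulnerable pattern: the copy loop stops at '>' or NUL but never at the
 * buffer's capacity, so a name of TAG_NAME_MAX bytes or more runs off the
 * end of the stack buffer. Shown for comparison; never feed it untrusted
 * input. Returns 1 if a closing '>' was found, else 0. */
int parse_tag_unchecked(const char *p)
{
    char name[TAG_NAME_MAX];
    size_t i = 0;
    if (*p != '<') return 0;
    p++;
    while (*p && *p != '>')
        name[i++] = *p++;        /* no bound on i: stack overflow */
    name[i] = '\0';
    return *p == '>';
}

/* Hardened form: the caller supplies the destination and its size, the loop
 * stops one byte short of capacity so the terminator always fits, and an
 * over-long or unterminated tag is rejected rather than silently truncated.
 * Returns bytes of input consumed (including the '>'), or 0 on error. */
size_t parse_tag(const char *p, char *out, size_t out_sz)
{
    const char *start = p;
    size_t i = 0;
    if (out_sz == 0 || *p != '<') return 0;
    p++;
    while (*p && *p != '>') {
        if (i + 1 >= out_sz) return 0;   /* would overflow: reject */
        out[i++] = *p++;
    }
    if (*p != '>') return 0;             /* unterminated tag */
    out[i] = '\0';
    return (size_t)(p - start) + 1;
}

/* Walk a buffer of back-to-back tags. Returns the number parsed, or -1 at
 * the first malformed or over-long tag, so the bound check propagates up. */
int count_tags(const char *doc)
{
    char name[TAG_NAME_MAX];
    int n = 0;
    while (*doc) {
        size_t used = parse_tag(doc, name, sizeof name);
        if (used == 0) return -1;
        doc += used;
        n++;
    }
    return n;
}

/* Builds "<" + n bytes of 'X' + ">" (constructed input) and parses it with
 * the hardened scanner: 1 if accepted, -1 if rejected, -2 if n is too big
 * for the local buffer. Exercises the boundary at TAG_NAME_MAX - 1. */
int tag_of_length_accepted(size_t n)
{
    char buf[256];
    if (n + 3 > sizeof buf) return -2;
    buf[0] = '<';
    memset(buf + 1, 'X', n);
    buf[n + 1] = '>';
    buf[n + 2] = '\0';
    return count_tags(buf);
}

int main(void)
{
    /* Constructed sample, not taken from a real OFX file. */
    const char good[] = "<OFX><BANKMSGSRSV1><STMTTRN>";
    printf("unchecked on a short tag: %d\n", parse_tag_unchecked("<OFX>"));
    printf("good document: %d tags\n", count_tags(good));
    printf("31-byte name: %d, 32-byte name: %d, 100-byte name: %d\n",
           tag_of_length_accepted(31), tag_of_length_accepted(32),
           tag_of_length_accepted(100));
    return 0;
}
```

The point to carry over to a real fix is the rejection path: a bounded copy that silently truncates keeps the parser memory-safe but can still let a crafted file smuggle a different tag name past later checks, so over-long names should fail the parse outright.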
--- Begin Message ---
Source: libofx
Source-Version: 1:0.9.11-4
We believe that the bug you reported is fixed in the latest version of
libofx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 875...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dylan Aïssi <bob.dyb...@gmail.com> (supplier of updated libofx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 17 Sep 2017 23:38:49 +0200
Source: libofx
Binary: libofx7 libofx-dev libofx-doc ofx
Architecture: source
Version: 1:0.9.11-4
Distribution: unstable
Urgency: medium
Maintainer: Dylan Aïssi <bob.dyb...@gmail.com>
Changed-By: Dylan Aïssi <bob.dyb...@gmail.com>
Description:
libofx-dev - development package for libofx7
libofx-doc - documentation for libofx7
libofx7 - library to support the Open Financial Exchange format
ofx - Open Financial Exchange programs
Closes: 875801
Changes:
libofx (1:0.9.11-4) unstable; urgency=medium
.
* Add an upstream patch to fix CVE-2017-2816 (Closes: #875801).
Checksums-Sha1:
493acfa77bb74104e338c2507d8f53a28c41a693 2118 libofx_0.9.11-4.dsc
628dd706271ec7a7046ec6f75e3a5f387dfa45e1 47012 libofx_0.9.11-4.debian.tar.xz
f217528a945fb6143dc2a81b7601afbbcf5947c0 8430 libofx_0.9.11-4_amd64.buildinfo
Checksums-Sha256:
216851d1656005cc039b2715799c27dfe992815bba89e90caa3ae67ec8bd3c76 2118 libofx_0.9.11-4.dsc
8e57a625fe615b890936b38dfcb51842c1c83e968f68f11920d3e3aa44ece3cb 47012 libofx_0.9.11-4.debian.tar.xz
ede45b17001a7da6db07bf062e41e42934ef937d9a3168d077d014cb3aa37bae 8430 libofx_0.9.11-4_amd64.buildinfo
Files:
f6401b5e0f1b925bad72c3e39ab8be9c 2118 libs optional libofx_0.9.11-4.dsc
1ccb9811f7ee97a6031de6decbe31165 47012 libs optional libofx_0.9.11-4.debian.tar.xz
4ccd672368f2b7f466b730f8f0865a5d 8430 libs optional libofx_0.9.11-4_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---