Hi,

Gunnar Wolf sponsored the upload to sid (thanks!) and I just prepared an upload for stretch-security. It is available in the branch debian/stretch on:

https://salsa.debian.org/auth-team/yubico-piv-tool.git

If the security team finds it suitable, please upload directly.

Best,
nicoo

PS: In case I need to be reached swiftly, IRC might be the most effective medium (nicoo on irc.oftc.net/#debian-security).

On Tue, Aug 14, 2018 at 06:39:43PM +0200, Nicolas Braud-Santoni wrote:
> Package: libykpiv1
> Severity: serious
> Tags: security pending stretch buster sid
> Justification: security
>
> libykpiv1 versions below 1.6.0 are affected by a buffer overflow, exploitable
> by malicious USB devices, that can lead to arbitrary code execution.
>
> I will upload the fixed upstream version later today, and coordinate with
> the security team to get it fixed in stretch and jessie-backports.
>
> Best,
>
> nicoo
>
> -- System Information:
> Debian Release: buster/sid
> APT prefers testing
> APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.17.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages libykpiv1 depends on:
> ii libc6 2.27-5
> ii libpcsclite1 1.8.23-3
> ii libssl1.1 1.1.0h-4
>
> Versions of packages libykpiv1 recommends:
> ii pcscd 1.8.23-3
>
> libykpiv1 suggests no packages.