Your message dated Fri, 14 Dec 2018 19:04:51 +0000
with message-id <e1gxslx-000ikb...@fasolo.debian.org>
and subject line Bug#916308: fixed in haproxy 1.8.15-1
has caused the Debian Bug report #916308,
regarding haproxy: CVE-2018-20102
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
916308: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916308
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: haproxy
Version: 1.8.14-1
Severity: grave
Tags: patch security upstream
Hi,
The following vulnerability was published for haproxy; the RC severity
might not be correct, but I am trying to be on the safe side here.
CVE-2018-20102[0]:
| An out-of-bounds read in dns_validate_dns_response in dns.c was
| discovered in HAProxy through 1.8.14. Due to a missing check when
| validating DNS responses, remote attackers might be able to read the 16
| bytes corresponding to an AAAA record from the non-initialized part of
| the buffer, possibly accessing anything that was left on the stack, or
| even past the end of the 8193-byte buffer, depending on the value of
| accepted_payload_size.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-20102
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20102
[1] http://git.haproxy.org/?p=haproxy.git;a=commit;h=efbbdf72992cd20458259962346044cafd9331c0
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
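As an added illustration of the check the CVE text above describes (example code written for this page, not HAProxy's dns.c and not from the bug report): a minimal DNS answer parser that bounds every read by the number of bytes actually received, never by the capacity of the buffer, run over a constructed 47-byte response once complete and once truncated. The function names, result codes and the sample message are assumptions; the parser also assumes one question and one answer record.

```c
/* Every read below is checked against resp_len (bytes received), not against the
 * 8193-byte capacity of the buffer; that is the bound CVE-2018-20102 lacked. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum { DNS_OK = 0, DNS_TRUNCATED = -1, DNS_BAD_RECORD = -2 };   /* constructed codes */

static int dns_skip_name(const uint8_t *resp, size_t resp_len, size_t *pos)
{   /* Advance *pos past a name (labels or a compression pointer) within resp_len. */
    size_t p = *pos;
    for (;;) {
        if (p >= resp_len) return DNS_TRUNCATED;
        uint8_t len = resp[p];
        if (len == 0) { *pos = p + 1; return DNS_OK; }
        if ((len & 0xC0) == 0xC0) {                 /* 2-byte compression pointer */
            *pos = p + 2; return (p + 2 > resp_len) ? DNS_TRUNCATED : DNS_OK;
        }
        if (len > 63) return DNS_BAD_RECORD;
        p += 1 + len;
    }
}

int dns_first_aaaa(const uint8_t *resp, size_t resp_len, uint8_t out[16])
{   /* Copy the 16-byte rdata of the first answer (must be AAAA) into out. */
    size_t pos = 12;                                   /* fixed DNS header */
    if (resp_len < pos) return DNS_TRUNCATED;
    int rc = dns_skip_name(resp, resp_len, &pos);      /* QNAME */
    if (rc) return rc;
    if ((pos += 4) > resp_len) return DNS_TRUNCATED;   /* QTYPE + QCLASS */
    if ((rc = dns_skip_name(resp, resp_len, &pos))) return rc;   /* answer NAME */
    if (pos + 10 > resp_len) return DNS_TRUNCATED;     /* TYPE CLASS TTL RDLENGTH */
    uint16_t type  = (uint16_t)(resp[pos] << 8 | resp[pos + 1]);
    uint16_t rdlen = (uint16_t)(resp[pos + 8] << 8 | resp[pos + 9]);
    pos += 10;
    if (type != 28 || rdlen != 16) return DNS_BAD_RECORD;   /* 28 = AAAA */
    /* The check at issue: rdata must lie inside the received bytes, otherwise the
     * copy reads stale buffer contents or memory past the end of the buffer. */
    if (pos + rdlen > resp_len) return DNS_TRUNCATED;
    memcpy(out, resp + pos, 16);
    return DNS_OK;
}

static const uint8_t sample[47] = {   /* constructed: question "a" AAAA, answer ::1 */
    0x12,0x34,0x81,0x80, 0,1, 0,1, 0,0, 0,0,          /* header: 1 question, 1 answer */
    1,'a',0, 0,28, 0,1,                                /* question */
    0xC0,0x0C, 0,28, 0,1, 0,0,0,60, 0,16,              /* answer header, RDLENGTH 16 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 };                 /* rdata: ::1 */

int dns_example(size_t received, uint8_t out[16])
{   /* Parse the sample as if only `received` bytes had arrived into an 8193-byte buffer. */
    uint8_t buf[8193];
    memset(buf, 0xAA, sizeof buf);                     /* stand-in for stale stack data */
    memcpy(buf, sample, received < sizeof sample ? received : sizeof sample);
    return dns_first_aaaa(buf, received, out);
}
```

With the full 47 bytes the parser returns the ::1 rdata; with only 37 bytes received it reports truncation instead of copying ten 0xAA bytes that were never part of the response.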
--- Begin Message ---
Source: haproxy
Source-Version: 1.8.15-1
We believe that the bug you reported is fixed in the latest version of
haproxy, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 916...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Apollon Oikonomopoulos <apoi...@debian.org> (supplier of updated haproxy
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 14 Dec 2018 15:31:04 +0200
Source: haproxy
Binary: haproxy haproxy-doc vim-haproxy
Architecture: source amd64 all
Version: 1.8.15-1
Distribution: unstable
Urgency: high
Maintainer: Debian HAProxy Maintainers <hapr...@tracker.debian.org>
Changed-By: Apollon Oikonomopoulos <apoi...@debian.org>
Description:
haproxy - fast and reliable load balancing reverse proxy
haproxy-doc - fast and reliable load balancing reverse proxy (HTML documentatio
vim-haproxy - syntax highlighting for HAProxy configuration files
Closes: 911933 916307 916308
Changes:
haproxy (1.8.15-1) unstable; urgency=high
.
[ Vincent Bernat ]
* d/rules: switch to pcre2. Closes: #911933.
.
[ Apollon Oikonomopoulos ]
* New upstream version 1.8.15
- BUG: dns: Fix off-by-one write in dns_validate_dns_response() (
- BUG: dns: Fix out-of-bounds read via signedness error in
dns_validate_dns_response()
- BUG: dns: Prevent out-of-bounds read in dns_read_name()
- BUG: dns: Prevent out-of-bounds read in dns_validate_dns_response()
(CVE-2018-20102, closes: #916308)
- BUG: dns: Prevent stack-exhaustion via recursion loop in dns_read_name
(CVE-2018-20103, closes: #916307)
- BUG/MAJOR: http: http_txn_get_path() may dereference an inexisting buffer
--- End Message ---