Your message dated Tue, 11 Jun 2019 06:49:02 +0000
with message-id <e1haaac-000cvc...@fasolo.debian.org>
and subject line Bug#929916: fixed in libreswan 3.29-1
has caused the Debian Bug report #929916,
regarding libreswan: CVE-2019-12312
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
929916: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929916
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libreswan
Version: 3.27-4
Severity: grave
Tags: patch security upstream fixed-upstream
Justification: user security hole
Forwarded: https://github.com/libreswan/libreswan/issues/246
Control: fixed -1 3.28-1

Hi,

The following vulnerability was published for libreswan.

CVE-2019-12312[0]:
| In Libreswan before 3.28, an assertion failure can lead to a pluto IKE
| daemon restart. An attacker can trigger a NULL pointer dereference by
| sending two IKEv2 packets (init_IKE and delete_IKE) in 3des_cbc mode
| to a Libreswan server. This affects send_v2N_spi_response_from_state
| in programs/pluto/ikev2_send.c when built with Network Security
| Services (NSS).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12312
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12312
[1] https://github.com/libreswan/libreswan/issues/246
[2] https://github.com/libreswan/libreswan/commit/7142d2c37d58cf024595a7549f0fb0d3946682f8

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libreswan
Source-Version: 3.29-1

We believe that the bug you reported is fixed in the latest version of
libreswan, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <d...@fifthhorseman.net> (supplier of updated libreswan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 11 Jun 2019 07:24:44 +0100
Source: libreswan
Architecture: source
Version: 3.29-1
Distribution: experimental
Urgency: medium
Maintainer: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Changed-By: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Closes: 929916 930338
Changes:
 libreswan (3.29-1) experimental; urgency=medium
 .
   * New upstream release
    - fixes CVE 2019-10155 and CVE-2019-12312
     (Closes: #930338, #929916)
   * refresh patches
   * d/watch: avoid development releases

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTJDm02IAobkioVCed2GBllKa5f+AUCXP9NdgAKCRB2GBllKa5f
+Gn+AQDHcxrEGjzLB5upUlhbuePIdjakBRJ1v/2Ftut/GVMjIQD/QhVCgVJ8nC4T
8ZwY18zy0XlcJxKuavgfUB5RBWxkewg=
=8ccY
-----END PGP SIGNATURE-----

--- End Message ---
