Your message dated Sat, 07 Sep 2019 15:18:29 +0000 with message-id <e1i6ctt-00059x...@fasolo.debian.org> and subject line Bug#933741: fixed in qemu 1:3.1+dfsg-8+deb10u2 has caused the Debian Bug report #933741, regarding qemu: CVE-2019-14378: heap buffer overflow during packet reassembly to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 933741: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933741 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: qemu Version: 1:3.1+dfsg-8 Severity: grave Tags: security upstream Control: clone -1 -2 Control: reassign -2 src:slirp4netns 0.3.1-1 Control: retitle -2 slirp4netns: CVE-2019-14459: heap buffer overflow during packet reassembly Hi, The following vulnerability was published for qemu (respective the SLiRP networking implemenatation which is as well forked in slirp4netns). CVE-2019-14378[0]: | ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer | overflow via a large packet because it mishandles a case involving the | first fragment. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-14378 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14378 [1] https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04acbabd7ad32c2b018fe10dfac2a3bc1210 [2] https://www.openwall.com/lists/oss-security/2019/08/01/2 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: qemu Source-Version: 1:3.1+dfsg-8+deb10u2 We believe that the bug you reported is fixed in the latest version of qemu, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 933...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Michael Tokarev <m...@tls.msk.ru> (supplier of updated qemu package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Sat, 24 Aug 2019 15:56:15 +0300 Source: qemu Architecture: source Version: 1:3.1+dfsg-8+deb10u2 Distribution: buster-security Urgency: medium Maintainer: Debian QEMU Team <pkg-qemu-de...@lists.alioth.debian.org> Changed-By: Michael Tokarev <m...@tls.msk.ru> Closes: 931351 933650 933741 Changes: qemu (1:3.1+dfsg-8+deb10u2) buster-security; urgency=medium . * slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input-CVE-2019-14378.patch Closes: #933741, CVE-2019-14378 (slirp heap buffer overflow) * qemu-bridge-helper-restrict-interface-name-to-IFNAMSIZ-CVE-2019-13164.patch Closes: #931351, CVE-2019-13164 (qemu-bridge-helper ifname overflow) * linux-user-sanitize-interp_info-for-mips-only.patch Closes: #933650 (some mips binaries fails to start) Checksums-Sha1: fbe9b5e9a4966a2ca5979fecada49767742669f2 6152 qemu_3.1+dfsg-8+deb10u2.dsc b6a6c31d146b13e14af253d6dc25f16ccad7d060 8705368 qemu_3.1+dfsg.orig.tar.xz 57f529797a1185d68ac567f71166293629594206 89496 qemu_3.1+dfsg-8+deb10u2.debian.tar.xz 9043e32a8ef8eae21e9a02f5b5ee59f98a3b8c7f 8322 qemu_3.1+dfsg-8+deb10u2_source.buildinfo Checksums-Sha256: 942a73dd54ab72e3fc2d1681e59f66c4a7e711c1cdad2cf84eb308fa25f59951 6152 qemu_3.1+dfsg-8+deb10u2.dsc 2f277942759dd3eed21f7e00edfeab52b4f58d6f2f22d4f7e1a8aa4dc54c80d7 8705368 qemu_3.1+dfsg.orig.tar.xz fcca1716c9ddf58e6e06d48e3ae809ce23877de327591851946802e87b8b7329 89496 qemu_3.1+dfsg-8+deb10u2.debian.tar.xz c5db2c6b674838341556cb61cae759806d4e53fe05625e5d7eec14543ba7473f 8322 qemu_3.1+dfsg-8+deb10u2_source.buildinfo Files: 4a4f7905815c2cfaaf671270fcb16c04 6152 otherosfs optional qemu_3.1+dfsg-8+deb10u2.dsc b17f33786c89d547150490811a40f0b2 8705368 otherosfs optional qemu_3.1+dfsg.orig.tar.xz 6e88bd2ae2c065643b7a21813191b257 89496 otherosfs optional qemu_3.1+dfsg-8+deb10u2.debian.tar.xz f55706a97a0bed42552d53a4dc50a487 8322 otherosfs optional qemu_3.1+dfsg-8+deb10u2_source.buildinfo -----BEGIN PGP SIGNATURE----- iQFDBAEBCAAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAl1rt/sPHG1qdEB0bHMu bXNrLnJ1AAoJEHAbT2saaT5ZXnUH/1PtvMR9VeH5GPGIKC9mShvkfoqGP/Y+R1BZ t7rU4GiAgECHCllZ1/wWqfRLtUUWWHpQ3H3PBIN9DjWO3pBI4rcuIpGXWs9fsFcr yaXa0WZRdDKwX2zYpKB1F9a5JjehEdkHgPAYquPwHqKsbFY6SY9eancy8pqaoQE+ eMZIPa5mMTzhkzL7iR2V12ArrKd9gFGrg0dPM7MzoAWS83+Ev6dZnU3QLUSDw/Y4 Cg/q/VXTrgCI+HPbMyyz1g6PH4Um1MoJOgXYLP3587T4Lri8FT8RnOJiCKPNBecv jY7HyDq//EkpU6FAvuq7/J3drpaESmlla/eCZKK2u8rzf8EiQtM= =xSGT -----END PGP SIGNATURE-----
--- End Message ---
