Your message dated Mon, 20 Jan 2020 23:17:16 +0000
with message-id <e1itgig-000dwb...@fasolo.debian.org>
and subject line Bug#940871: fixed in openconnect 8.02-1+deb10u1
has caused the Debian Bug report #940871,
regarding openconnect: CVE-2019-16239: Fix buffer overflow with chunked HTTP handling
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
940871: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940871
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openconnect
Version: 8.02-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 7.08-1
Hi,
The following vulnerability was published for openconnect.
CVE-2019-16239[0]:
| process_http_response in OpenConnect before 8.05 has a Buffer Overflow
| when a malicious server uses HTTP chunked encoding with crafted chunk
| sizes.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-16239
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16239
[1] https://github.com/openconnect/openconnect/commit/875f0a65ab73f4fb581ca870fd3a901bd278f8e8
[2] http://lists.infradead.org/pipermail/openconnect-devel/2019-September/005412.html
Regards,
Salvatore
--- End Message ---
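The CVE text in the report above names the bug class but not its shape: a chunk size read from the server's HTTP response and used to size a copy without checking it against what was actually received or against the destination buffer. The C example below is added here and is neither OpenConnect's code nor the fix in the referenced commit. It puts a minimal chunked-body decoder in the unsafe shape (chunk size straight from strtol() into memcpy()) beside a hardened one that rejects signed, non-hex, overflowing or oversized sizes, sizes that exceed the bytes received, and data that would not fit the caller's buffer. The function names, the 1 MiB per-chunk cap and the sample body are assumptions for illustration; the unsafe variant is only ever run on the well-formed sample, since on crafted input it corrupts memory by design.

```c
/* Added example, not OpenConnect's code: decoding an HTTP/1.1 chunked body
 * received from an untrusted server.  Function names, the per-chunk cap and
 * the sample input are illustrative assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* UNSAFE shape: the chunk size goes straight from the wire into memcpy().
 * A size larger than the data that followed over-reads the input, one larger
 * than the output buffer overflows it, and strtol() returns negative or
 * truncated values without complaint.  Kept for contrast only and fed
 * well-formed, NUL-terminated input only. */
long decode_chunked_unsafe(const char *in, char *out)
{
    long done = 0;
    for (;;) {
        char *end;
        int chunklen = (int)strtol(in, &end, 16);  /* signed, unbounded */
        if (chunklen == 0)
            return done;
        in = end + 2;                               /* skip CRLF after size */
        memcpy(out + done, in, (size_t)chunklen);   /* no bounds check */
        done += chunklen;
        in += chunklen + 2;                         /* skip data and CRLF */
    }
}

/* Hardened decoder: the peer's numbers are validated, never trusted. */
enum chunk_err {
    CHUNK_BAD_SIZE = -1,    /* sign, empty, non-hex or arithmetic overflow */
    CHUNK_TRUNCATED = -2,   /* declared size exceeds the bytes received */
    CHUNK_TOO_BIG = -3,     /* over MAX_CHUNK or does not fit the output */
    CHUNK_BAD_FRAMING = -4  /* CRLF missing where the grammar requires it */
};
#define MAX_CHUNK ((size_t)0x100000)  /* 1 MiB per chunk: an assumed cap */

/* Parse one "HEX[;ext]\r\n" chunk-size line from p[0..avail).  Only unsigned
 * hex digits are accepted and the accumulator is checked before each shift,
 * so "-5" and "FFFFFFFFFFFFFFFFFF" are both rejected instead of wrapping. */
static int parse_chunk_size(const char *p, size_t avail, size_t *size, size_t *used)
{
    size_t n = 0, i = 0;
    int digits = 0;
    for (; i < avail; i++) {
        int v;
        if (p[i] >= '0' && p[i] <= '9')      v = p[i] - '0';
        else if (p[i] >= 'a' && p[i] <= 'f') v = p[i] - 'a' + 10;
        else if (p[i] >= 'A' && p[i] <= 'F') v = p[i] - 'A' + 10;
        else break;
        if (n > (SIZE_MAX >> 4))
            return CHUNK_BAD_SIZE;          /* the next shift would wrap */
        n = (n << 4) | (size_t)v;
        digits++;
    }
    if (!digits)
        return CHUNK_BAD_SIZE;
    while (i < avail && p[i] != '\r')       /* tolerate a chunk extension */
        i++;
    if (i + 1 >= avail)
        return CHUNK_TRUNCATED;
    if (p[i + 1] != '\n')
        return CHUNK_BAD_FRAMING;
    *size = n;
    *used = i + 2;
    return 0;
}

/* Decode a complete chunked body from in[0..inlen) into out[0..outcap).
 * Returns the decoded length, or a negative enum chunk_err. */
long decode_chunked_safe(const char *in, size_t inlen, char *out, size_t outcap)
{
    size_t pos = 0, done = 0;
    for (;;) {
        size_t chunklen, used;
        int rc = parse_chunk_size(in + pos, inlen - pos, &chunklen, &used);
        if (rc != 0)
            return rc;
        pos += used;
        if (chunklen == 0) {                /* last-chunk; no trailer support */
            if (inlen - pos < 2)
                return CHUNK_TRUNCATED;
            if (in[pos] != '\r' || in[pos + 1] != '\n')
                return CHUNK_BAD_FRAMING;
            return (long)done;
        }
        if (chunklen > MAX_CHUNK)
            return CHUNK_TOO_BIG;
        if (inlen - pos < chunklen + 2)     /* data plus CRLF must be present */
            return CHUNK_TRUNCATED;
        if (outcap - done < chunklen)       /* and must fit the caller's buffer */
            return CHUNK_TOO_BIG;
        memcpy(out + done, in + pos, chunklen);
        done += chunklen;
        pos += chunklen;
        if (in[pos] != '\r' || in[pos + 1] != '\n')
            return CHUNK_BAD_FRAMING;
        pos += 2;
    }
}

/* Constructed sample: the familiar three-chunk "Wikipedia" body. */
static const char SAMPLE[] = "4\r\nWiki\r\n6\r\npedia \r\nE\r\nin \r\n\r\nchunks.\r\n0\r\n\r\n";
static const char EXPECTED[] = "Wikipedia in \r\n\r\nchunks.";

/* Hardened decoder on a NUL-terminated body, output capped at min(outcap, 64). */
long run_safe(const char *body, size_t outcap)
{
    char out[64];
    return decode_chunked_safe(body, strlen(body), out, outcap < sizeof out ? outcap : sizeof out);
}

/* 1 if the chosen decoder (1 = unsafe, 0 = hardened) reproduces EXPECTED. */
int sample_roundtrips(int use_unsafe)
{
    char out[64] = {0};
    long n = use_unsafe ? decode_chunked_unsafe(SAMPLE, out)
                        : decode_chunked_safe(SAMPLE, strlen(SAMPLE), out, sizeof out);
    return n == (long)(sizeof EXPECTED - 1) && memcmp(out, EXPECTED, (size_t)n) == 0;
}

int main(void)
{
    printf("sample ok: hardened=%d unsafe=%d\n", sample_roundtrips(0), sample_roundtrips(1));
    printf("18 hex digits=%ld  '-5'=%ld  short data=%ld  8-byte out=%ld\n",
           run_safe("FFFFFFFFFFFFFFFFFF\r\n", 64), run_safe("-5\r\nhello\r\n0\r\n\r\n", 64),
           run_safe("10\r\nshort\r\n0\r\n\r\n", 64), run_safe(SAMPLE, 8));
    return 0;
}
```

The crafted inputs in main() are the cases the hardened path refuses: a size that overflows size_t, a negative size, a size larger than the data that arrived, and a body that does not fit the destination. Each of those feeds the unsafe path a chunk length it would hand to memcpy() unchanged.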
--- Begin Message ---
Source: openconnect
Source-Version: 8.02-1+deb10u1
We believe that the bug you reported is fixed in the latest version of
openconnect, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 940...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated openconnect package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 19 Jan 2020 00:05:50 +0100
Source: openconnect
Architecture: source
Version: 8.02-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Mike Miller <mtmil...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 940871
Changes:
openconnect (8.02-1+deb10u1) buster-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Close HTTPS connection on failure returns from process_http_response()
* Fix buffer overflow with chunked HTTP handling (CVE-2019-16239)
(Closes: #940871)
Checksums-Sha1:
ce0d60f9cd2788558023bee5b8378a513af73475 2783 openconnect_8.02-1+deb10u1.dsc
e36c8551a75cfef2721a2f432d1b69f1a83722bc 1876135 openconnect_8.02.orig.tar.gz
1ca8f3e7b18b996b7818912fa2c13efee4267cdf 15908 openconnect_8.02-1+deb10u1.debian.tar.xz
Checksums-Sha256:
d634b15712a9eae643c2d064626b37cd21363cd2146f58cdb5f8b4a4d385670c 2783 openconnect_8.02-1+deb10u1.dsc
1ca8f2c279f12609bf061db78b51e5f913b3bce603a0d4203230a413d8dfe012 1876135 openconnect_8.02.orig.tar.gz
2bbecf72fb8f6ca403dacc168461d5d46415da053b66618f80a1b828d12163ef 15908 openconnect_8.02-1+deb10u1.debian.tar.xz
Files:
4803c9a22398ec9d0ebc4ff484a02bdf 2783 net optional openconnect_8.02-1+deb10u1.dsc
e723c92b0d435df2a521549edbe1fe3e 1876135 net optional openconnect_8.02.orig.tar.gz
fc2ceb3bd03d92cd9d032bf43c2ed23e 15908 net optional openconnect_8.02-1+deb10u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---