Your message dated Mon, 20 Jan 2020 23:18:09 +0000 with message-id <e1itgj7-000ejn...@fasolo.debian.org> and subject line Bug#940871: fixed in openconnect 7.08-1+deb9u1 has caused the Debian Bug report #940871, regarding openconnect: CVE-2019-16239: Fix buffer overflow with chunked HTTP handling to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 940871: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940871 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: openconnect Version: 8.02-1 Severity: grave Tags: security upstream Justification: user security hole Control: found -1 7.08-1 Hi, The following vulnerability was published for openconnect. CVE-2019-16239[0]: | process_http_response in OpenConnect before 8.05 has a Buffer Overflow | when a malicious server uses HTTP chunked encoding with crafted chunk | sizes. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-16239 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16239 [1] https://github.com/openconnect/openconnect/commit/875f0a65ab73f4fb581ca870fd3a901bd278f8e8 [2] http://lists.infradead.org/pipermail/openconnect-devel/2019-September/005412.html Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: openconnect Source-Version: 7.08-1+deb9u1 We believe that the bug you reported is fixed in the latest version of openconnect, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 940...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Salvatore Bonaccorso <car...@debian.org> (supplier of updated openconnect package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 19 Jan 2020 00:15:10 +0100 Source: openconnect Architecture: source Version: 7.08-1+deb9u1 Distribution: stretch-security Urgency: high Maintainer: Mike Miller <mtmil...@debian.org> Changed-By: Salvatore Bonaccorso <car...@debian.org> Closes: 940871 Changes: openconnect (7.08-1+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Close HTTPS connection on failure returns from process_http_response() * Fix buffer overflow with chunked HTTP handling (CVE-2019-16239) (Closes: #940871) Checksums-Sha1: 35cd51bebd2a0e7ec790b04bac48cfc742da3483 2739 openconnect_7.08-1+deb9u1.dsc ac106457c6a94808096552b6dc2037ad4cce7858 1686133 openconnect_7.08.orig.tar.gz de32be3c609c46b7cd6faa9a272ca8ba18ac306f 177252 openconnect_7.08-1+deb9u1.debian.tar.xz Checksums-Sha256: a410295c8d3dd6770424a462430cab272171a2e52d1102be374a332dfcfaf039 2739 openconnect_7.08-1+deb9u1.dsc 1c44ec1f37a6a025d1ca726b9555649417f1d31a46f747922b84099ace628a03 1686133 openconnect_7.08.orig.tar.gz 286dc3aef7029997000a44c945e77b3892a43b051b2bc3ce855a4ee91d373d9f 177252 openconnect_7.08-1+deb9u1.debian.tar.xz Files: 5a6168e55b40131d340233655d432242 2739 net optional openconnect_7.08-1+deb9u1.dsc ca2ca1f61b8515879b481dcf6ed4366b 1686133 net optional openconnect_7.08.orig.tar.gz 3b57e04d4bf25e105855d450a901c7ba 177252 net optional openconnect_7.08-1+deb9u1.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl4jkphfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89EtFoP/0lDXTgaQ7beyllhStJzNi+UwNON2bX2 ePkXXOHnpm/h5kzgmUfm3kG18lEVOWjvjQlJU32eMvg4val6BdIeDpk0NwQB7gkl F7s1j6oZ3u6q+2S9mTWSDvpnfaiCJLHVnvuSxV7K4mzpskPoYMl2Qg4mpLfhlAhz /YFtJQu4R6cTaAtFisbmjFNMSZKTLCpYiUr1kRmBcEJRXPIAoVzB66cltfdii5Vo /Q0EriJ+s/50Oz+yBXOwz5791TxlbVvb0v7wLNxuzuLMqYoN3lDk5saKgkyN4Q8c fNtlmECJOvMeKA6Ncnyq/nP9/LijC6JCUqzyljTzm0Ksf9K2P792dUHembDEIYo0 1m2pZ4RkEsmnJbMKs4l+BJIRxYfkyLFhhEAM9cpxSLUBZAulTF64FMOzgrRgWxHT Yh9UQ9GUmMZ9DniWVJeiAYSBTYBxpIG9MwVoReBJaZSAuLFjcPf7BI4Orr4PWL1z pDMVVNDQsidw43O0jUg1O7q1wNFvEBndO6vDEx4AmNHH1M01chaK+quWcVHNX/Yi Si/JFb/ZLgeRcwtdvWqLip2NC7WXmstccjbZ5iAcq3BDc93GLWvThwumYT7bzA57 PP0GafSK+SDo1mlJFqRIBgoTlyO1qlfurtL6df1KZmYZeL2sBvpqiJByEs+cqRs1 v82mU3k8s4P5 =4uzr -----END PGP SIGNATURE-----
--- End Message ---
