Your message dated Wed, 11 Mar 2020 09:50:20 +0000
with message-id <e1jby0k-000dxj...@fasolo.debian.org>
and subject line Bug#951372: fixed in golang-github-proglottis-gpgme 0.1.1-1
has caused the Debian Bug report #951372,
regarding golang-github-proglottis-gpgme: CVE-2020-8945
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
951372: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951372
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-proglottis-gpgme
Version: 0.1.0-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/proglottis/gpgme/pull/23
Hi,

The following vulnerability was published for golang-github-proglottis-gpgme.

CVE-2020-8945[0]:
| The proglottis Go wrapper before 0.1.1 for the GPGME library has a
| use-after-free, as demonstrated by use for container image pulls by
| Docker or CRI-O. This leads to a crash or potential code execution
| during GPG signature verification.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8945
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8945
[1] https://github.com/proglottis/gpgme/pull/23

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: golang-github-proglottis-gpgme
Source-Version: 0.1.1-1
Done: Dmitry Smirnov <only...@debian.org>
We believe that the bug you reported is fixed in the latest version of
golang-github-proglottis-gpgme, which is due to be installed in the Debian FTP
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 951...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Smirnov <only...@debian.org> (supplier of updated
golang-github-proglottis-gpgme package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 11 Mar 2020 20:32:01 +1100
Source: golang-github-proglottis-gpgme
Architecture: source
Version: 0.1.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Dmitry Smirnov <only...@debian.org>
Closes: 951372
Changes:
 golang-github-proglottis-gpgme (0.1.1-1) unstable; urgency=medium
 .
   * New upstream release.
     + fixed CVE-2020-8945 (Closes: #951372).
   * New patch to disable "TestContext_Encrypt" due to network access.
   * rules: commented SOCKET_PATH workaround.
   * Build-Depends += "gpg-agent".
   * Rules-Requires-Root: no.
   * Standards-Version: 4.5.0.
   * Added myself to Uploaders.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---