Your message dated Thu, 12 Mar 2020 23:20:52 +0000
with message-id <e1jcx8g-000c9m...@fasolo.debian.org>
and subject line Bug#952649: fixed in uap-core 1:0.8.0-1
has caused the Debian Bug report #952649,
regarding uap-core: CVE-2020-5243
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
952649: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952649
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: uap-core
Version: 20190213-2
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for uap-core.

CVE-2020-5243[0]:
| uap-core before 0.7.3 is vulnerable to a denial of service attack when
| processing crafted User-Agent strings. Some regexes are vulnerable to
| regular expression denial of service (REDoS) due to overlapping
| capture groups. This allows remote attackers to overload a server by
| setting the User-Agent header in an HTTP(S) request to maliciously
| crafted long strings. This has been patched in uap-core 0.7.3.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5243
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5243
[1] https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p

Regards,
Salvatore

--- End Message ---
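The failure mode the advisory describes, as an added example that is not part of the bug report and not code from uap-core: a constructed version-extraction regex whose nested quantifiers overlap on the same run of digits, beside an unambiguous rewrite, and a length cap applied to the User-Agent value before any regex runs. The two patterns, the `Browser/` token, the 512-byte cap and the function names are illustrative assumptions, not uap-core's regexes or its API; Python's `re` is used because it is a backtracking engine like the ones most uap-core bindings run on.

```python
import re
import time

# Constructed, illustrative patterns: NOT the regexes shipped in uap-core.
# The vulnerable form nests a '+' around a group whose own '\d+' already
# repeats, so both quantifiers compete for the same run of digits. When the
# trailing '$' fails, a backtracking engine (Python's re, like most) tries
# every way of partitioning the digits: 2^(n-1) attempts for n digits.
VULNERABLE_VERSION = re.compile(r"Browser/((?:\d+\.?)+)$")

# Hardened form: a version is digits, then zero or more '.digits' groups.
# Each character has exactly one place it can belong, so failure is linear.
HARDENED_VERSION = re.compile(r"Browser/(\d+(?:\.\d+)*)$")

# Hypothetical cap on header length, applied before any regex sees the header.
# Real User-Agent values are a few hundred bytes; the cap bounds attacker work.
MAX_USER_AGENT_LEN = 512


def parse_version(user_agent, pattern=HARDENED_VERSION, max_len=MAX_USER_AGENT_LEN):
    """Return the captured version string, or None if absent or rejected.

    The length check runs first so an oversized, crafted header is rejected
    at O(1) cost instead of buying exponential backtracking in the engine.
    """
    if len(user_agent) > max_len:
        return None
    match = pattern.search(user_agent)
    return match.group(1) if match else None


def seconds_to_match(pattern, text):
    """Wall-clock seconds one search takes; used to show the growth curve."""
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


def crafted_user_agent(digits):
    """Constructed attacker input: a long digit run, then a byte that makes '$' fail."""
    return "Browser/" + "1" * digits + "x"


if __name__ == "__main__":
    # Constructed sample headers; both patterns agree on well-formed input.
    for ua in ("Mozilla/5.0 (X11; Linux x86_64) Browser/12.0.1", "Browser/7"):
        assert parse_version(ua, VULNERABLE_VERSION) == parse_version(ua, HARDENED_VERSION)
        print(f"{ua!r:55} -> {parse_version(ua)!r}")

    # Calling the engine directly (no length cap) to show its behaviour: work
    # roughly doubles per extra digit for the vulnerable pattern and stays flat
    # for the hardened one. A few more digits would already take far longer.
    for n in (14, 16, 18, 20):
        ua = crafted_user_agent(n)
        vuln = seconds_to_match(VULNERABLE_VERSION, ua)
        safe = seconds_to_match(HARDENED_VERSION, ua)
        print(f"digits={n:2d}  vulnerable={vuln:8.4f}s  hardened={safe:8.6f}s")

    # With the cap in place a 10,000-digit header is rejected without matching.
    assert parse_version(crafted_user_agent(10_000), VULNERABLE_VERSION) is None
```

The two defences are independent: rewriting the pattern removes the ambiguity that backtracking exploits, and the length cap limits how much work any remaining pattern can be made to do. An upgrade to a fixed regex set (here, uap-core 0.8.0) covers the first; the second is a deployment-side check that stays useful against the next ambiguous pattern.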
--- Begin Message ---
Source: uap-core
Source-Version: 1:0.8.0-1
Done: Edward Betts <edw...@4angle.com>

We believe that the bug you reported is fixed in the latest version of
uap-core, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 952...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Edward Betts <edw...@4angle.com> (supplier of updated uap-core package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 12 Mar 2020 22:11:08 +0000
Source: uap-core
Binary: uap-core
Architecture: source all
Version: 1:0.8.0-1
Distribution: unstable
Urgency: medium
Maintainer: Edward Betts <edw...@4angle.com>
Changed-By: Edward Betts <edw...@4angle.com>
Description:
 uap-core   - User Agent Parser core - collection of regular expressions
Closes: 952649
Changes:
 uap-core (1:0.8.0-1) unstable; urgency=medium
 .
   * New upstream release Closes: #952649
     - CVE-2020-5243: Regular Expression Denial of Service
   * Switch from github master to github tag and add version epoch.
   * Update debian/watch to check for new github tag.
   * Update Standards-Version.
   * Set Rules-Requires-Root to no.
   * Use debhelper-compat instead of debian/compat.
   * Update copyright year.
   * Use git for debian packaging.
Checksums-Sha1:
 19f2cdbd317077cbaeea1598a3a934a65819ec18 1835 uap-core_0.8.0-1.dsc
 935d8eb91a0331c6c6b99c8f32080726ac534fa0 827193 uap-core_0.8.0.orig.tar.gz
 feb6f6b9ac816888404debb4d9cd7ab58627491d 2060 uap-core_0.8.0-1.debian.tar.xz
 5e0d7dc942616c12b6f5e378ddb42719ae3d86c6 41168 uap-core_0.8.0-1_all.deb
 030cc2ba4f22b80c87ef0e3633665acd5ff92b04 5618 uap-core_0.8.0-1_amd64.buildinfo
Checksums-Sha256:
 2cf2c2ce577ed7145a38733518174d9824205948849fcc96a84714e9195cddf3 1835 uap-core_0.8.0-1.dsc
 765adef5f2fc212cd49200a0f8487d2e91617bcdbc459bfa38bf439e7db08022 827193 uap-core_0.8.0.orig.tar.gz
 65924dca042363b3ea423b1c74322fdbe7169e7cadd87f9369026a9e4202a75a 2060 uap-core_0.8.0-1.debian.tar.xz
 e915bf69ea7de389ce72dfdfb23c622b10983c2e8b151c88677a140137b2ca08 41168 uap-core_0.8.0-1_all.deb
 556a741f3f4906c9552a478e842f6abb585de778d6f2c11de56189d48f37a148 5618 uap-core_0.8.0-1_amd64.buildinfo
Files:
 65ed7ae403888267bd129efc6dc6b14e 1835 web optional uap-core_0.8.0-1.dsc
 4437d12b3ad5f59d7229cde2e2c73b43 827193 web optional uap-core_0.8.0.orig.tar.gz
 c75803c1b643c6840b94ffa42dfb0cef 2060 web optional uap-core_0.8.0-1.debian.tar.xz
 9bb8dff2bd62c28ba894abe88779a5c7 41168 web optional uap-core_0.8.0-1_all.deb
 a717440739a54531362344c74df76a8c 5618 web optional uap-core_0.8.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
