Your message dated Fri, 22 May 2020 23:18:39 +0000
with message-id <e1jcgw3-0002th...@fasolo.debian.org>
and subject line Bug#960458: fixed in libreswan 3.32-1
has caused the Debian Bug report #960458,
regarding libreswan: CVE-2020-1763
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
960458: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960458
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libreswan
Version: 3.29-2
Severity: important
Tags: security upstream
Control: found -1 3.27-6

Hi,

The following vulnerability was published for libreswan.

CVE-2020-1763[0]:
| An out-of-bounds buffer read flaw was found in the pluto daemon of
| libreswan from versions 3.27 till 3.31 where, an unauthenticated
| attacker could use this flaw to crash libreswan by sending specially-
| crafted IKEv1 Informational Exchange packets. The daemon respawns
| after the crash.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-1763
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1763
[1] https://libreswan.org/security/CVE-2020-1763/CVE-2020-1763.txt

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libreswan
Source-Version: 3.32-1
Done: Daniel Kahn Gillmor <d...@fifthhorseman.net>

We believe that the bug you reported is fixed in the latest version of
libreswan, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 960...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <d...@fifthhorseman.net> (supplier of updated libreswan package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 22 May 2020 18:33:46 -0400
Source: libreswan
Architecture: source
Version: 3.32-1
Distribution: unstable
Urgency: medium
Maintainer: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Changed-By: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Closes: 931858 958355 960458
Changes:
 libreswan (3.32-1) unstable; urgency=medium
 .
   [ Stephen Kitt ]
   * Remove the systemd dependency (Closes: #931858)
 .
   [ Daniel Kahn Gillmor ]
   * New upstream version, fixing CVE-2020-1763 (Closes: #960458)
   * refresh patches, dropping those already applied upstream
   * Standards-Version: bump to 4.5.0 (no changes needed)
   * move to dh 13
   * drop unneeded lintian-override
   * d/copyright: drop annotations for removed source
   * move subcommand executables from /usr/lib/ipsec to /usr/libexec/ipsec
   * fix upstream spelling errors
   * added buildtime and runtime checks that the crypto works as expected
   * include upstream patch to address subtle NSS API variance
   * autopkgtest: add CAVP/ACVP tests
   * use dh_auto_build instead of $(MAKE) when building
   * enable cross-building (Closes: #958355)
   * d/tests/opportunistic: avoid dropping into a pager if run from a
     terminal

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQsv6x2UaqQJzY+dXHEDyVUMvKBDwUCXshbiwAKCRDEDyVUMvKB
D00RAP9soAC4Hfj573FxwaPgWdq36wxH8pP1KVs50QePOmeoxQEAnupp7OV0vaa2
GCcdtUD+MSV49ArTXQppOTL5iWgASQ4=
=OHwC
-----END PGP SIGNATURE-----

--- End Message ---
