Your message dated Sun, 11 Apr 2021 00:33:29 +0000
with message-id <e1lvo2b-000bti...@fasolo.debian.org>
and subject line Bug#986135: fixed in libnet-netmask-perl 1.9104-2
has caused the Debian Bug report #986135,
regarding libnet-netmask-perl: CVE-2021-29424: mis-parses IP addresses in some
situations
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
986135: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986135
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libnet-netmask-perl
Version: 1.9104-1
Severity: normal
Dear Maintainer,
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29424
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
https://metacpan.org/changes/distribution/Net-Netmask#L11-22
Fix exists upstream, and should be trivially backportable.
-- System Information:
Debian Release: 10.9
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-14-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libnet-netmask-perl depends on:
ii perl 5.28.1-6+deb10u1
libnet-netmask-perl recommends no packages.
libnet-netmask-perl suggests no packages.
--- End Message ---
--- Begin Message ---
Source: libnet-netmask-perl
Source-Version: 1.9104-2
Done: gregor herrmann <gre...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libnet-netmask-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 986...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <gre...@debian.org> (supplier of updated libnet-netmask-perl
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 11 Apr 2021 02:08:34 +0200
Source: libnet-netmask-perl
Architecture: source
Version: 1.9104-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: gregor herrmann <gre...@debian.org>
Closes: 986135
Changes:
libnet-netmask-perl (1.9104-2) unstable; urgency=medium
.
* Team upload.
* Add patch 0001-SECURITY-Prevent-ambiguous-networks-from-being-accid.patch.
This patch, taken from upstream commit 9023b40, fixes a security issue
with IP addresses containing leading zeros which are interpreted as octal
numbers.
This is CVE-2021-29424, for details cf. also
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/.
.
From upstream Changes for 2.0000:
- SECURITY: IPv4 addresses with leading zeros are no longer allowed. They
will return a parse error like any invalid IP address.
- SECURITY: 10.0.0, 10.0, and 10 address portions now by default return a
parse error. This can be overridden …
Cf. /usr/share/doc/libnet-netmask-perl/changelog.gz for details.
.
Closes: #986135
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
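The two parsing rules quoted from the upstream Changes entry above, as an added example that is not part of the Debian patch or of Net::Netmask itself. The function names check_ipv4 and readings are hypothetical and the sample addresses are constructed; the script prints both the decimal and the octal reading of each leading-zero address, which is the ambiguity behind CVE-2021-29424.

```perl
#!/usr/bin/perl
# Added example (not Net::Netmask code): strict dotted-quad check mirroring
# the two rules quoted from the upstream Changes entry for 2.0000.
use strict;
use warnings;

# Returns (1, undef) for an unambiguous dotted quad, or (0, reason).
sub check_ipv4 {
    my ($addr) = @_;
    my @parts = split /\./, $addr, -1;    # -1 keeps trailing empty fields

    # Rule 2: short forms such as 10.0.0, 10.0 and 10 are rejected.
    return (0, 'short form: expected four octets') if @parts != 4;

    for my $p (@parts) {
        return (0, "non-decimal octet '${p}'") unless $p =~ /\A[0-9]{1,3}\z/;
        # Rule 1: a leading zero makes the octet readable as octal.
        return (0, "leading zero in octet '${p}'") if $p =~ /\A0[0-9]/;
        return (0, "octet '${p}' out of range") if $p > 255;
    }
    return (1, undef);
}

# Same text, two addresses: one reader uses base 10, the other base 8.
# Only called here on inputs whose octets are all digits.
sub readings {
    my ($addr) = @_;
    my @parts  = split /\./, $addr, -1;
    my $as_dec = join '.', map { $_ + 0 } @parts;
    my $as_oct = join '.', map { /\A0[0-7]+\z/ ? oct($_) : $_ + 0 } @parts;
    return ($as_dec, $as_oct);
}

# Constructed sample input.
for my $addr (qw(10.0.0.1 010.0.0.1 192.168.1.010 10.0.0 10.0 10)) {
    my ($ok, $why) = check_ipv4($addr);
    if ($ok) {
        print "$addr: accepted\n";
    }
    elsif ($why =~ /leading zero/) {
        my ($as_dec, $as_oct) = readings($addr);
        print "$addr: rejected ($why); decimal=$as_dec octal=$as_oct\n";
    }
    else {
        print "$addr: rejected ($why)\n";
    }
}
```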