Your message dated Mon, 03 May 2021 18:17:09 +0000
with message-id <[email protected]>
and subject line Bug#982904: fixed in mumble
1.3.0~git20190125.440b173+dfsg-2+deb10u1
has caused the Debian Bug report #982904,
regarding mumble: CVE-2021-27229
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
982904: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982904
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mumble
Version: 1.3.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/mumble-voip/mumble/pull/4733
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for mumble.
CVE-2021-27229[0]:
| Mumble before 1.3.4 allows remote code execution if a victim navigates
| to a crafted URL on a server list and clicks on the Open Webpage text.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-27229
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27229
[1] https://github.com/mumble-voip/mumble/pull/4733
[2] https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: mumble
Source-Version: 1.3.0~git20190125.440b173+dfsg-2+deb10u1
Done: Christopher Knadle <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mumble, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christopher Knadle <[email protected]> (supplier of updated mumble
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 30 Apr 2021 22:24:25 +0000
Source: mumble
Architecture: source
Version: 1.3.0~git20190125.440b173+dfsg-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Christopher Knadle <[email protected]>
Changed-By: Christopher Knadle <[email protected]>
Closes: 982904
Changes:
mumble (1.3.0~git20190125.440b173+dfsg-2+deb10u1) buster; urgency=medium
.
* debian/patches:
- Add 67-only-http-https-URLs-in-Connect.diff to fix CVE-2021-27229
"Mumble before 1.3.4 allows remote code execution if a victim navigates
to a crafted URL on a server list and clicks on the Open Webpage text."
This patch only allows "http"/"https" URLs in ConnectDialog
(Closes: #982904)
Thanks to Salvatore Bonaccorso <[email protected]> for reporting the bug
and giving links to the fix.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
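
The changelog above describes the fix as allowing only "http"/"https" URLs in ConnectDialog. The following is an added example of such a scheme allow-list check in standard C++; it is not the Mumble patch or the Debian diff, and the function names `url_scheme` and `is_web_url` and the sample URLs are assumptions constructed for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Extract the scheme following the RFC 3986 grammar:
//   scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), terminated by ':'
// Returns the lower-cased scheme, or an empty string if there is no valid scheme.
std::string url_scheme(const std::string &url) {
    const std::size_t colon = url.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    if (!std::isalpha(static_cast<unsigned char>(url[0]))) return "";
    std::string scheme;
    for (std::size_t i = 0; i < colon; ++i) {
        const unsigned char c = static_cast<unsigned char>(url[i]);
        if (!(std::isalnum(c) || c == '+' || c == '-' || c == '.')) return "";
        scheme.push_back(static_cast<char>(std::tolower(c)));
    }
    return scheme;
}

// Hypothetical helper: true only for URLs that may be handed to the
// desktop's URL opener, i.e. absolute http:// or https:// URLs.
bool is_web_url(const std::string &url) {
    // Refuse whitespace and control characters anywhere, so padding
    // cannot be used to slip a different scheme past the comparison.
    for (unsigned char c : url)
        if (c <= 0x20 || c == 0x7f) return false;
    const std::string scheme = url_scheme(url);
    // Exact match after lower-casing: "httpsx" or "file" must not pass.
    if (scheme != "http" && scheme != "https") return false;
    // Require "//" followed by a non-empty authority.
    const std::size_t rest = scheme.size() + 1;
    return url.compare(rest, 2, "//") == 0 && url.size() > rest + 2 &&
           url[rest + 2] != '/';
}

int main() {
    // Constructed sample values, not taken from the bug report.
    const char *samples[] = {"https://example.org/mumble", "HTTP://example.org/",
                             "file:///tmp/x", "httpsx://example.org/",
                             "example.org:8080/page", "https:relative"};
    for (const char *s : samples)
        std::cout << (is_web_url(s) ? "open   " : "refuse ") << s << "\n";
    return 0;
}
```

The check is an allow-list rather than a block-list, so any scheme registered on the desktop later is refused by default.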