Your message dated Sat, 21 May 2022 04:33:48 +0000
with message-id <e1nsgog-000584...@fasolo.debian.org>
and subject line Bug#1010377: fixed in golang-v2ray-core 4.34.0-7
has caused the Debian Bug report #1010377,
regarding V2Ray CVE-2021-4070 DoS by Authenticated VMess Server patch not
applied
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1010377: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010377
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: v2ray
Version: 4.34.0-1
Control: severity -1 serious
This bug is submitted by upstream developers for a serious DoS bug
within V2Ray that has been patched in upstream since 05 Dec 2021, and
subsequently published, but remains unpatched in Debian. The fix for this
bug is included in v4.44.0
(https://github.com/v2fly/v2ray-core/releases/tag/v4.44.0).
It has been identified as:
CVE-2021-4070 (https://nvd.nist.gov/vuln/detail/CVE-2021-4070)
This vulnerability allows a VMess Server controlled by an attacker to
crash a VMess Client by sending a specially crafted handshake response
reply with an (optional) VMess SwitchAccount Command that is one byte
shorter than expected. This vulnerability does NOT allow the attacker to
retrieve any information from a client other than that it used an unpatched
version of the software and does NOT allow the attacker to control the
unpatched software or system. It is strongly recommended for all users
to apply this security update at the earliest possible opportunity. We
would like to thank geeknik for the responsible disclosure of this
vulnerability.
Fix:
https://github.com/v2fly/v2ray-core/commit/c1af2bfd7aa59a4482aa7f6ec4b9208c1d350b5c
--- End Message ---
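The failure mode described in the report above, a command body one byte shorter than expected crashing the parser, shown as an added Go example; it is not code from v2ray-core or from the upstream fix. The field layout and the names `Command`, `parseLax`, `parseStrict` and `guard` are hypothetical and do not reproduce the VMess wire format.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical layout, NOT the VMess wire format: hostLen(1) | host | level(1) | validMin(1)
type Command struct {
	Host            string
	Level, ValidMin byte
}

var ErrShort = errors.New("command: insufficient length")

// parseLax under-counts the required length by one, so a body that stops
// just before validMin passes the check and the last index panics.
func parseLax(data []byte) (*Command, error) {
	if len(data) == 0 || len(data) < int(data[0])+2 { // off by one: needs +3
		return nil, ErrShort
	}
	tail := 1 + int(data[0]) // offset of the level byte
	return &Command{Host: string(data[1:tail]), Level: data[tail], ValidMin: data[tail+1]}, nil
}

// parseStrict checks the full required length before reading any field.
func parseStrict(data []byte) (*Command, error) {
	if len(data) == 0 || len(data) < int(data[0])+3 {
		return nil, ErrShort
	}
	tail := 1 + int(data[0])
	return &Command{Host: string(data[1:tail]), Level: data[tail], ValidMin: data[tail+1]}, nil
}

// guard turns a parser panic into an error, so one bad peer costs one connection, not the process.
func guard(parse func([]byte) (*Command, error), data []byte) (cmd *Command, err error) {
	defer func() {
		if r := recover(); r != nil {
			cmd, err = nil, fmt.Errorf("parser panic: %v", r)
		}
	}()
	return parse(data)
}

func main() {
	short := []byte{1, 'h', 0} // constructed sample: validMin byte is missing
	_, e1 := guard(parseLax, short)
	_, e2 := guard(parseStrict, short)
	fmt.Println(e1, "|", e2)
}
```

Without `guard`, the out-of-range index in `parseLax` is an unrecovered panic and terminates the whole Go process, which is the client crash the report describes.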
--- Begin Message ---
Source: golang-v2ray-core
Source-Version: 4.34.0-7
Done: Roger Shimizu <r...@debian.org>
We believe that the bug you reported is fixed in the latest version of
golang-v2ray-core, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1010...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Roger Shimizu <r...@debian.org> (supplier of updated golang-v2ray-core package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 21 May 2022 13:14:29 +0900
Source: golang-v2ray-core
Architecture: source
Version: 4.34.0-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Roger Shimizu <r...@debian.org>
Closes: 1009818 1010377
Changes:
 golang-v2ray-core (4.34.0-7) unstable; urgency=medium
 .
   * debian/patches:
     - Cherry pick from upstream to fix issues:
       + Crashes when VMess Protocol is used (Closes: #1009818).
       + CVE-2021-4070 DoS by Authenticated VMess Server
         (Closes: #1010377).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---