Your message dated Wed, 01 Jun 2022 18:19:18 +0000
with message-id <e1nwswa-000gjd...@fasolo.debian.org>
and subject line Bug#1011458: fixed in snowflake 2.2.0-1
has caused the Debian Bug report #1011458,
regarding snowflake: CVE-2022-29222 - fails to reject untrustworthy client certificates due to missing checks on private key
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1011458: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011458
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: snowflake
Version: 1.1.0-2
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for snowflake.
CVE-2022-29222[0]:
| Pion DTLS is a Go implementation of Datagram Transport Layer Security.
| Prior to version 2.1.5, a DTLS Client could provide a Certificate that
| it doesn't possess the private key for and Pion DTLS wouldn't reject
| it. This issue affects users that are using Client certificates only.
| The connection itself is still secure. The Certificate provided by
| clients can't be trusted when using a Pion DTLS server prior to
| version 2.1.5. Users should upgrade to version 2.1.5 to receive a
| patch. There are currently no known workarounds.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-29222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29222
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.17.0-2-amd64 (SMP w/6 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
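The missing check described in the CVE text above, as an added example that is not part of the bug report, of snowflake or of Pion DTLS: a DTLS client must prove it holds the private key for the certificate it sends by signing the handshake transcript (the CertificateVerify message), and the server must validate that signature under the certificate's own public key before trusting the certificate; a certificate presented without that proof is rejected. Function names, the Ed25519 key type and the transcript bytes are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// newClientCert builds a throwaway self-signed certificate plus the key behind it (constructed here).
func newClientCert() (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// signCertificateVerify is the client side: sign the handshake transcript with
// the key that belongs to the certificate it sent.
func signCertificateVerify(priv ed25519.PrivateKey, transcript []byte) []byte {
	return ed25519.Sign(priv, transcript)
}

// verifyProofOfPossession is the server-side check that was missing: the
// CertificateVerify signature must validate under the presented cert's key.
func verifyProofOfPossession(cert *x509.Certificate, transcript, sig []byte) bool {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok { // only Ed25519 client certificates are handled in this example
		return false
	}
	return ed25519.Verify(pub, transcript, sig)
}

func main() {
	cert, key, _ := newClientCert()   // honest client: cert and its matching key
	_, otherKey, _ := newClientCert() // a key the certificate does not belong to
	transcript := []byte("constructed handshake transcript")
	fmt.Println(verifyProofOfPossession(cert, transcript, signCertificateVerify(key, transcript)))      // true
	fmt.Println(verifyProofOfPossession(cert, transcript, signCertificateVerify(otherKey, transcript))) // false
}
```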
--- Begin Message ---
Source: snowflake
Source-Version: 2.2.0-1
Done: Ruben Pollan <mes...@sindominio.net>
We believe that the bug you reported is fixed in the latest version of
snowflake, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1011...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ruben Pollan <mes...@sindominio.net> (supplier of updated snowflake package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Thu, 26 May 2022 15:50:00 +0200
Source: snowflake
Architecture: source
Version: 2.2.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Privacy Tools Maintainers <pkg-privacy-maintain...@lists.alioth.debian.org>
Changed-By: Ruben Pollan <mes...@sindominio.net>
Closes: 1011457 1011458
Changes:
snowflake (2.2.0-1) unstable; urgency=medium
.
* New upstream release.
* Update vendored code solving CVE-2022-29189, CVE-2022-29190, CVE-2022-29222. (Closes: #1011458, #1011457)
* Remove proxy patch included in upstream.
--- End Message ---