Your message dated Tue, 26 Sep 2023 17:19:53 +0000 with message-id <e1qlbiz-009jgb...@fasolo.debian.org> and subject line Bug#1052176: fixed in rust-bcder 0.7.3-1 has caused the Debian Bug report #1052176, regarding rust-bcder: CVE-2023-39914: BER/CER/DER decoder panics on invalid input (RUSTSEC-2023-0062) to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1052176: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052176 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: rust-bcder Version: 0.6.1-1 Severity: grave Tags: security upstream Justification: user security hole Forwarded: https://github.com/NLnetLabs/bcder/pull/74 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Hi, The following vulnerability was published for rust-bcder. CVE-2023-39914[0]: | NLnet Labs’ bcder library up to and including version 0.7.2 panics | while decoding certain invalid input data rather than rejecting the | data with an error. This can affect both the actual decoding stage | as well as accessing content of types that utilized delayed | decoding. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-39914 https://www.cve.org/CVERecord?id=CVE-2023-39914 [1] https://github.com/NLnetLabs/bcder/pull/74 [2] https://nlnetlabs.nl/downloads/bcder/CVE-2023-39914.txt [3] https://rustsec.org/advisories/RUSTSEC-2023-0062.html Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: rust-bcder Source-Version: 0.7.3-1 Done: James McCoy <james...@debian.org> We believe that the bug you reported is fixed in the latest version of rust-bcder, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1052...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. James McCoy <james...@debian.org> (supplier of updated rust-bcder package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Tue, 26 Sep 2023 13:03:46 -0400 Source: rust-bcder Architecture: source Version: 0.7.3-1 Distribution: unstable Urgency: medium Maintainer: Debian Rust Maintainers <pkg-rust-maintain...@alioth-lists.debian.net> Changed-By: James McCoy <james...@debian.org> Closes: 1052176 Changes: rust-bcder (0.7.3-1) unstable; urgency=medium . * Team upload. * Package bcder 0.7.3 from crates.io using debcargo 2.6.0 * Fix various decoding issues that can lead to a panic on invalid data (Closes: #1052176, CVE-2023-39914) Checksums-Sha1: 288f6a01f3d6d27bf21a3a0403c4994ca1e32f98 2298 rust-bcder_0.7.3-1.dsc 87f6a8416fd2c04cc5aaeb93114baf3782bb786a 63569 rust-bcder_0.7.3.orig.tar.gz d2d24650613bb28523420d063985f972fcdd0791 3064 rust-bcder_0.7.3-1.debian.tar.xz ab0895c43fb5f7e52703da42158c3ff35ed97aa0 7582 rust-bcder_0.7.3-1_source.buildinfo Checksums-Sha256: 7b3003f0ea64474122fa8cb63fb3a74dfc0e6c0daa6b8c93b8f5c95f56a1ef81 2298 rust-bcder_0.7.3-1.dsc bf16bec990f8ea25cab661199904ef452fcf11f565c404ce6cffbdf3f8cbbc47 63569 rust-bcder_0.7.3.orig.tar.gz de56f882b5c77417abc34cf985c02062e7b17a83cbba203a4e7be35c0719b1d8 3064 rust-bcder_0.7.3-1.debian.tar.xz 3aa5e35d8fdd74c6e9e4f2b17639febb2bbd53db86749f8f415783ad1bc0b07a 7582 rust-bcder_0.7.3-1_source.buildinfo Files: e92d69f3e4201308da5a9646c9d7d645 2298 rust optional rust-bcder_0.7.3-1.dsc 8c96bb7f45ba327946ec46636a96c99d 63569 rust optional rust-bcder_0.7.3.orig.tar.gz 5055470e145b8ba2746878de2f781444 3064 rust optional rust-bcder_0.7.3-1.debian.tar.xz 3af9f855dae086d0d0bd9041730281af 7582 rust optional rust-bcder_0.7.3-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEEkb+/TWlWvV33ty0j3+aRrjMbo9sFAmUTDvVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDkx QkZCRjRENjk1NkJENURGN0I3MkQyM0RGRTY5MUFFMzMxQkEzREIACgkQ3+aRrjMb o9sMoBAAlzl8pN1SL+M3d9ggrXQwLSUmipMb/90JiqaieG18IyaMIWF7ztM87xNO vWFmVZDnvWBZK3KN2qlb8a8OMWrfOlV5C7b4uhdQtBPJY+mQ4+mbpSREQ4Pw4A7c 3nnm3BchX5lKiPIyLTaOxtaU/sA/dO1ia+Y88JnzdPUwwY4Y3nIxbtc6N5CV/3Jo v/AhvBmZnWyh0HIR8z9XZd5E6+ocyvMKw81rLLk2Mc0iFGR1VwILffMjkCj38IRl JEPxOP1QAzBTRr9/VK9b8msWX1zmd9NXyaNhBH0dWuvuUwpmBWB9GreRVJb2vfh+ 9MjgIspunpHZza4eQQ8QhQkbkYn6Rc1FbnOIJsL0bdX4aUIU5wjyk49dk4VqAukz /DKT1781DoMCXfymiJe0iwXGGXcrpdczyPSnM1Y4jiy51TvzEYpQPELM4ntKgycO i8/E/AJ82mMLi0ZtTiitWM3JOG1RaSLJGlEivIGPmvcPh6NJWuOSMWU7edyVYMyJ AlNxbtKzabBhLn4EtVPkV+s9LRXcSWMRJ7hJSI0+4hK+2Be+HRTigknixeTYC5FZ e2DAnmTJo/NRJNSSNEh6h4dN6TmSIO3VuN9WcLGDffD6QEyJHdE0wHSYiWlju11f yZk3KmBkwH3xC54Pv4Fa35jY3gaJpoazdZ/Hu43VSMKzfwgb5uE= =sYTb -----END PGP SIGNATURE-----
--- End Message ---
