Your message dated Sat, 02 Dec 2023 15:32:18 +0000
with message-id <e1r9ryc-0037y9...@fasolo.debian.org>
and subject line Bug#1054163: fixed in fastdds 2.9.1+ds-1+deb12u2
has caused the Debian Bug report #1054163,
regarding fastdds: CVE-2023-42459
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054163: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054163
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: fastdds
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for fastdds.

CVE-2023-42459[0]:
| Fast DDS is a C++ implementation of the DDS (Data Distribution
| Service) standard of the OMG (Object Management Group). In affected
| versions specific DATA submessages can be sent to a discovery
| locator which may trigger a free error. This can remotely crash any
| Fast-DDS process. The call to free() could potentially leave the
| pointer in the attackers control which could lead to a double free.
| This issue has been addressed in versions 2.12.0, 2.11.3, 2.10.3,
| and 2.6.7. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-gq8g-fj58-22gm
https://github.com/eProsima/Fast-DDS/issues/3207
https://github.com/eProsima/Fast-DDS/pull/3824
https://github.com/eProsima/Fast-DDS/commit/1e978c6f3d0ca1df6b323b37fd4902b0762ececb


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-42459
    https://www.cve.org/CVERecord?id=CVE-2023-42459

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: fastdds
Source-Version: 2.9.1+ds-1+deb12u2
Done: Timo Röhling <roehl...@debian.org>

We believe that the bug you reported is fixed in the latest version of
fastdds, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Röhling <roehl...@debian.org> (supplier of updated fastdds package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 24 Oct 2023 23:01:43 +0200
Source: fastdds
Architecture: source
Version: 2.9.1+ds-1+deb12u2
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Robotics Team <team+robot...@tracker.debian.org>
Changed-By: Timo Röhling <roehl...@debian.org>
Closes: 1054163
Changes:
 fastdds (2.9.1+ds-1+deb12u2) bookworm-security; urgency=medium
 .
   * Backport security fix
     - CVE-2023-42459 Bad-free when receiving malformed DATA submessage
     (Closes: #1054163)


--- End Message ---
