Your message dated Sun, 10 Mar 2024 17:43:07 +0100
with message-id <7cd759e0-2e04-4191-9789-61bd06429...@debian.org>
and subject line Re: azure-uamqp-python: CVE-2024-25110
has caused the Debian Bug report #1064051,
regarding azure-uamqp-python: CVE-2024-25110
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1064051: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064051
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: azure-uamqp-python
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for azure-uamqp-python.
CVE-2024-25110[0]:
| The UAMQP is a general purpose C library for AMQP 1.0. During a call
| to open_get_offered_capabilities, a memory allocation may fail
| causing a use-after-free issue and if a client called it during
| connection communication it may cause a remote code execution. Users
| are advised to update the submodule with commit `30865c9c`. There
| are no known workarounds for this vulnerability.
azure-uamqp-python appears bundle azure-uamqp-c, so presumably it's
also affected?
https://github.com/Azure/azure-uamqp-c/commit/30865c9ccedaa32ddb036e87a8ebb52c3f18f695
https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-c646-4whf-r67v
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-25110
https://www.cve.org/CVERecord?id=CVE-2024-25110
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Version: azure-uamqp-python/1.6.8-2
Whoops, I flubbed the bug number in the changelog, sorry!
On Fri, 16 Feb 2024 15:20:46 +0100 =?UTF-8?Q?Moritz_M=C3=BChlenhoff?=
<j...@inutil.org> wrote:
> Source: azure-uamqp-python
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerability was published for azure-uamqp-python.
>
> CVE-2024-25110[0]:
> | The UAMQP is a general purpose C library for AMQP 1.0. During a call
> | to open_get_offered_capabilities, a memory allocation may fail
> | causing a use-after-free issue and if a client called it during
> | connection communication it may cause a remote code execution. Users
> | are advised to update the submodule with commit `30865c9c`. There
> | are no known workarounds for this vulnerability.
>
> azure-uamqp-python appears bundle azure-uamqp-c, so presumably it's
> also affected?
>
>
https://github.com/Azure/azure-uamqp-c/commit/30865c9ccedaa32ddb036e87a8ebb52c3f18f695
>
https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-c646-4whf-r67v
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-25110
> https://www.cve.org/CVERecord?id=CVE-2024-25110
>
> Please adjust the affected versions in the BTS as needed.
>
>
--
Michael R. Crusoe
OpenPGP_signature.asc
Description: OpenPGP digital signature
--- End Message ---
