Your message dated Mon, 18 Mar 2024 22:02:34 +0000
with message-id <e1rml3y-00gr9e...@fasolo.debian.org>
and subject line Bug#1063484: fixed in libuv1 1.40.0-2+deb11u1
has caused the Debian Bug report #1063484,
regarding libuv1: CVE-2024-24806
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1063484: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063484
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libuv1
Version: 1.46.0-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for libuv1.
CVE-2024-24806[0]:
| libuv is a multi-platform support library with a focus on
| asynchronous I/O. The `uv_getaddrinfo` function in
| `src/unix/getaddrinfo.c` (and its windows counterpart
| `src/win/getaddrinfo.c`), truncates hostnames to 256 characters
| before calling `getaddrinfo`. This behavior can be exploited to
| create addresses like `0x00007f000001`, which are considered valid
| by `getaddrinfo` and could allow an attacker to craft payloads that
| resolve to unintended IP addresses, bypassing developer checks. The
| vulnerability arises due to how the `hostname_ascii` variable (with
| a length of 256 bytes) is handled in `uv_getaddrinfo` and
| subsequently in `uv__idna_toascii`. When the hostname exceeds 256
| characters, it gets truncated without a terminating null byte. As a
| result, attackers may be able to access internal APIs or, for websites
| (similar to MySpace) that allow users to have
| `username.example.com` pages. Internal services that crawl or cache
| these user pages can be exposed to SSRF attacks if a malicious user
| chooses a long vulnerable username. This issue has been addressed in
| release version 1.48.0. Users are advised to upgrade. There are no
| known workarounds for this vulnerability.
Note that the advisory at [1] mentions that affected versions are
only > 1.45.x. Looking at the git changes, is it not introduced after
6dd44caa35b4 ("unix,win: support IDNA 2008 in uv_getaddrinfo()") in
v1.24.0?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-24806
https://www.cve.org/CVERecord?id=CVE-2024-24806
[1] https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
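To make the truncation described in the CVE text concrete, here is an added example (not libuv's code and not part of this thread) that puts a truncating copy into a 256-byte buffer beside a length check that rejects over-long names instead. The buffer size follows the advisory; the error value, the sample hostname and all function names are constructed for the illustration.

```c
#include <string.h>

#define HOSTNAME_BUF 256    /* buffer size named in the advisory (hostname_ascii) */
#define ERR_INVALID  (-22)  /* stand-in for an EINVAL-style error code (assumption) */

/* Truncating variant, the pattern the CVE text describes: a name of
 * HOSTNAME_BUF or more bytes is cut to 256 bytes and, as the terminator
 * no longer fits, the buffer is left without a NUL. Returns bytes copied. */
size_t copy_hostname_truncating(char *dst, const char *src) {
    size_t n = strlen(src);
    if (n > HOSTNAME_BUF)
        n = HOSTNAME_BUF;
    memcpy(dst, src, n);
    if (n < HOSTNAME_BUF)
        dst[n] = '\0';      /* only terminated when the name fits */
    return n;
}

/* Hardened variant: a name that does not fit together with its NUL is
 * rejected outright instead of silently becoming a different, shorter
 * name. Returns 0 on success or ERR_INVALID. */
int copy_hostname_checked(char *dst, const char *src) {
    size_t n = strlen(src);
    if (n >= HOSTNAME_BUF)
        return ERR_INVALID;
    memcpy(dst, src, n + 1); /* copies the terminator too */
    return 0;
}

/* Constructed sample input: a 300-byte label followed by ".example.com". */
const char *long_hostname(void) {
    static char name[320];
    memset(name, 'a', 300);
    memcpy(name + 300, ".example.com", sizeof ".example.com");
    return name;
}

/* 1 if the truncating copy of the sample leaves no NUL inside the buffer. */
int truncating_copy_unterminated(void) {
    char buf[HOSTNAME_BUF];
    copy_hostname_truncating(buf, long_hostname());
    return memchr(buf, '\0', HOSTNAME_BUF) == NULL;
}

/* Result code of the checked copy for any name. */
int checked_copy_result(const char *src) {
    char buf[HOSTNAME_BUF];
    return copy_hostname_checked(buf, src);
}
```

With the sample name, the truncating copy leaves 256 bytes of label and no terminator, so any later `strlen` or `getaddrinfo` call reads past the buffer; the checked copy returns the error code and the caller never resolves a name it did not receive.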
--- Begin Message ---
Source: libuv1
Source-Version: 1.40.0-2+deb11u1
Done: Dominique Dumont <d...@debian.org>
We believe that the bug you reported is fixed in the latest version of
libuv1, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1063...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominique Dumont <d...@debian.org> (supplier of updated libuv1 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Wed, 06 Mar 2024 18:40:12 +0100
Source: libuv1
Architecture: source
Version: 1.40.0-2+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Dominique Dumont <d...@debian.org>
Changed-By: Dominique Dumont <d...@debian.org>
Closes: 1063484
Changes:
libuv1 (1.40.0-2+deb11u1) bullseye-security; urgency=medium
.
* add patch to fix CVE-2024-24806 (Closes: 1063484)
--- End Message ---