Your message dated Wed, 23 Oct 2024 18:53:57 +0200
with message-id <zxkqjrztt13ux...@eldamar.lan>
and subject line Re: Accepted coreutils 9.5-1 (source amd64) into unstable
has caused the Debian Bug report #1061138,
regarding coreutils: CVE-2024-0684: heap overflow in split --line-bytes with
very long lines
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1061138: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061138
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: coreutils
Version: 9.4-3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for coreutils.
CVE-2024-0684[0]:
| heap overflow in split --line-bytes with very long lines
Note, the severity is chosen as such to make sure the fix lands in
trixie, but is slightly overrated. If you feel strongly about it feel free to
downgrade.
The issue can be reproduced with:
{ printf '%131070s\n' ''; printf 'x\n'; printf '%131071s\n' ''; } > in
split -C 131072 ---io=131072 in
and only affects trixie and unstable versions of split.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-0684
https://www.cve.org/CVERecord?id=CVE-2024-0684
[1] https://www.openwall.com/lists/oss-security/2024/01/18/2
Regards,
Salvatore
--- End Message ---
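A regression check built on the reproducer in the report above, added here as an example (it is not part of the original messages or of coreutils): it reruns the reported command in a scratch directory and verifies that split exits cleanly and that its pieces reassemble to the input. The function name, its return codes and the `out.` prefix are this example's own choices.

```shell
#!/bin/sh
# Added example: regression check around the reproducer from the bug report.
# Return codes (this example's own convention):
#   0 = split exited cleanly and its output is intact
#   1 = split crashed, failed, or produced wrong output
#   2 = check could not run (split is not GNU coreutils, or no temp dir)
check_split_line_bytes() {
    limit=131072
    split --version 2>/dev/null | grep -q 'GNU coreutils' || return 2

    work=$(mktemp -d) || return 2
    (
        cd "$work" || exit 1
        # Input exactly as given in the bug report.
        { printf '%131070s\n' ''; printf 'x\n'; printf '%131071s\n' ''; } > in

        # Options exactly as given in the report; pieces get the prefix "out.".
        split -C "$limit" ---io="$limit" in out. || exit 1

        # Invariant 1: the pieces, concatenated in order, reproduce the input.
        cat out.* | cmp -s - in || exit 1

        # Invariant 2: no piece is larger than the -C limit.
        for piece in out.*; do
            size=$(wc -c < "$piece")
            [ "$size" -le "$limit" ] || exit 1
        done
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}

check_split_line_bytes && echo "split -C output intact" \
    || echo "check did not pass (rc=$?)"
```

A pass means no crash and no visible output corruption; running the same command under a memory checker is more conclusive for a heap overflow.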
--- Begin Message ---
Source: coreutils
Source-Version: 9.5-1
On Wed, Oct 23, 2024 at 02:55:19PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Wed, 23 Oct 2024 09:08:43 -0400
> Source: coreutils
> Binary: coreutils coreutils-dbgsym
> Architecture: source amd64
> Version: 9.5-1
> Distribution: unstable
> Urgency: low
> Maintainer: Michael Stone <mst...@debian.org>
> Changed-By: Michael Stone <mst...@debian.org>
> Description:
> coreutils - GNU core utilities
> Closes: 1033277
> Changes:
> coreutils (9.5-1) unstable; urgency=low
> .
> * New upstream version (Closes: #1033277)
> * drop cp -n patch
> * drop non-essential attributes in upstream/signing-key.asc to reduce size
> * update watch file to use https rather than ftp
>
> -----BEGIN PGP SIGNATURE-----
>
> -----END PGP SIGNATURE-----
--- End Message ---