Your message dated Mon, 04 Nov 2024 18:41:09 +0000
with message-id <e1t820j-0035ck...@fasolo.debian.org>
and subject line Bug#1086505: Removed package(s) from unstable
has caused the Debian Bug report #1059261,
regarding clickhouse: CVE-2023-48298 CVE-2023-47118 CVE-2022-44011 CVE-2022-44010
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1059261: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059261
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: clickhouse
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for clickhouse.
CVE-2023-48298[0]:
| ClickHouse® is an open-source column-oriented database management
| system that allows generating analytical data reports in real-time.
| This vulnerability is an integer underflow resulting in a crash due to
| stack buffer overflow in decompression of FPC codec. It can be
| triggered and exploited by an unauthenticated attacker. The
| vulnerability is very similar to CVE-2023-47118 with how the
| vulnerable function can be exploited.
https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938
https://github.com/ClickHouse/ClickHouse/pull/56795
CVE-2023-47118[1]:
| ClickHouse® is an open-source column-oriented database management
| system that allows generating analytical data reports in real-time.
| A heap buffer overflow issue was discovered in ClickHouse server. An
| attacker could send a specially crafted payload to the native
| interface exposed by default on port 9000/tcp, triggering a bug in
| the decompression logic of T64 codec that crashes the ClickHouse
| server process. This attack does not require authentication. Note
| that this exploit can also be triggered via HTTP protocol, however,
| the attacker will need a valid credential as the HTTP authentication
| takes place first. This issue has been fixed in version
| 23.10.2.13-stable, 23.9.4.11-stable, 23.8.6.16-lts and
| 23.3.16.7-lts.
https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v
CVE-2022-44011[2]:
| An issue was discovered in ClickHouse before 22.9.1.2603. An
| authenticated user (with the ability to load data) could cause a
| heap buffer overflow and crash the server by inserting a malformed
| CapnProto object. The fixed versions are 22.9.1.2603, 22.8.2.11,
| 22.7.4.16, 22.6.6.16, and 22.3.12.19.
https://github.com/ClickHouse/ClickHouse/pull/40241
CVE-2022-44010[3]:
| An issue was discovered in ClickHouse before 22.9.1.2603. An
| attacker could send a crafted HTTP request to the HTTP Endpoint
| (usually listening on port 8123 by default), causing a heap-based
| buffer overflow that crashes the process. This does not require
| authentication. The fixed versions are 22.9.1.2603, 22.8.2.11,
| 22.7.4.16, 22.6.6.16, and 22.3.12.19.
https://github.com/ClickHouse/ClickHouse/pull/40292
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-48298
https://www.cve.org/CVERecord?id=CVE-2023-48298
[1] https://security-tracker.debian.org/tracker/CVE-2023-47118
https://www.cve.org/CVERecord?id=CVE-2023-47118
[2] https://security-tracker.debian.org/tracker/CVE-2022-44011
https://www.cve.org/CVERecord?id=CVE-2022-44011
[3] https://security-tracker.debian.org/tracker/CVE-2022-44010
https://www.cve.org/CVERecord?id=CVE-2022-44010
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Version: 18.16.1+ds-7.4+rm
Dear submitter,
as the package clickhouse has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/1086505
The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.
Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)
--- End Message ---