Your message dated Mon, 19 May 2025 19:34:59 +0000
with message-id <e1uh6gj-0062ba...@fasolo.debian.org>
and subject line Bug#1104932: fixed in finit 4.12-1
has caused the Debian Bug report #1104932,
regarding finit: CVE-2025-32022
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1104932: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104932
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: finit
Version: 4.11-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for finit.

CVE-2025-32022[0]:
| Finit provides fast init for Linux systems. Finit's urandom plugin
| has a heap buffer overwrite vulnerability at boot which leads to it
| overwriting other parts of the heap, possibly causing random
| instabilities and undefined behavior. The urandom plugin is enabled
| by default, so this bug affects everyone using Finit 4.2 or later
| that do not explicitly disable the plugin at build time. This bug is
| fixed in Finit 4.12. Those who cannot upgrade or backport the fix to
| urandom.c are strongly recommended to disable the plugin in the call
| to the `configure` script.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-32022
    https://www.cve.org/CVERecord?id=CVE-2025-32022
[1] https://github.com/troglobit/finit/security/advisories/GHSA-fv6v-vw8h-9x79
[2] https://github.com/troglobit/finit/commit/3feff37ba51fa0a6a0a06f59682a0918aa5b04de

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: finit
Source-Version: 4.12-1
Done: Yangfl <mmyan...@gmail.com>

We believe that the bug you reported is fixed in the latest version of
finit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1104...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yangfl <mmyan...@gmail.com> (supplier of updated finit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 09 May 2025 23:26:56 +0800
Source: finit
Architecture: source
Version: 4.12-1
Distribution: unstable
Urgency: medium
Maintainer: Yangfl <mmyan...@gmail.com>
Changed-By: Yangfl <mmyan...@gmail.com>
Closes: 1104932
Changes:
 finit (4.12-1) unstable; urgency=medium
 .
   * New upstream release
     * Fix CVE-2025-32022 (Closes: #1104932)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
