Your message dated Fri, 15 Jan 2016 10:18:21 +0000
with message-id <[email protected]>
and subject line Bug#807112: fixed in libpng 1.2.49-1+deb7u2
has caused the Debian Bug report #807112,
regarding libpng: Incomplete fix for CVE-2015-8126
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
807112: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807112
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libpng
Version: 1.2.54-1
Severity: important
Tags: security upstream fixed-upstream
Hi,
the following vulnerability was published for libpng. It turned out
that the fix for CVE-2015-8126 was not complete, cf. [0]. New versions
fixing CVE-2015-8472 were released as 1.6.20, 1.5.25, 1.4.18,
1.2.55, and 1.0.65.
CVE-2015-8472[1]:
Incomplete fix for CVE-2015-8126
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://marc.info/?l=oss-security&m=144929077710907&w=2
[1] https://security-tracker.debian.org/tracker/CVE-2015-8472
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libpng
Source-Version: 1.2.49-1+deb7u2
We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libpng package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 07 Jan 2016 20:07:15 +0100
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source amd64
Version: 1.2.49-1+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Anibal Monsalve Salazar <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
libpng12-0 - PNG library - runtime
libpng12-0-udeb - PNG library - minimal runtime library (udeb)
libpng12-dev - PNG library - development
libpng3 - PNG library - runtime
Closes: 807112 807694
Changes:
libpng (1.2.49-1+deb7u2) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add patches to address CVE-2015-8472.
CVE-2015-8472: Incomplete fix for callers on png_set_PLTE. (Closes:
#807112)
* Add CVE-2015-8540.patch patch.
CVE-2015-8540: underflow read in png_check_keyword(). (Closes: #807694)
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---