Your message dated Fri, 15 Jan 2016 10:17:21 +0000
with message-id <[email protected]>
and subject line Bug#807112: fixed in libpng 1.2.50-2+deb8u2
has caused the Debian Bug report #807112,
regarding libpng: Incomplete fix for CVE-2015-8126
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
807112: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807112
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libpng
Version: 1.2.54-1
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for libpng. It turned out
that the fix for CVE-2015-8126 was not complete, cf. [0]. New versions
fixing CVE-2015-8472 were released as 1.6.20, 1.5.25, 1.4.18,
1.2.55, and 1.0.65.

CVE-2015-8472[1]:
Incomplete fix for CVE-2015-8126

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://marc.info/?l=oss-security&m=144929077710907&w=2
[1] https://security-tracker.debian.org/tracker/CVE-2015-8472

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libpng
Source-Version: 1.2.50-2+deb8u2

We believe that the bug you reported is fixed in the latest version of
libpng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated libpng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 07 Jan 2016 20:05:55 +0100
Source: libpng
Binary: libpng12-0 libpng12-dev libpng3 libpng12-0-udeb
Architecture: source
Version: 1.2.50-2+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Anibal Monsalve Salazar <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 807112 807694
Description: 
 libpng12-0 - PNG library - runtime
 libpng12-0-udeb - PNG library - minimal runtime library (udeb)
 libpng12-dev - PNG library - development
 libpng3    - PNG library - runtime
Changes:
 libpng (1.2.50-2+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add patches to address CVE-2015-8472.
     CVE-2015-8472: Incomplete fix for callers on png_set_PLTE. (Closes: #807112)
   * Add CVE-2015-8540.patch patch.
     CVE-2015-8540: underflow read in png_check_keyword(). (Closes: #807694)


--- End Message ---
