Your message dated Sat, 09 Nov 2019 20:35:16 +0000 with message-id <e1itxs0-000hhv...@fasolo.debian.org> and subject line Bug#942401: fixed in ncurses 6.1+20181013-2+deb10u2 has caused the Debian Bug report #942401, regarding ncurses: CVE-2019-17594 CVE-2019-17595 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 942401: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: ncurses Version: 6.1+20190803-1 Severity: important Tags: security upstream Hi, The following vulnerabilities were published for ncurses. CVE-2019-17594[0]: | There is a heap-based buffer over-read in the _nc_find_entry function | in tinfo/comp_hash.c in the terminfo library in ncurses before | 6.1-20191012. CVE-2019-17595[1]: | There is a heap-based buffer over-read in the fmt_entry function in | tinfo/comp_hash.c in the terminfo library in ncurses before | 6.1-20191012. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-17594 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17594 https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html [1] https://security-tracker.debian.org/tracker/CVE-2019-17595 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595 https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: ncurses Source-Version: 6.1+20181013-2+deb10u2 We believe that the bug you reported is fixed in the latest version of ncurses, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 942...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Sven Joachim <svenj...@gmx.de> (supplier of updated ncurses package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 02 Nov 2019 19:16:19 +0100 Source: ncurses Architecture: source Version: 6.1+20181013-2+deb10u2 Distribution: buster Urgency: medium Maintainer: Craig Small <csm...@debian.org> Changed-By: Sven Joachim <svenj...@gmx.de> Closes: 942401 Changes: ncurses (6.1+20181013-2+deb10u2) buster; urgency=medium . * Cherry-pick tic fixes from upstream patchlevels 20191012, 20191015 and 20191019 (Closes: #942401). - Check for invalid hashcode in _nc_find_type_entry and nc_find_entry (CVE-2019-17594). - Check for missing character after backslash in fmt_entry (CVE-2019-17595). - Check for acsc with odd length in dump_entry in check for one-one mapping. - Check for missing character after backslash in write_it. - Modify tic to exit if it cannot remove a conflicting name, because treating that as a partial success can cause an infinite loop in use-resolution. Checksums-Sha1: ed7904b940476997b7fefa844f5bd917eec14ece 4179 ncurses_6.1+20181013-2+deb10u2.dsc 2f6d909f968686b2cd51ddd899fe2c4a6f898bda 61664 ncurses_6.1+20181013-2+deb10u2.debian.tar.xz 2ac80702e01a33dc92babc7982fda3f9004bb7ba 5633 ncurses_6.1+20181013-2+deb10u2_source.buildinfo Checksums-Sha256: 8318631ff3298951a93d6dd6c20bd47c9e5fdaaf30578d541bd6404bdd5317ea 4179 ncurses_6.1+20181013-2+deb10u2.dsc 4574ec11ce2577e76f30f8d40cc2a9ebf94d8208f47247021da88b7b09e77df9 61664 ncurses_6.1+20181013-2+deb10u2.debian.tar.xz 4a1a288a94105e741273602640584d005137ae8ff8750efe1af03c9561c54f9c 5633 ncurses_6.1+20181013-2+deb10u2_source.buildinfo Files: 98b8b2b7ab90f586868ad80c4c5f8daa 4179 libs required ncurses_6.1+20181013-2+deb10u2.dsc 3f10bbd22130474b1719151f030a997d 61664 libs required ncurses_6.1+20181013-2+deb10u2.debian.tar.xz fab24601fb35f8f6ab384f5114b4defa 5633 libs required ncurses_6.1+20181013-2+deb10u2_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEKF8heKgv5Jai5p4QOxBucY1rMawFAl29yOcACgkQOxBucY1r Max8Mw/8Dd/XowXSpNPEd4fcv4dyAq9ro6/gVyUgXKhM3xeiSjp1QRiWPZYCvxmt ZPhl1ds6FGCmmvRd5ivG7cdNekTySYQ2v7Z79R8Kg+GKvuBcrFytCEDDHYI945bW F+Sj7YqNpU3S9p9fQ79B1Zd6UOd5Cfsmc+u39PXNxGEI72TGYhblskJtUKU3c84p wB63r3u23+OjUmAr3NKAXiLkpxdbvVv64qhQng1T7aANHNpK87xSS/pWhFddIt7a wkHNGi1uUg1UDn3LcT5TwZUznK8kOrFi271i1mSjE5jT69hnjouc1LC3Tn/2mime clBSw5a0xawyD7QaU7xuFUC+oGrT+UTyE3jqy1zZZLhTQkpY9ek3Wd1hZ7Q6elE1 6p17cm2iWGT+r3S+rtDl7AHW1R5QXACMt7KcnCNWARlFlZUK5VkgaL+A5oclsJgN 6Xv1ePtiXm0C5undGmnaZgpkJzCpfNw1msrgfeZ/xB8cIq6xdltkjNhNYNjhEFJq +Ikthhv8ujT016iv3hlXcGHL91S5g0YtL7LUwRADedITmb3T++76Zs6wUyT2LxbT vJpX7JJrYI+jdImiJI4BvvM1A5X8KpXqtAx+Gn+A4aTZaKZv8Y9ESgSt9f4vRAeZ 3/CdfmK+9FKK2wtLRQSvNyC8Qzow7AA3kM2mnvo1x+I+njp3C3M= =SU/Z -----END PGP SIGNATURE-----
--- End Message ---
