Your message dated Sat, 14 Mar 2020 12:34:41 +0000
with message-id <[email protected]>
and subject line Bug#953270: fixed in libusrsctp 0.9.3.0+20200312-1
has caused the Debian Bug report #953270,
regarding libusrsctp: CVE-2019-20503
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
953270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953270
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libusrsctp
Version: 0.9.3.0+20190901-1
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for libusrsctp.
CVE-2019-20503[0]:
| usrsctp before 2019-12-20 has out-of-bounds reads in
| sctp_load_addresses_from_init.
Details in [1] and fixed upstream in [2].
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-20503
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20503
[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1992
[2] https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-4-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Source: libusrsctp
Source-Version: 0.9.3.0+20200312-1
Done: Jonas Smedegaard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libusrsctp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <[email protected]> (supplier of updated libusrsctp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 14 Mar 2020 13:03:35 +0100
Source: libusrsctp
Architecture: source
Version: 0.9.3.0+20200312-1
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Jonas Smedegaard <[email protected]>
Closes: 953270
Changes:
libusrsctp (0.9.3.0+20200312-1) unstable; urgency=medium
  .
  [ upstream ]
  * New development snapshot.
    + improve input validation for some parameters
      closes: Bug#953270, thanks to Salvatore Bonaccorso
      ( CVE-2019-20503 )
  .
  [ Jonas Smedegaard ]
  * Bump debhelper from old 9 to 12.
  * Set debhelper-compat version in Build-Depends.
  * Set upstream metadata fields: Bug-Database, Bug-Submit.
  * Drop unnecessary dh arguments: --parallel
  * stop build-depend on dh-autoreconf autotools-dev
  * copyright-check: skip fuzzer corpus
  * use dh execute_after_* (not override_*)
  * declare compliance with Debian Policy 4.5.0
  * add symbols file
  * copyright:
    + update tracking of a few renamed files
    + track 1 file with slightly different copyright/licensing
Checksums-Sha1:
1554913cf4b6ea034d7de0c5dd3af8d82fdae477 2169 libusrsctp_0.9.3.0+20200312-1.dsc
f617d924f90a2259901be71e16e374f43ea58e2c 484388 libusrsctp_0.9.3.0+20200312.orig.tar.xz
7930d43321c4e0aeeb663a034bd3ab70d7e54b0c 10912 libusrsctp_0.9.3.0+20200312-1.debian.tar.xz
dd5fa01871ba88ba53af5381a6b5ddc1b109cc2b 7721 libusrsctp_0.9.3.0+20200312-1_amd64.buildinfo
Checksums-Sha256:
f311b909ab84311ebdd2cebe8a96c5a5af86bd2f6d912066663bdd7e686e6d3c 2169 libusrsctp_0.9.3.0+20200312-1.dsc
76d74ca55c1ee19192ba9ae4bac6d13fa5f86993893cfc8fd706790280e7737e 484388 libusrsctp_0.9.3.0+20200312.orig.tar.xz
5cea1a0a0f4577657820c823b06019bb143e58caab76635279467fb3096f6fe2 10912 libusrsctp_0.9.3.0+20200312-1.debian.tar.xz
5b8f827395e686f4c4899ffdc5f76b7909326bf3eacc3c0e1442fa1afccce8e7 7721 libusrsctp_0.9.3.0+20200312-1_amd64.buildinfo
Files:
726fc0327658831895ffc899498e8295 2169 net optional libusrsctp_0.9.3.0+20200312-1.dsc
8460c11fcc532f209ee12df19419b2a4 484388 net optional libusrsctp_0.9.3.0+20200312.orig.tar.xz
c590235f7baff754da77755cd9381758 10912 net optional libusrsctp_0.9.3.0+20200312-1.debian.tar.xz
00c3f2f2d7518e56841796077550460d 7721 net optional libusrsctp_0.9.3.0+20200312-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---