Your message dated Wed, 01 Jun 2022 18:19:18 +0000
with message-id <[email protected]>
and subject line Bug#1011457: fixed in snowflake 2.2.0-1
has caused the Debian Bug report #1011457,
regarding snowflake: CVE-2022-29189 CVE-2022-29190 - infinite loop and
excessive memory usage in vendor pion DTLS
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1011457: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011457
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: snowflake
Version: 1.1.0-2
Severity: important
Tags: security
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for snowflake, via the
github.com/pion/dtls/v2 package included in debian/vendor/
CVE-2022-29189[0]:
| Pion DTLS is a Go implementation of Datagram Transport Layer Security.
| Prior to version 2.1.4, a buffer that was used for inbound network
| traffic had no upper limit. Pion DTLS would buffer all network traffic
| from the remote user until the handshake completed or timed out. An
| attacker could exploit this to cause excessive memory usage. Version
| 2.1.4 contains a patch for this issue. There are currently no known
| workarounds available.
CVE-2022-29190[1]:
| Pion DTLS is a Go implementation of Datagram Transport Layer Security.
| Prior to version 2.1.4, an attacker can send packets that send Pion
| DTLS into an infinite loop when processing. Version 2.1.4 contains a
| patch for this issue. There are currently no known workarounds
| available.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-29189
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29189
[1] https://security-tracker.debian.org/tracker/CVE-2022-29190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29190
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.17.0-2-amd64 (SMP w/6 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
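The two CVE descriptions above name two defect classes in a DTLS receiver: retaining every byte a peer sends before the handshake completes with no upper bound, and a record-processing loop that attacker-controlled lengths can keep spinning. The following Go program is an added illustration of the hardened shape of both, written for this report and not taken from pion/dtls or snowflake; the record layout is the standard DTLS 1.2 13-byte header, while the limits (`maxInboundBuffer`, `maxRecordsPerRead`) and all type and function names are assumptions chosen for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Limits below are assumptions for this example, not values from pion/dtls.
const (
	recordHeaderLen   = 13        // DTLS 1.2 record header: type(1) version(2) epoch(2) seq(6) length(2)
	contentHandshake  = 22        // TLS ContentType value for handshake records
	maxInboundBuffer  = 16 * 1024 // cap on handshake bytes held before the handshake completes
	maxRecordsPerRead = 64        // cap on records processed from one datagram
)

var (
	ErrBufferLimit    = errors.New("inbound handshake buffer limit exceeded")
	ErrTruncated      = errors.New("record length exceeds datagram")
	ErrTooManyRecords = errors.New("too many records in one datagram")
	ErrNoProgress     = errors.New("record parser did not advance")
)

// record is the header view of one DTLS record plus its payload.
type record struct {
	contentType byte
	epoch       uint16
	payload     []byte
}

// parseRecord reads one record from the front of buf and reports how many bytes it consumed.
// The declared length is validated against what was actually received before it is trusted.
func parseRecord(buf []byte) (record, int, error) {
	if len(buf) < recordHeaderLen {
		return record{}, 0, ErrTruncated
	}
	length := int(binary.BigEndian.Uint16(buf[11:13]))
	end := recordHeaderLen + length
	if end > len(buf) {
		return record{}, 0, ErrTruncated
	}
	r := record{
		contentType: buf[0],
		epoch:       binary.BigEndian.Uint16(buf[3:5]),
		payload:     buf[recordHeaderLen:end],
	}
	return r, end, nil
}

// splitRecords walks every record in a datagram. Two guards keep a crafted datagram from
// holding the loop: the cursor must advance on each iteration, and the iteration count is
// bounded (the failure class described for CVE-2022-29190).
func splitRecords(datagram []byte) ([]record, error) {
	var out []record
	for off := 0; off < len(datagram); {
		if len(out) >= maxRecordsPerRead {
			return nil, ErrTooManyRecords
		}
		r, n, err := parseRecord(datagram[off:])
		if err != nil {
			return nil, err
		}
		if n <= 0 { // defensive invariant: a parser that consumed nothing must not be retried
			return nil, ErrNoProgress
		}
		out = append(out, r)
		off += n
	}
	return out, nil
}

// handshakeReceiver holds handshake payloads until the handshake completes.
type handshakeReceiver struct {
	buffered []byte
	limit    int
	done     bool
}

func newHandshakeReceiver(limit int) *handshakeReceiver {
	return &handshakeReceiver{limit: limit}
}

// receive is the bounded path: unlike the unbounded buffering described for CVE-2022-29189,
// it refuses to retain more than limit bytes from a peer that never finishes the handshake.
func (h *handshakeReceiver) receive(datagram []byte) error {
	recs, err := splitRecords(datagram)
	if err != nil {
		return err
	}
	for _, r := range recs {
		if r.contentType != contentHandshake || h.done {
			continue
		}
		if len(h.buffered)+len(r.payload) > h.limit {
			return ErrBufferLimit
		}
		h.buffered = append(h.buffered, r.payload...)
	}
	return nil
}

// makeRecord builds a constructed DTLS 1.2 record (epoch 0, sequence 0) for the examples below.
func makeRecord(contentType byte, payload []byte) []byte {
	hdr := make([]byte, recordHeaderLen)
	hdr[0] = contentType
	hdr[1], hdr[2] = 0xfe, 0xfd // DTLS 1.2 protocol version bytes
	binary.BigEndian.PutUint16(hdr[11:13], uint16(len(payload)))
	return append(hdr, payload...)
}

func main() {
	// A peer that keeps sending handshake data without ever completing is cut off at the cap.
	h := newHandshakeReceiver(maxInboundBuffer)
	chunk := makeRecord(contentHandshake, make([]byte, 1024))
	var err error
	n := 0
	for err == nil {
		err = h.receive(chunk)
		n++
	}
	fmt.Printf("receiver stopped at datagram %d: %v\n", n, err)

	// A record whose declared length exceeds the datagram is rejected instead of waited on.
	bad := makeRecord(contentHandshake, make([]byte, 10))[:15]
	_, err = splitRecords(bad)
	fmt.Println("truncated record:", err)
}
```

With a 16 KiB cap and 1 KiB handshake records, the sixteenth datagram fills the buffer and the seventeenth is refused; the receiver's memory is bounded by the cap regardless of how long the peer stalls the handshake.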
--- Begin Message ---
Source: snowflake
Source-Version: 2.2.0-1
Done: Ruben Pollan <[email protected]>
We believe that the bug you reported is fixed in the latest version of
snowflake, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ruben Pollan <[email protected]> (supplier of updated snowflake package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 26 May 2022 15:50:00 +0200
Source: snowflake
Architecture: source
Version: 2.2.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Privacy Tools Maintainers <[email protected]>
Changed-By: Ruben Pollan <[email protected]>
Closes: 1011457 1011458
Changes:
snowflake (2.2.0-1) unstable; urgency=medium
.
* New upstream release.
* Update vendored code solving CVE-2022-29189, CVE-2022-29190,
CVE-2022-29222. (Closes: #1011458, #1011457)
* Remove proxy patch included in upstream.
Checksums-Sha1:
abe5c0a88a60b9599617396e6576f5796dae7c0c 2262 snowflake_2.2.0-1.dsc
02a96ed5bc3b2055dc305956b70da7a1d683b8eb 148757 snowflake_2.2.0.orig.tar.gz
71891af98715f691ec2265373aed701230be44a9 405248 snowflake_2.2.0-1.debian.tar.xz
1c5346f7db3540a3bbc4abbb082a1f93b601e27c 8921 snowflake_2.2.0-1_amd64.buildinfo
Checksums-Sha256:
8c7149c123f1054c25d3e6aeb5e16127aae172895cb1b2a0631fcd5bd64709ea 2262 snowflake_2.2.0-1.dsc
2310fc18fb5197007d9c49577604af5fad1b5e1826a8136aa7930dddace7860c 148757 snowflake_2.2.0.orig.tar.gz
cf6f3a4b4bab1be2b0f838ec1ad6ee3b9aa19713bb15b7220ede17db6014290d 405248 snowflake_2.2.0-1.debian.tar.xz
2123306ed636445962e5ff4a1cb62143ac9f5a1206e7aef2d9d3bfc6ebe40d05 8921 snowflake_2.2.0-1_amd64.buildinfo
Files:
cb188b23a637c0ad974aa384c79c7a6c 2262 golang optional snowflake_2.2.0-1.dsc
d4f36bfb7ca2c5c1d8bf3475fc5b1bda 148757 golang optional snowflake_2.2.0.orig.tar.gz
a06d081f22a22ec8920cc4ef364e520e 405248 golang optional snowflake_2.2.0-1.debian.tar.xz
4d57acc2654c3a788fdef0295f9e3926 8921 golang optional snowflake_2.2.0-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEexZCBNCWcjsBljWrPqHd3bJh2XsFAmKXp64ACgkQPqHd3bJh
2Xtf4Qf/YPlljb0QNefJ317jKNvC6PgvRhzrV3gaK4YN0rJkKzhS/ukpS7FLEHMm
AVWzWX+cKA4pfIw3EPZNlBL+pa7jTgvYdCMiRec0XsuOkxVyURt3UqFaeEBtDdJe
hy3vFQePS1wuZsAZo+yG/ZGAQ7+JK4wm7dx7zdYS7hYSN5QO68m4KSVb5rlyHVFD
9OO4/jSaS+pIfYmhJiLM2b3TBpNmINP9Db/7GqPWvKOVxkss3vPDcgPmSwU0XLy0
P/bxv9ZuSVCQzt7k7UOFnyPsukkac6mwMK3rRwkuvTa/Q+9CRHzhTzkU4gaZKTP+
04XIWS9gkcS7xdpO4UcCcZ1xiQSMSQ==
=9f0W
-----END PGP SIGNATURE-----
--- End Message ---