Your message dated Mon, 19 Feb 2024 07:49:25 +0000
with message-id <[email protected]>
and subject line Bug#1063484: fixed in libuv1 1.48.0-1
has caused the Debian Bug report #1063484,
regarding libuv1: CVE-2024-24806
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1063484: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063484
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libuv1
Version: 1.46.0-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for libuv1.
CVE-2024-24806[0]:
| libuv is a multi-platform support library with a focus on
| asynchronous I/O. The `uv_getaddrinfo` function in
| `src/unix/getaddrinfo.c` (and its windows counterpart
| `src/win/getaddrinfo.c`), truncates hostnames to 256 characters
| before calling `getaddrinfo`. This behavior can be exploited to
| create addresses like `0x00007f000001`, which are considered valid
| by `getaddrinfo` and could allow an attacker to craft payloads that
| resolve to unintended IP addresses, bypassing developer checks. The
| vulnerability arises due to how the `hostname_ascii` variable (with
| a length of 256 bytes) is handled in `uv_getaddrinfo` and
| subsequently in `uv__idna_toascii`. When the hostname exceeds 256
| characters, it gets truncated without a terminating null byte. As a
| result attackers may be able to access internal APIs or for websites
| (similar to MySpace) that allow users to have
| `username.example.com` pages. Internal services that crawl or cache
| these user pages can be exposed to SSRF attacks if a malicious user
| chooses a long vulnerable username. This issue has been addressed in
| release version 1.48.0. Users are advised to upgrade. There are no
| known workarounds for this vulnerability.
Note that the advisory at [1] mentions that affected versions are
only > 1.45.x. Looking at the git changes, is it not introduced after
6dd44caa35b4 ("unix,win: support IDNA 2008 in uv_getaddrinfo()") in
v1.24.0?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-24806
https://www.cve.org/CVERecord?id=CVE-2024-24806
[1] https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
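Added example (not libuv code and not part of either message in this thread): it models the 256-byte hostname_ascii truncation the CVE text describes next to the caller-side length and syntax guard an application can apply before any resolver call. HOSTNAME_ASCII_MAX mirrors the buffer size named in the advisory; vulnerable_copy, hostname_is_safe and demo_truncation_vs_guard are names assumed here, and the 300-character name is constructed input.

```c
/* Added example, not libuv code: the truncation path described in the CVE
 * text beside a caller-side guard. Function names here are assumed. */
#include <stdio.h>
#include <string.h>

#define HOSTNAME_ASCII_MAX 256  /* size of hostname_ascii in affected uv_getaddrinfo */
#define DNS_NAME_MAX 255        /* RFC 1035 upper bound on a full domain name */

/* Models the pre-1.48.0 behaviour: copy at most 256 bytes into a 256-byte
 * buffer, so an over-long name is cut short and gets no terminating NUL. */
size_t vulnerable_copy(char dst[HOSTNAME_ASCII_MAX], const char *src) {
    size_t n = strlen(src);
    if (n > HOSTNAME_ASCII_MAX) n = HOSTNAME_ASCII_MAX;  /* silent truncation */
    memcpy(dst, src, n);
    return n;  /* == HOSTNAME_ASCII_MAX means no NUL was written */
}

/* Guard to run before any resolver call: reject over-long names, empty or
 * over-long labels, and bytes outside letters/digits/hyphen. Returns 1 if ok. */
int hostname_is_safe(const char *name) {
    size_t label = 0, labels = 0;
    if (strlen(name) > DNS_NAME_MAX) return 0;
    for (const char *p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '.') {
            if (label == 0) return 0;  /* leading dot or "a..b" */
            label = 0; labels++;
            continue;
        }
        int ldh = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '-';
        if (!ldh || ++label > 63) return 0;
    }
    return label > 0 || labels > 0;  /* empty string fails; trailing dot is fine */
}

/* Constructed 300-char username label (the CVE's "long username" case):
 * returns 1 if the copy yields 256 NUL-less bytes and the guard rejects it. */
int demo_truncation_vs_guard(void) {
    char name[301], dst[HOSTNAME_ASCII_MAX];
    memset(name, 'u', 300); name[300] = '\0';
    size_t n = vulnerable_copy(dst, name);  /* overwrites all 256 bytes of dst */
    int no_nul = memchr(dst, '\0', sizeof dst) == NULL;
    return n == HOSTNAME_ASCII_MAX && no_nul && !hostname_is_safe(name);
}

int main(void) {
    printf("demo_truncation_vs_guard() = %d\n", demo_truncation_vs_guard());
    return 0;
}
```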
--- Begin Message ---
Source: libuv1
Source-Version: 1.48.0-1
Done: Dominique Dumont <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libuv1, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominique Dumont <[email protected]> (supplier of updated libuv1 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 14 Feb 2024 18:47:19 +0100
Source: libuv1
Architecture: source
Version: 1.48.0-1
Distribution: unstable
Urgency: medium
Maintainer: Dominique Dumont <[email protected]>
Changed-By: Dominique Dumont <[email protected]>
Closes: 1063484
Changes:
libuv1 (1.48.0-1) unstable; urgency=medium
.
[ Dominique Dumont ]
* new upstream version:
* Fix CVE-2024-24806 (Closes: #1063484)
* copyright: update with cme
* refreshed patches
* rm patch lp2046442-linux-don-t-use-io_uring-...
* refreshed symbols file
--- End Message ---