Your message dated Sat, 28 Sep 2024 16:47:08 +0000
with message-id <e1suab6-002dhe...@fasolo.debian.org>
and subject line Bug#1073249: fixed in booth 1.0-283-g9d4029a-2+deb12u1
has caused the Debian Bug report #1073249,
regarding booth: CVE-2024-3049
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1073249: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073249
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: booth
Version: 1.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/ClusterLabs/booth/pull/142
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for booth.

CVE-2024-3049[0]:
| A flaw was found in Booth, a cluster ticket manager. If a specially-
| crafted hash is passed to gcry_md_get_algo_dlen(), it may allow an
| invalid HMAC to be accepted by the Booth server.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3049
    https://www.cve.org/CVERecord?id=CVE-2024-3049
[1] https://github.com/ClusterLabs/booth/pull/142

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: booth
Source-Version: 1.0-283-g9d4029a-2+deb12u1
Done: Adrian Bunk <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
booth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1073...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated booth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 24 Sep 2024 17:03:44 +0300
Source: booth
Architecture: source
Version: 1.0-283-g9d4029a-2+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian HA Maintainers <debian-ha-maintain...@alioth-lists.debian.net>
Changed-By: Adrian Bunk <b...@debian.org>
Closes: 1073249
Changes:
 booth (1.0-283-g9d4029a-2+deb12u1) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2024-3049: wrong hmac might be accepted (Closes: #1073249)



--- End Message ---
