Your message dated Fri, 28 Feb 2025 10:36:43 +0000
with message-id <[email protected]>
and subject line Bug#1095838: fixed in fastdds 3.1.2+ds-1
has caused the Debian Bug report #1095838,
regarding fastdds: CVE-2025-24807
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1095838: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095838
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: fastdds
Version: 3.1.0+ds-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/eProsima/Fast-DDS/pull/5530
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for fastdds.
CVE-2025-24807[0]:
| eprosima Fast DDS is a C++ implementation of the DDS (Data
| Distribution Service) standard of the OMG (Object Management Group).
| Prior to versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0,
| per design, PermissionsCA is not full chain validated, nor is the
| expiration date validated. Access control plugin validates only the
| S/MIME signature which causes an expired PermissionsCA to be taken
| as valid. Even though this issue is responsible for allowing
| `governance/permissions` from an expired PermissionsCA and having
| the system crash when PermissionsCA is not self-signed and contains
| the full-chain, the impact is low. Versions 2.6.10, 2.10.7, 2.14.5,
| 3.0.2, 3.1.2, and 3.2.0 contain a fix for the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-24807
https://www.cve.org/CVERecord?id=CVE-2025-24807
[1] https://github.com/eProsima/Fast-DDS/pull/5530
[2] https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-w33g-jmm2-8983
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
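The advisory quoted above describes a signer-certificate check that stops at the S/MIME signature: a governance or permissions document is accepted as long as the signature verifies under the key in the PermissionsCA certificate, so an expired PermissionsCA, or one that is not self-signed and whose issuer has never been configured as a trust anchor, is treated as valid. The Go program below is an added illustration of that failure mode and of the check a hardened implementation needs; it is not Fast DDS code and does not reproduce the upstream fix. It constructs its own root CA and a non-self-signed PermissionsCA that expired in 2021, signs a constructed document with the PermissionsCA key, and runs both the signature-only check and the full check (signature, chain to a configured trust anchor, and validity period). Assumptions: a raw ECDSA-with-SHA256 signature stands in for the S/MIME (CMS) envelope Fast DDS uses, the evaluation date of 2025-02-28 matches the date of this bug report, and Go's crypto/x509 does the chain walk; IsExpiredError is a helper added here to separate the expiry failure from other chain failures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Fixture is a constructed trust chain (not from any real DDS deployment): a root CA plus an expired, non-self-signed PermissionsCA issued by it.
type Fixture struct {
	Root, PermissionsCA *x509.Certificate
	permKey             *ecdsa.PrivateKey // signs governance/permissions documents
}

func caTemplate(serial int64, cn string, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// BuildFixture: root valid 2020-2040; PermissionsCA issued by that root, expired on 2021-01-01.
func BuildFixture() *Fixture {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	permKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	rootTmpl := caTemplate(1, "Example Root CA", time.Date(2040, 1, 1, 0, 0, 0, 0, time.UTC))
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	permTmpl := caTemplate(2, "Example Permissions CA", time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC))
	return &Fixture{Root: root, PermissionsCA: issue(permTmpl, root, &permKey.PublicKey, rootKey), permKey: permKey}
}

// SignDocument signs with the PermissionsCA key. A raw ECDSA-with-SHA256 signature
// stands in for the S/MIME (CMS) envelope Fast DDS uses; the checks below concern the signer certificate.
func (f *Fixture) SignDocument(doc []byte) []byte {
	sum := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, f.permKey, sum[:])
	must(err)
	return sig
}

// VerifySignatureOnly models the pre-fix behaviour the advisory describes: the
// document is accepted once its signature verifies under the key in the
// PermissionsCA certificate. Validity period and issuer are never examined.
func VerifySignatureOnly(doc, sig []byte, permissionsCA *x509.Certificate) error {
	return permissionsCA.CheckSignature(x509.ECDSAWithSHA256, doc, sig)
}

// VerifyDocument is the hardened check: the signature must verify AND the PermissionsCA
// certificate must chain to a configured trust anchor and lie inside its validity period
// at evaluation time. x509.Verify walks the chain and checks NotBefore/NotAfter on every certificate.
func VerifyDocument(doc, sig []byte, permissionsCA *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	if err := permissionsCA.CheckSignature(x509.ECDSAWithSHA256, doc, sig); err != nil {
		return fmt.Errorf("document signature: %w", err)
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := permissionsCA.Verify(opts); err != nil {
		return fmt.Errorf("PermissionsCA certificate: %w", err)
	}
	return nil
}

func IsExpiredError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	f, doc := BuildFixture(), []byte("<dds><permissions/></dds>") // constructed document
	roots := x509.NewCertPool()
	roots.AddCert(f.Root)
	sig := f.SignDocument(doc)
	fmt.Println("signature-only:", VerifySignatureOnly(doc, sig, f.PermissionsCA))
	fmt.Println("full check:", VerifyDocument(doc, sig, f.PermissionsCA, roots, time.Date(2025, 2, 28, 0, 0, 0, 0, time.UTC)))
}
```

Run as written, the signature-only check returns nil for the expired PermissionsCA while the full check returns a "certificate has expired" error. Moving the evaluation time back inside the PermissionsCA's validity period makes the full check pass, and removing the root from the pool makes it fail with an unknown-authority error instead, which is the distinction a deployment with a chained (non-self-signed) PermissionsCA file depends on.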
--- Begin Message ---
Source: fastdds
Source-Version: 3.1.2+ds-1
Done: Timo Röhling <[email protected]>
We believe that the bug you reported is fixed in the latest version of
fastdds, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Timo Röhling <[email protected]> (supplier of updated fastdds package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 27 Feb 2025 11:54:35 +0100
Source: fastdds
Architecture: source
Version: 3.1.2+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Robotics Team <[email protected]>
Changed-By: Timo Röhling <[email protected]>
Closes: 1095838
Changes:
fastdds (3.1.2+ds-1) unstable; urgency=medium
.
* New upstream version 3.1.2+ds
- Fix CVE-2025-24807: Permissions CA is not verified (Closes: #1095838)
* Refresh patches (no functional changes)
* Bump Standards-Version to 4.7.2
* Wrap and sort Debian package files
Checksums-Sha1:
20dce043b02a20928e324fd607c0bb65717ab96d 3420 fastdds_3.1.2+ds-1.dsc
d6012e45160b5e4c7adca0a11247446847932ea9 2757664 fastdds_3.1.2+ds.orig.tar.xz
d57ef737006974564a14dbb25c20f59c06ecf1e0 17760 fastdds_3.1.2+ds-1.debian.tar.xz
Checksums-Sha256:
bca5e040ca1cce7f012502104ace1a4e22e26d3719482b93f2af7741b86294f5 3420 fastdds_3.1.2+ds-1.dsc
c2f3e69c88214f5a48c4b7254cad14e2a1e4583be510b8874a43ee4dbb9ddeef 2757664 fastdds_3.1.2+ds.orig.tar.xz
2b7c1a5b29bbda9fb5b1eddac8c34a114d55a6aaf726db23c67e54ac51d06519 17760 fastdds_3.1.2+ds-1.debian.tar.xz
Files:
fde690bf159e923023339703d3f49256 3420 libs optional fastdds_3.1.2+ds-1.dsc
0d04a6c5f87779ec54d5f9ac74d75d9a 2757664 libs optional fastdds_3.1.2+ds.orig.tar.xz
b2b15db1eb4db56133dcfb52317be433 17760 libs optional fastdds_3.1.2+ds-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEEmwPruYMA35fCsSO/zIxr3RQD9MoFAmfBjZUUHHJvZWhsaW5n
QGRlYmlhbi5vcmcACgkQzIxr3RQD9MrvRQ/7B+lPVf+jGmgnl51ByEaqPqqtq2Sv
AX3IKdhj4MaikHkYtKXcLdCYp8fbZVabZBkwg+WBo0xhuiIXRhRKEoLa6mchMnXK
LCCLsnoq8DGmiI8iFkdFQ2OXgzBSRE22hu9PjNxJUSDiBzc80SoPYUDbIQ/ckIjC
7n7oQWtSNGrl4Mu2hi4Ce+plDaON5k/rwdx6rOXlrt/vVordtTj8yF5Tt1Y5kVXO
X7CFnY0AJ98XfSZtmhBBYmH+BtMf0bXy6eWXnn8Ar3Hl6JQ7KkZHJCO3eGfMtRmj
/GIrp1KeP5ExnxMZw4Gbz1BRXf8QWLX+nBEituy5jCg1fPC0WPy+X+CbLjRyP8z9
T8d714Su1z2DtSPkEuGaM1W19t+CD+WkAAeGGxShPQPg9LTVCmzt0S/AbcvU0M8m
rerdxvYqteWWaysZhABVeR9KSJ2qaHq1D/PiDdsunFOfqSDOugURFXPp2rQQn0PA
tqJrV5btNPySQj1Pes7V2dIjARbZDCS7n1soRh8+DmPV1OqrfX23VD7SXrtMvQZy
H1d4lkFtbLuE1GS0oBLTXzBmWFVC0D+n4PLxHOMUD3QjvOYYHt0CWIdQz9t7EsZa
Lo1QbrPMyMNpjK+2CKNy+Ct0+sm3+q/E+PAIcUE9+zJGcU9A9Qh9BDFddXHDrthW
jGixq9haU8/6oHE=
=I7Ss
-----END PGP SIGNATURE-----
--- End Message ---