Your message dated Thu, 10 Oct 2013 17:48:34 +0000 with message-id <e1vukli-0006ma...@franck.debian.org> and subject line Bug#725938: fixed in libtar 1.2.20-1 has caused the Debian Bug report #725938, regarding libtar: CVE-2013-4397: Integer overflow to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 725938: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725938 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: libtar Severity: grave Tags: security upstream patch fixed-upstream Hi, the following vulnerability was published for libtar. CVE-2013-4397[0]: Integer overflow Upstream announcement is at [1] and the commit fixing this issue is at [2]. 1.2.20 upstream fixes this issues too. But see also [3]. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4397 http://security-tracker.debian.org/tracker/CVE-2013-4397 [1] https://lists.feep.net:8080/pipermail/libtar/2013-October/000361.html [2] http://repo.or.cz/w/libtar.git/commit/45448e8bae671c2f7e80b860ae0fc0cedf2bdc04 [3] http://www.openwall.com/lists/oss-security/2013/10/10/8 Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: libtar Source-Version: 1.2.20-1 We believe that the bug you reported is fixed in the latest version of libtar, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 725...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Magnus Holmgren <holmg...@debian.org> (supplier of updated libtar package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 10 Oct 2013 19:20:49 +0200 Source: libtar Binary: libtar-dev libtar0 Architecture: source amd64 Version: 1.2.20-1 Distribution: unstable Urgency: high Maintainer: Magnus Holmgren <holmg...@debian.org> Changed-By: Magnus Holmgren <holmg...@debian.org> Description: libtar-dev - C library for manipulating tar archives (development files) libtar0 - C library for manipulating tar archives Closes: 725938 Changes: libtar (1.2.20-1) unstable; urgency=high . * [SECURITY] New upstream release. Fixes CVE-2013-4397: Integer overflow (Closes: #725938). * Bump Standards-Version to 3.9.4. Checksums-Sha1: 43dccd1a99eadcef7419656e6468333c4a0177f9 1240 libtar_1.2.20-1.dsc 8589154a4707033b3f2dd2d201918cd6a7064d5e 63542 libtar_1.2.20.orig.tar.gz 1bade84273df5236c43b8ed22a9012f4c3dbd212 4615 libtar_1.2.20-1.debian.tar.gz 346cc4ebd85b843e9122e16d5a5a440da13e8325 40814 libtar-dev_1.2.20-1_amd64.deb 0b1aea991000d15745270cec9e5bd1ebac28bc17 21468 libtar0_1.2.20-1_amd64.deb Checksums-Sha256: c73111a5a99645df8a65de49521b0ade6d213414c2983d8c20ee5cc485700fa3 1240 libtar_1.2.20-1.dsc 50f24c857a7ef1cb092e6508758b86d06f1188508f897f3e6b40c573e8879109 63542 libtar_1.2.20.orig.tar.gz 8d749cfc6dd8ec012355928b0a446582e6aaf1b57763acb6cec5fb50e6ad2b14 4615 libtar_1.2.20-1.debian.tar.gz efbacafc3de331e3add667012e936a767edb0b562f7133b656adf60e7ff46ec3 40814 libtar-dev_1.2.20-1_amd64.deb 28c396015944b2a1ac92b099d7b75862815909cd49d2e4b70e7557eefe146b23 21468 libtar0_1.2.20-1_amd64.deb Files: 4b36f0b2c7d22ecf8b6ba6c407554186 1240 libs optional libtar_1.2.20-1.dsc 6ced95ab3a4b33fbfe2dfb231d156cdb 63542 libs optional libtar_1.2.20.orig.tar.gz 55cedff3d6b0f811ab8fbf767d83a1d9 4615 libs optional libtar_1.2.20-1.debian.tar.gz cfa9f4d342ccb15630f8f0806ce5e707 40814 libdevel optional libtar-dev_1.2.20-1_amd64.deb d64f8f70a848998fca99fd7040688adf 21468 libs optional libtar0_1.2.20-1_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) iEYEAREIAAYFAlJW5DQACgkQk7mRNn1h4+ZpewCg7kFhXxhSbjTD+wISFiwr54GJ q/kAn2vgUHaDUC50ZoML5p/fBWs6GAlg =DXwX -----END PGP SIGNATURE-----
--- End Message ---
