Control: tag -1 +pending
Control: fixed -1 2.20.4-1

Hello Salvatore,

Thank you very much for the bug report.

On Thu, 2016-12-15 at 06:49 +0100, Salvatore Bonaccorso wrote:
> Source: apport
> Version: 2.16.2-1
> Severity: grave
> Tags: security upstream patch
> Justification: user security hole
> 

I am just curious how you came up with that version because it is quite old.
apport is only available through Experimental and its current version in
experimental is: 2.20.3-1


> Hi,
> 
> the following vulnerabilities were published for apport.
> 
> CVE-2016-9949[0], CVE-2016-9950[1], CVE-2016-9951[2].
> 
> Details are in the Launchpad bug[3].
> 


Thanks. Upstream has mentioned that all vulnerabilities are fixed in version
2.20.4, for which I've made an upload. It should clear ftp-masters queue soon.

Since this is an experimental-only package, is any action required anywhere
else?


> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-9949
> [1] https://security-tracker.debian.org/tracker/CVE-2016-9950
> [2] https://security-tracker.debian.org/tracker/CVE-2016-9951
> [3] https://bugs.launchpad.net/apport/+bug/1648806
> 
> Regards,
> Salvatore
- -- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System