Your message dated Fri, 30 Nov 2018 20:59:40 +0000
with message-id <e1gspsy-0007sf...@fasolo.debian.org>
and subject line Bug#914393: fixed in keepalived 1:2.0.10-1
has caused the Debian Bug report #914393,
regarding keepalived: CVE-2018-19115 heap-based buffer overflow and DoS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
914393: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914393
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: keepalived
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for keepalived.

CVE-2018-19115[0]:
| keepalived before 2.0.7 has a heap-based buffer overflow when parsing
| HTTP status codes resulting in DoS or possibly unspecified other
| impact, because extract_status_code in lib/html.c has no validation of
| the status code and instead writes an unlimited amount of data to the
| heap.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19115
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19115

Please adjust the affected versions in the BTS as needed.

Regards,
Markus
--- End Message ---
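The CVE text quoted in the report describes the defect class precisely: the status-code parser copied an unbounded run of bytes from the HTTP status line into a heap buffer without checking the code's length or range. The following added example, written for this thread and not taken from keepalived's lib/html.c, shows what a bounded parser of a status line looks like. The function name `extract_status_code_safe` and the accepted grammar (`HTTP/<version> <3 digits>[ reason]`) are assumptions made for the illustration; the point is that the code is accumulated in a fixed-size integer instead of being copied into a buffer, so the length of attacker-controlled input can never drive a write.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened status-code extractor (added example, not keepalived's code).
 * Parses a status line of the form "HTTP/<version> NNN[ reason...]" and returns
 * the 3-digit status code, or -1 on any malformed input. Nothing is copied into
 * a heap buffer: the code is accumulated into a bounded int, and exactly three
 * ASCII digits are consumed, so the status line's length cannot cause a write. */
int extract_status_code_safe(const char *buf, size_t len)
{
    const char *p = buf;
    const char *end = buf + len;

    /* Require the literal "HTTP/" prefix before doing anything else. */
    if (len < 5 || memcmp(p, "HTTP/", 5) != 0)
        return -1;
    p += 5;

    /* Skip the version token up to the single space that precedes the code. */
    while (p < end && *p != ' ')
        p++;
    if (p == end)
        return -1;
    p++; /* step over the space */

    /* Consume exactly three ASCII digits; anything else is rejected. */
    int code = 0;
    for (int i = 0; i < 3; i++) {
        if (p >= end || !isdigit((unsigned char)*p))
            return -1;
        code = code * 10 + (*p - '0');
        p++;
    }

    /* The code must be followed by end of input, a space, or CRLF;
     * a fourth digit or other junk means the line is malformed. */
    if (p < end && *p != ' ' && *p != '\r' && *p != '\n')
        return -1;

    /* Standard HTTP status codes lie in 100..599. */
    if (code < 100 || code > 599)
        return -1;

    return code;
}

int main(void)
{
    /* Constructed sample status lines (not captured traffic). */
    const char *samples[] = {
        "HTTP/1.1 200 OK\r\n",
        "HTTP/1.0 404 Not Found",
        "HTTP/1.1 2000 OK",                  /* too many digits */
        "HTTP/1.1 99999999999999999999 OK",  /* oversized token: rejected, no write */
        "HTTP/1.1 ",                         /* truncated */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> %d\n", samples[i], extract_status_code_safe(samples[i], strlen(samples[i])));
    return 0;
}
```

A check worth keeping in a regression suite for this class of bug is the oversized-token case: the parser must return an error without touching any buffer, regardless of how long the digit run is.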
--- Begin Message ---
Source: keepalived
Source-Version: 1:2.0.10-1

We believe that the bug you reported is fixed in the latest version of
keepalived, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 914...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Wirt <formo...@debian.org> (supplier of updated keepalived package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 30 Nov 2018 21:20:05 +0100
Source: keepalived
Binary: keepalived
Architecture: source
Version: 1:2.0.10-1
Distribution: unstable
Urgency: high
Maintainer: Alexander Wirt <formo...@debian.org>
Changed-By: Alexander Wirt <formo...@debian.org>
Description:
 keepalived - Failover and monitoring daemon for LVS clusters
Closes: 810347 830196 900260 902978 909697 914393
Changes:
 keepalived (1:2.0.10-1) unstable; urgency=high
 .
   * [3b99bf9] Update vcs headers to salsa
   * [f697779] New upstream version 2.0.2
   * [c97cc19] Enable dbus instance and json output support
   * [27c6d55] syslog is now socket activated
   * [7e2267b] Move to dh11
   * [d0bf9db] there is not systemd sequence in dh11
   * [903a5a0] dh-autoreconf dep is not needed anymore with dh11
   * [c4996bd] Priority extra got replaced by optional
   * [822da17] Remove obsolete patches
   * [1c36cdc] New upstream version 2.0.10
     - Fix overflow in extract_status_code (CVE-2018-19115)
       Closes: #914393, #900260
     - Improve garp refresh handling (Closes: #810347)
     - Improve config parser (Closes: #909697)
   * [990c014] Improve keepalived service (Closes: #902978, #830196)
Checksums-Sha1:
 c611f5fb693d49f2aaac1ef1d6d7ebdfcd56b314 2054 keepalived_2.0.10-1.dsc
 c0b62f6d20a4a322e4bd67b4ae447bb842c28c4c 927631 keepalived_2.0.10.orig.tar.gz
 5e3bc91f4bcbb39067e8a4283c82cb14f09896ba 10124 keepalived_2.0.10-1.debian.tar.xz
 ec9e27ed8ea868d1e35118fb6a81027cc4a0f6e8 7638 keepalived_2.0.10-1_amd64.buildinfo
Checksums-Sha256:
 e9b03181b770cee745d6b27e9827b20d1e241b73cd8193d50d872bafa09006ba 2054 keepalived_2.0.10-1.dsc
 40e0e55afed9ca313d621a9c5878579696fafb5504dab521aadaf20ba6e7f597 927631 keepalived_2.0.10.orig.tar.gz
 882e4d76ec1dea0aa865f092956ced5be0950e419681700ad70162635d230c05 10124 keepalived_2.0.10-1.debian.tar.xz
 dfc65817bd9ead59fee18bf0adfa37b75e7fb024b4c7b4985cb1ad1d4762a0d9 7638 keepalived_2.0.10-1_amd64.buildinfo
Files:
 ffc64cfd50834d6025f571617ff7131d 2054 admin optional keepalived_2.0.10-1.dsc
 ac93d7eb5b69a9fbf7494fcf27b39ccf 927631 admin optional keepalived_2.0.10.orig.tar.gz
 5196b8fba5962d72eda10925c88c7f36 10124 admin optional keepalived_2.0.10-1.debian.tar.xz
 aef5c84d1e23a54ea8887639aba7aa2e 7638 admin optional keepalived_2.0.10-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEbjlmweHRXblz0FtJHkX4yp3iOxYFAlwBnx8ACgkQHkX4yp3i
OxYEEA//dEXQ7ny9CCaadLccLkbkkAkSss0JvxOYl3eTQFWh+neIwC8Nv/zbGJpF
cG4Mc5J1kTMAlv96gQq7JzdKY/qEc0z6LY+gi1oYLX6Um6/tO9cb4+dc/tz/PGY7
9l9+TfToByJ1J1T1biBv7T2vIwvF9umRctRmH5Sx7hBPSe+J/aut0zl8FgS+ezH6
DPPCL6Suwxiy8g9vjMdAcPKvHNyAq3ubW5YXKVhEvy+M2g4Q2Q7eqEsnQk0Odsb+
ArfyXPo4n7+v2zVZsQU9hdYObz9TFXfvOGAsXyPdcTCtyBkAdL7NKjBeZXhHfQ3X
lJfEcz4fFjTjZRzD0w3BT4h7BOjvKEzClB4sLLESztsQkcPb2JjpZ/J3ZJhEN74n
E1m3vhLku67RRY1cqsfVihL+vLa103e49aOp3505LSegmZH/oOx6sa8Pz0cBAJzk
dwy5p7jCcbPp6oqjTSzRUxeMI4ksBhClAi3x63eECErWOLANGt0ov6AIr6RIZetR
LIhk66qwZWT0iAEhw0LEWF59vSJwbdtQZOqHOnojZ7lYZMTEVn3fdYaNu01JuM2L
yKQ+mjOVyw6zmFkftiqtcNv+1foWJkTkOk4+1lSrh/lOxOI8mS0Qws+ZfSl74X4Z
hf4VFSULlEcyHpw5hz+nfAAzI/OmuggdHLnV5924osAUI71as5I=
=IpF7
-----END PGP SIGNATURE-----
--- End Message ---