Your message dated Wed, 21 Sep 2022 20:04:18 +0000
with message-id <e1ob5xc-009viv...@fasolo.debian.org>
and subject line Bug#1016976: fixed in connman 1.36-2.2+deb11u1
has caused the Debian Bug report #1016976,
regarding connman: CVE-2022-32292 CVE-2022-32293
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1016976: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016976
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: connman
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for connman.

CVE-2022-32292[0]:
| In ConnMan through 1.41, remote attackers able to send HTTP requests
| to the gweb component are able to exploit a heap-based buffer overflow
| in received_data to execute code.

https://lore.kernel.org/connman/20220801080043.4861-5-w...@monom.org/
https://bugzilla.suse.com/show_bug.cgi?id=1200189

CVE-2022-32293[1]:
| In ConnMan through 1.41, a man-in-the-middle attack against a WISPR
| HTTP query could be used to trigger a use-after-free in WISPR
| handling, leading to crashes or code execution.

https://lore.kernel.org/connman/20220801080043.4861-1-w...@monom.org/
https://lore.kernel.org/connman/20220801080043.4861-3-w...@monom.org/
https://bugzilla.suse.com/show_bug.cgi?id=1200190

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-32292
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32292
[1] https://security-tracker.debian.org/tracker/CVE-2022-32293
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32293

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: connman
Source-Version: 1.36-2.2+deb11u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
connman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1016...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated connman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 03 Sep 2022 20:04:37 +0200
Source: connman
Architecture: source
Version: 1.36-2.2+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Alexander Sack <a...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1004935 1016976
Changes:
 connman (1.36-2.2+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * dnsproxy: Simplify udp_server_event()
   * dnsproxy: Validate input data before using them (CVE-2022-23096,
     CVE-2022-23097) (Closes: #1004935)
   * dnsproxy: Avoid 100 % busy loop in TCP server case (CVE-2022-23098)
     (Closes: #1004935)
   * dnsproxy: Keep timeout in TCP case even after connection is established
     (CVE-2022-23098) (Closes: #1004935)
   * gweb: Fix OOB write in received_data() (CVE-2022-32292) (Closes: #1016976)
   * wispr: Add reference counter to portal context (CVE-2022-32293)
     (Closes: #1016976)
   * wispr: Update portal context references (CVE-2022-32293)
     (Closes: #1016976)


--- End Message ---
