Your message dated Sun, 17 Mar 2024 17:02:40 +0000
with message-id <e1rltuc-00agdi...@fasolo.debian.org>
and subject line Bug#1063484: fixed in libuv1 1.44.2-1+deb12u1
has caused the Debian Bug report #1063484,
regarding libuv1: CVE-2024-24806
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
1063484: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063484
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libuv1
Version: 1.46.0-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libuv1.

CVE-2024-24806[0]:
| libuv is a multi-platform support library with a focus on
| asynchronous I/O. The `uv_getaddrinfo` function in
| `src/unix/getaddrinfo.c` (and its windows counterpart
| `src/win/getaddrinfo.c`), truncates hostnames to 256 characters
| before calling `getaddrinfo`. This behavior can be exploited to
| create addresses like `0x00007f000001`, which are considered valid
| by `getaddrinfo` and could allow an attacker to craft payloads that
| resolve to unintended IP addresses, bypassing developer checks. The
| vulnerability arises due to how the `hostname_ascii` variable (with
| a length of 256 bytes) is handled in `uv_getaddrinfo` and
| subsequently in `uv__idna_toascii`. When the hostname exceeds 256
| characters, it gets truncated without a terminating null byte. As a
| result attackers may be able to access internal APIs or for websites
| (similar to MySpace) that allows users to have
| `username.example.com` pages. Internal services that crawl or cache
| these user pages can be exposed to SSRF attacks if a malicious user
| chooses a long vulnerable username. This issue has been addressed in
| release version 1.48.0. Users are advised to upgrade. There are no
| known workarounds for this vulnerability.

Note that the advisory at [1] mentions that affected versions are
only > 1.45.x. Looking at the git changes, is it not introduced after
6dd44caa35b4 ("unix,win: support IDNA 2008 in uv_getaddrinfo()") in
v1.24.0?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24806
    https://www.cve.org/CVERecord?id=CVE-2024-24806
[1] https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
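The advisory quoted in the report above describes a 256-byte `hostname_ascii` buffer that silently shortens longer names, so the string the resolver receives can differ from the string an application validated. The following is an added example, not libuv code and not part of the bug report: a caller-side check that refuses any hostname longer than the RFC 1035 limit of 255 octets (or with a label over 63 octets, or with characters outside letters, digits, `-` and `.`) before the name is handed to any resolver. The function names `check_hostname` and `check_username_host`, the constructed `username.example.com` inputs and the `HOSTNAME_*` status values are all assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical caller-side check, not libuv code. The advisory says the
 * affected uv_getaddrinfo() copies the hostname into a 256-byte
 * hostname_ascii buffer and truncates longer input without a terminating
 * NUL, so the name the resolver sees can differ from the name the caller
 * validated. Rejecting over-long names before they reach the resolver keeps
 * the validated string and the resolved string identical. */

#define HOSTNAME_MAX_OCTETS 255  /* RFC 1035 limit on a full domain name */
#define LABEL_MAX_OCTETS    63   /* RFC 1035 limit on a single label */

enum hostname_status {
    HOSTNAME_OK = 0,
    HOSTNAME_EMPTY,
    HOSTNAME_TOO_LONG,   /* over 255 octets: would be shortened downstream */
    HOSTNAME_BAD_LABEL   /* empty label, label over 63 octets, or bad character */
};

/* Returns HOSTNAME_OK only for a name that fits the DNS limits and uses
 * only letters, digits, '-' and '.'. The length scan is bounded so a
 * hostile input is never walked past the limit. */
enum hostname_status check_hostname(const char *host)
{
    size_t len = 0;
    size_t label_len = 0;
    size_t i;

    if (host == NULL || host[0] == '\0')
        return HOSTNAME_EMPTY;

    /* Bounded scan: stop as soon as the name is provably too long. */
    while (len <= HOSTNAME_MAX_OCTETS && host[len] != '\0')
        len++;
    if (len > HOSTNAME_MAX_OCTETS)
        return HOSTNAME_TOO_LONG;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label_len == 0)          /* leading dot or ".." */
                return HOSTNAME_BAD_LABEL;
            label_len = 0;
            continue;
        }
        if (!isalnum(c) && c != '-')
            return HOSTNAME_BAD_LABEL;
        if (++label_len > LABEL_MAX_OCTETS)
            return HOSTNAME_BAD_LABEL;
    }
    /* A trailing dot (fully qualified form) is accepted. */
    return HOSTNAME_OK;
}

/* Builds the "username.example.com" shape the advisory mentions from a
 * constructed username of username_len 'a' characters and checks it.
 * example.com is a placeholder domain for this example. */
enum hostname_status check_username_host(size_t username_len)
{
    static const char suffix[] = ".example.com";
    char buf[1024];

    if (username_len + sizeof suffix > sizeof buf)
        return HOSTNAME_TOO_LONG;       /* cannot even be built locally */
    memset(buf, 'a', username_len);
    memcpy(buf + username_len, suffix, sizeof suffix);  /* includes the NUL */
    return check_hostname(buf);
}

int main(void)
{
    static const char *names[] = { "OK", "EMPTY", "TOO_LONG", "BAD_LABEL" };
    size_t lens[] = { 8, 63, 64, 250 };
    size_t k;

    for (k = 0; k < sizeof lens / sizeof lens[0]; k++)
        printf("username of %3zu chars -> %s\n", lens[k],
               names[check_username_host(lens[k])]);
    return 0;
}
```

The check is deliberately stricter than the vulnerable buffer: a name of 256 or more octets is already invalid DNS, so refusing it costs nothing legitimate, and the same bounded-length rule is what a crawler or cache in front of user-controlled `username.example.com` pages would apply before ever calling a resolver.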
--- Begin Message ---
Source: libuv1
Source-Version: 1.44.2-1+deb12u1
Done: Dominique Dumont <d...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libuv1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1063...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominique Dumont <d...@debian.org> (supplier of updated libuv1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 20 Feb 2024 18:28:54 +0100
Source: libuv1
Architecture: source
Version: 1.44.2-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Dominique Dumont <d...@debian.org>
Changed-By: Dominique Dumont <d...@debian.org>
Closes: 1063484
Changes:
 libuv1 (1.44.2-1+deb12u1) bookworm-security; urgency=medium
 .
   * add patch to fix CVE-2024-24806 (Closes: 1063484)
Checksums-Sha1:
 9588ae6ca442e22acaec2475194ec189901f9d4f 2029 libuv1_1.44.2-1+deb12u1.dsc
 ced06e69586ea4b3be56c2cc67caa5dc1718a70c 1308776 libuv1_1.44.2.orig.tar.gz
 5061d77c2055b183b1bc3640f3f53eb9c24c53dd 21460 libuv1_1.44.2-1+deb12u1.debian.tar.xz
 3d8acd17328c4b9935cca168e7bec194226fc46e 8840 libuv1_1.44.2-1+deb12u1_source.buildinfo
Checksums-Sha256:
 798be0a2bcbcd40bb85302f6ccbf02b240e1958d4ad9cf153b8101c3a82f21b9 2029 libuv1_1.44.2-1+deb12u1.dsc
 d79b4b06ef04be85fb890bf39d55942cc64c2e15fd14eaa32dae5dce94485484 1308776 libuv1_1.44.2.orig.tar.gz
 14fc605e7d1520137416fd8c097b58a191be9b07bdbb406f7b39c7894b7d66a5 21460 libuv1_1.44.2-1+deb12u1.debian.tar.xz
 6729f56c1a50bcf954f70ab4016e1c44047af50707e283e83d9d79b8651e70ac 8840 libuv1_1.44.2-1+deb12u1_source.buildinfo
Files:
 24577671198dca02c1a0da01b977dd35 2029 libs optional libuv1_1.44.2-1+deb12u1.dsc
 c154b7548028901c9ad70d2adfa5dae2 1308776 libs optional libuv1_1.44.2.orig.tar.gz
 5767cebbb44a080de662a588a60cada2 21460 libs optional libuv1_1.44.2-1+deb12u1.debian.tar.xz
 335d3ed99956c306769bf1a81bf53d5c 8840 libs optional libuv1_1.44.2-1+deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEn3I5/LZk8Qsz6dwDwx9P2UmrK2wFAmXoo1IACgkQwx9P2Umr
K2x4yQ//d9/UFdrIW4zOHRGOCviDrSbVDYbkvYululPUpn3VmEkW0G1JXAf/IK4f
s9HPfQxCExtKE7CDyEOPQdmgT45I8nZ4HHHAfwWPJzSErLyxVx0Mf8sd8/v3VQga
mDa3czCAKw4m9fMrXszpGxhOj1s9D6stz8xbIoPTrVMAVg6/NBWmIjBCgGR/c6/N
LMamSn2UkrDx5N74QBtkToUCovMCC/CaGE8kCePIFjj1HyF6Bnd/dypySOqoTP7z
F57kYzGx0blSn7vDrTHUCA/kENL7gVgWHiL9xZrir9eEdo3q9YYOff53ghU1nLIs
5qOcnp7/dlAi2pblWrvNZOGB5ALpzC8V2Q9cNcZ4EitQxu+q7z0eGo9qIPVtRLLN
CkWhhhhv1P2xeDsVg2gf01gca4wnGanwBpK+6EKITT4OncOS8YQtMr12xV0h+hr9
sgwRANGYmIXPHdPqKCCwBfkJZwRypJwccHo92Px8AzLrhUwrMvld54J5zUBNUcmh
Fi8sdWXGWc0RDa3ZvUhp7d4UEg9IpLRamBCVF2TXWrNWXOIQy372okLcxlO7ufGT
/++q50/F0QmRASGZaPQih4sSdlAvHbk789FN4RH/9d+pxFUZ1hs0pZpfoFJvp8IA
JAOKtBBcIHBQWrl08Wd4CfXYxS2UUvnxIOaPInV0mlup6fPRkx4=
=ZSft
-----END PGP SIGNATURE-----
--- End Message ---