Your message dated Wed, 17 Apr 2024 12:34:24 +0000
with message-id <e1rx4ua-00ebxw...@fasolo.debian.org>
and subject line Bug#1068457: fixed in azure-uamqp-python 1.6.9-2
has caused the Debian Bug report #1068457,
regarding azure-uamqp-python: CVE-2024-29195
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1068457: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068457
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: azure-uamqp-python
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for azure-uamqp-python.

CVE-2024-29195[0]:
| The azure-c-shared-utility is a C library for AMQP/MQTT
| communication to Azure Cloud Services. This library may be used by
| the Azure IoT C SDK for communication between IoT Hub and IoT Hub
| devices. An attacker can cause an integer wraparound or
| under-allocation or heap buffer overflow due to vulnerabilities in
| the parameter checking mechanism, by exploiting the buffer length
| parameter in Azure C SDK, which may lead to remote code execution.
| Requirements for RCE are 1. Compromised Azure account allowing
| malformed payloads to be sent to the device via IoT Hub service, 2.
| Bypassing IoT hub service max message payload limit of 128KB, and
| 3. Ability to overwrite code space with remote code. Fixed in commit
| https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2.

https://github.com/Azure/azure-c-shared-utility/security/advisories/GHSA-m8wp-hc7w-x4xg
https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29195
    https://www.cve.org/CVERecord?id=CVE-2024-29195

Please adjust the affected versions in the BTS as needed.

--- End Message ---
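The bug class the advisory describes, an untrusted buffer length feeding an allocation size without a wraparound check, is illustrated below together with the kind of guard an "add malloc size checks" fix introduces. This is an added example in C, not code from azure-c-shared-utility or the upstream patch; HEADER_LEN, MAX_PAYLOAD, the function names and the use of the 128 KB figure as a local policy cap are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical frame header size; a constructed value for this example. */
#define HEADER_LEN 16u
/* Policy cap on a single payload; the 128 KB figure is the IoT Hub limit the
   advisory mentions, reused here as an assumed upper bound. */
#define MAX_PAYLOAD (128u * 1024u)

/* Size the buggy pattern hands to malloc: HEADER_LEN + len with no check.
   For len close to SIZE_MAX the sum wraps to a tiny number, malloc succeeds,
   and a later copy of 'len' bytes runs off the end of the heap block. */
size_t unchecked_frame_size(size_t payload_len) {
    return payload_len + HEADER_LEN;
}

/* Hardened size computation: returns 0 (never a valid size here) when the
   length exceeds policy or the addition would wrap around. */
size_t checked_frame_size(size_t payload_len) {
    if (payload_len > MAX_PAYLOAD) return 0;
    if (payload_len > SIZE_MAX - HEADER_LEN) return 0;   /* wraparound guard */
    return payload_len + HEADER_LEN;
}

/* Same guard for array-style allocations (count * element size). */
size_t checked_array_size(size_t count, size_t elem) {
    if (elem != 0 && count > SIZE_MAX / elem) return 0;
    return count * elem;
}

/* Allocate a frame buffer, copy a constructed header and the payload into it,
   and report whether the length was accepted. Returns 1 on success, 0 when
   the length was rejected (no allocation happens in that case). */
int build_frame(const unsigned char *payload, size_t payload_len) {
    size_t total = checked_frame_size(payload_len);
    if (total == 0) return 0;
    unsigned char *buf = malloc(total);
    if (buf == NULL) return 0;
    memset(buf, 0xAA, HEADER_LEN);                /* constructed header bytes */
    memcpy(buf + HEADER_LEN, payload, payload_len);
    free(buf);
    return 1;
}
```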
--- Begin Message ---
Source: azure-uamqp-python
Source-Version: 1.6.9-2
Done: Thomas Goirand <z...@debian.org>

We believe that the bug you reported is fixed in the latest version of
azure-uamqp-python, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1068...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated azure-uamqp-python 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Wed, 17 Apr 2024 14:08:51 +0200
Source: azure-uamqp-python
Architecture: source
Version: 1.6.9-2
Distribution: unstable
Urgency: high
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Closes: 1068457
Changes:
 azure-uamqp-python (1.6.9-2) unstable; urgency=high
 .
   * Team upload.
   * CVE-2024-29195: An attacker can cause an integer wraparound or under-
     allocation or heap buffer overflow due to vulnerabilities in parameter
     checking mechanism, by exploiting the buffer length parameter in Azure C
     SDK, which may lead to remote code execution. Applied upstream patch:
     CVE-2024-29195_Add-malloc-size-checks.patch (Closes: #1068457).



--- End Message ---