Your message dated Tue, 02 Dec 2014 09:20:39 +0000
with message-id <e1xvjdp-0001bu...@franck.debian.org>
and subject line Bug#770918: fixed in flac 1.3.1-1
has caused the Debian Bug report #770918,
regarding flac: CVE-2014-8962/CVE-2014-9028: heap buffer overflows
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
770918: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770918
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: flac
Version: 1.3.0-2+b1
Severity: serious
Tags: security

From: http://lists.xiph.org/pipermail/flac-dev/2014-November/005226.html

> Google Security Team member, Michele Spagnuolo, recently found two potential
> problems in the FLAC code base. They are:
> 
>     CVE-2014-9028 : Heap buffer write overflow
>     CVE-2014-8962 : Heap buffer read overflow
> 
> For Linux distributions, the specific fixes for these two CVEs are available
> from Git here:
> 
>     https://git.xiph.org/?p=flac.git;a=commit;h=fcf0ba06ae12ccd7c67cee3c8d948df15f946b85
>     https://git.xiph.org/?p=flac.git;a=commit;h=5b3033a2b355068c11fe637e14ac742d273f076e
> 
> and are simple enough that they should apply cleanly to the last official
> release 1.3.0 and possibly even the previous one, 1.2.1.
> 
> A pre-release (version 1.3.1pre1) for the next version which includes these
> fixes and more is available here:
> 
>     http://downloads.xiph.org/releases/flac/beta/
> 
> A full release (version 1.3.1) will be available in the next couple of days.


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (500, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.17-rc5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_AU.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages flac depends on:
ii  libc6     2.19-13
ii  libflac8  1.3.0-2+b1

flac recommends no packages.

flac suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: flac
Source-Version: 1.3.1-1

We believe that the bug you reported is fixed in the latest version of
flac, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 770...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Greffrath <fabian+deb...@greffrath.com> (supplier of updated flac package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 01 Dec 2014 18:32:57 +0100
Source: flac
Binary: flac libflac8 libflac-doc libflac-dev libflac++6 libflac++-dev
Architecture: source amd64 all
Version: 1.3.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Fabian Greffrath <fabian+deb...@greffrath.com>
Description:
 flac       - Free Lossless Audio Codec - command line tools
 libflac++-dev - Free Lossless Audio Codec - C++ development library
 libflac++6 - Free Lossless Audio Codec - C++ runtime library
 libflac-dev - Free Lossless Audio Codec - C development library
 libflac-doc - Free Lossless Audio Codec - library documentation
 libflac8   - Free Lossless Audio Codec - runtime C library
Closes: 770918
Changes:
 flac (1.3.1-1) experimental; urgency=medium
 .
   [ Jackson Doak ]
   * Disable silent rules
   * Enable hardening
   * Add symbols files
 .
   [ Fabian Greffrath ]
   * Adapt debian/watch file to reflect actual upstream versioning scheme.
   * Imported Upstream version 1.3.1
     + Fixes CVE-2014-8962 and CVE-2014-9028 (Closes: #770918).
     + Support for 3DNOW! optimizations has been removed.
     + Localized RU documentation has been removed.
   * Drop patches applied upstream.
   * Backport patch from upstream GIT to fix another input validation bug.
   * Fix "privacy-breach-logo" and "privacy-breach-w3c-valid-html"
     lintian errors.
   * In debian/rules, remove the "override_dh_makeshlibs" rule
     for the symbols files to have effect.
   * Update, improve and convert debian/copyright to machine-readable format.
   * Bump Standards-Version to 3.9.6.


--- End Message ---