Your message dated Fri, 20 Sep 2019 22:19:48 +0000
with message-id <e1ibrfk-000b48...@fasolo.debian.org>
and subject line Bug#939868: fixed in slirp4netns 0.4.1-1
has caused the Debian Bug report #939868,
regarding slirp4netns: CVE-2019-15890
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
939868: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939868
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: slirp4netns
Version: 0.3.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: clone -1 -2
Control: reassign -2 src:qemu 1:4.1-1
Control: retitle -2 qemu: CVE-2019-15890

Hi,

The following vulnerability was published for slirp4netns.

CVE-2019-15890[0]:
| libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in
| ip_reass in ip_input.c.

I'm filing this with higher severity than you probably would have
expected, but for buster and older I guess we can follow this as
no-dsa and schedule fixes via point releases or include in future
DSAs. As unprivileged user namespaces are not enabled by default the
former holds surely for slirp4netns itself. The bug is cloned as well
for qemu.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-15890
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15890
[1] https://www.openwall.com/lists/oss-security/2019/09/06/3
[2] https://gitlab.freedesktop.org/slirp/libslirp/commit/c59279437eda91841b9d26079c70b8a540d41204

Please adjust the affected versions in the BTS as needed, only looked
at the respective unstable versions.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: slirp4netns
Source-Version: 0.4.1-1

We believe that the bug you reported is fixed in the latest version of
slirp4netns, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 939...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siret...@tauware.de> (supplier of updated slirp4netns package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 20 Sep 2019 07:58:27 -0400
Source: slirp4netns
Architecture: source
Version: 0.4.1-1
Distribution: unstable
Urgency: medium
Maintainer: Reinhard Tartler <siret...@tauware.de>
Changed-By: Reinhard Tartler <siret...@tauware.de>
Closes: 939868
Changes:
 slirp4netns (0.4.1-1) unstable; urgency=medium
 .
   * New upstream version 0.4.1
     - Support specifying netns path (slirp4netns --netns-type=path PATH TAPNAME)
     - Support specifying --userns-path
     - Vendor https://gitlab.freedesktop.org/slirp/libslirp (QEMU v4.1+)
     - Bring up loopback device when --configure is specified
     - Support sandboxing by creating a mount namespace (--enable-sandbox)
     - libslirp: Fix heap overflow (Fixes: CVE-2019-14378)
     - Support seccomp (--enable-seccomp)
     - libslirp: Fix use-after-free (Fixes CVE-2019-15890, Closes: #939868)
Checksums-Sha1:
 0568720c7b7a444500227147d14a9a5a5d0feba7 2014 slirp4netns_0.4.1-1.dsc
 02c890bc45bc3662d5f05a2f31e3ecedb03997e1 168785 slirp4netns_0.4.1.orig.tar.gz
 f67a2d9c86ec2f4dd071b82e7d237df96e4475a3 4808 slirp4netns_0.4.1-1.debian.tar.xz
Checksums-Sha256:
 848f486d9e1ac03106df04f9a500a11b0337774368ff93aec10cb73c95b724bb 2014 slirp4netns_0.4.1-1.dsc
 75d2a7411cc2b3e341d8530228750bb1db06077b349d10fbdddbb582c27f8cfc 168785 slirp4netns_0.4.1.orig.tar.gz
 76f246c836b4d3304512a834c0ad386523323898e61cae9238c53db769d2bd76 4808 slirp4netns_0.4.1-1.debian.tar.xz
Files:
 d92ac459f597c3ad29ed7631da11f51d 2014 misc optional slirp4netns_0.4.1-1.dsc
 2511da14fcacff3a4c5d6c501f04e20b 168785 misc optional slirp4netns_0.4.1.orig.tar.gz
 4e4b207f1301a78dd0e470effd53a4d3 4808 misc optional slirp4netns_0.4.1-1.debian.tar.xz


--- End Message ---
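The .changes message above publishes the SHA-256 digests and sizes of the three source artifacts of slirp4netns 0.4.1-1. As an added example (not Debian's own tooling, which is dscverify/debsign, and not part of the bug report), the following Python parses a Checksums-Sha256 stanza of that shape and checks a set of in-memory files against it. The stanza embedded below is constructed from the page's own digests; the parse_checksums_sha256 and verify_files names are this example's own.

```python
import hashlib
import re

# Constructed sample modelled on the Checksums-Sha256 stanza of the
# slirp4netns 0.4.1-1 .changes message (the digests are the page's own).
SAMPLE_CHANGES = """\
Format: 1.8
Source: slirp4netns
Version: 0.4.1-1
Checksums-Sha256:
 848f486d9e1ac03106df04f9a500a11b0337774368ff93aec10cb73c95b724bb 2014 slirp4netns_0.4.1-1.dsc
 75d2a7411cc2b3e341d8530228750bb1db06077b349d10fbdddbb582c27f8cfc 168785 slirp4netns_0.4.1.orig.tar.gz
 76f246c836b4d3304512a834c0ad386523323898e61cae9238c53db769d2bd76 4808 slirp4netns_0.4.1-1.debian.tar.xz
Files:
 d92ac459f597c3ad29ed7631da11f51d 2014 misc optional slirp4netns_0.4.1-1.dsc
"""

# One stanza entry: a single leading space, 64 hex digits, size, file name.
_ENTRY = re.compile(r"^ ([0-9a-f]{64}) (\d+) (\S+)$")


def parse_checksums_sha256(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 stanza.

    Only the indented continuation lines directly under the
    'Checksums-Sha256:' field are taken; the next unindented field
    (e.g. 'Files:') ends the stanza, so MD5 entries never leak in.
    """
    entries = {}
    in_stanza = False
    for line in changes_text.splitlines():
        if line == "Checksums-Sha256:":
            in_stanza = True
            continue
        if in_stanza:
            if not line.startswith(" "):
                break  # next field: stanza is over
            m = _ENTRY.match(line)
            if not m:
                raise ValueError("malformed Checksums-Sha256 line: %r" % line)
            digest, size, name = m.groups()
            entries[name] = (digest, int(size))
    return entries


def verify_files(expected, files):
    """Check each listed file's SHA-256 digest and size against the stanza.

    expected: output of parse_checksums_sha256
    files:    {filename: bytes} (constructed in memory here; on a real
              system these would be read from disk)
    Returns {filename: True/False}. A file named in the stanza but absent
    from `files` counts as a failure; files not named in the stanza are
    ignored, since the stanza says nothing about them.
    """
    results = {}
    for name, (digest, size) in expected.items():
        data = files.get(name)
        if data is None:
            results[name] = False
            continue
        actual = hashlib.sha256(data).hexdigest()
        results[name] = (actual == digest and len(data) == size)
    return results


if __name__ == "__main__":
    for name, (digest, size) in parse_checksums_sha256(SAMPLE_CHANGES).items():
        print(name, size, digest)
```

Note that a matching digest only ties the artifact to this stanza; the stanza itself is trusted because the whole .changes message carried a PGP signature from the uploader, which is why the signature check (what dscverify does) has to come before the digest check rather than after it.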
