[Bug 1866113] Re: CVE-2019-16235, CVE-2019-16236, CVE-2019-16237
This bug was fixed in the package dino-im - 0.0.git20180130-1ubuntu0.1

---
dino-im (0.0.git20180130-1ubuntu0.1) bionic-security; urgency=high

  * Cherry pick upstream security fixes (LP: #1866113)
    - SECURITY UPDATE: Fix check of source of a carbons message (CVE-2019-16235)
    - SECURITY UPDATE: Check roster push authorization (CVE-2019-16236)
    - SECURITY UPDATE: Fix check of source of MAM message (CVE-2019-16237)
  * Accept IV sizes of 12 in addition to 16 to enable reading messages sent
    from clients using 12-byte IVs again (LP: #1866115)

 -- Julian Andres Klode Wed, 04 Mar 2020 15:20:07 +0100

** Changed in: dino-im (Ubuntu Bionic)
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1866113

Title:
  CVE-2019-16235, CVE-2019-16236, CVE-2019-16237

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dino-im/+bug/1866113/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1866113] Re: CVE-2019-16235, CVE-2019-16236, CVE-2019-16237
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-16235

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-16236

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-16237
[Bug 1866113] Re: CVE-2019-16235, CVE-2019-16236, CVE-2019-16237
I have installed dino-im from the PPA and tested:

- Group chat
- Catching up with history
- Verification for bug #1866115

Everything seems to work fine.
[Bug 1866113] Re: CVE-2019-16235, CVE-2019-16236, CVE-2019-16237
You can find it built here:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

** Changed in: dino-im (Ubuntu Bionic)
       Status: New => In Progress
[Bug 1866113] Re: CVE-2019-16235, CVE-2019-16236, CVE-2019-16237
** Changed in: dino-im (Ubuntu)
       Status: New => Fix Released
[Bug 1866113] Re: CVE-2019-16235, CVE-2019-16236, CVE-2019-16237
** Patch added: "dino-im_0.0.git20180130-1ubuntu18.04.1.diff"
   https://bugs.launchpad.net/ubuntu/+source/dino-im/+bug/1866113/+attachment/5333617/+files/dino-im_0.0.git20180130-1ubuntu18.04.1.diff
[Bug 1866113] Re: CVE-2019-16235, CVE-2019-16236, CVE-2019-16237
Compiled in autopkgtest, installed into lxd container, and tested with the test case for bug 1866115 - which this also includes.

The goal is to build in security, push to proposed to SRU verification, and then push to -security, as we need to get the IV acceptance change out fairly quickly so later dino versions can switch to sending 12-byte IVs w/o breaking compat with bionic users.

Afterwards I'll try to SRU dino 0.1.0 stable release as that includes a ton more (mostly) fixes.