Your message dated Mon, 09 Mar 2009 21:19:50 +0000
with message-id <[email protected]>
and subject line Bug#518468: fixed in psi 0.12.1-1
has caused the Debian Bug report #518468,
regarding CVE-2008-6393: possible DoS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
518468: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518468
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: psi
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for psi.

CVE-2008-6393[0]:
| PSI Jabber client before 0.12.1 allows remote attackers to cause a
| denial of service (crash) and possibly execute arbitrary code via a
| file transfer request with a negative value in a SOCKS5 option, which
| bypasses a signed integer check and triggers an integer overflow and a
| heap-based buffer overflow.

The blog post[1] has some more information. At the moment, I guess the
security impact is fairly low and only results in a client DoS. Maybe
you could check this further, just to be sure?

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6393
    http://security-tracker.debian.net/tracker/CVE-2008-6393
[1] http://jolmos.blogspot.com/2008/12/psi-remote-integer-overflow.html



--- End Message ---
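The CVE text above describes a signed-integer length check that a negative value slips past, followed by an integer overflow and a heap overflow. The C below is an added illustration of that defect class and its mitigation; it is not Psi's code and does not appear in either message. The message layout (a 4-byte big-endian length prefix), the FIELD_MAX limit, the value -10 and all function and sample names are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a fixed-size destination for one
 * variable-length, length-prefixed field. Not Psi's real limit. */
#define FIELD_MAX 256

/* Vulnerable pattern (CWE-195 style): the wire length is held in a signed
 * int and only its upper bound is checked. A negative value such as -10
 * passes "len > FIELD_MAX"; if the code then sizes an allocation from
 * len + header (small) but hands (size_t)len (enormous) to memcpy, the
 * copy runs far past the heap block. This function only reports whether
 * the check accepts the value; it never allocates or copies anything. */
static bool weak_length_check_accepts(int32_t len)
{
    if (len > FIELD_MAX)
        return false;
    return true;                     /* -10 reaches here */
}

/* The byte count the vulnerable pattern would pass to memcpy once the
 * sign is lost. Pure arithmetic, no memory is touched. */
static size_t weak_copy_size(int32_t len)
{
    return (size_t)len;              /* -10 -> SIZE_MAX - 9 */
}

/* Hardened check: reject negatives explicitly before any arithmetic. */
static bool strict_length_check_accepts(int32_t len)
{
    return len >= 0 && len <= FIELD_MAX;
}

/* Hardened parser for the constructed layout:
 *   [4-byte big-endian length][length bytes of payload]
 * The length is decoded straight into an unsigned type, so there is no
 * sign to lose, and the payload must fit both the buffer and the message.
 * Returns bytes copied, or -1 if the message is malformed. */
static int read_field(const uint8_t *msg, size_t msg_len, uint8_t out[FIELD_MAX])
{
    if (msg_len < 4)
        return -1;
    uint32_t len = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
                   ((uint32_t)msg[2] << 8)  |  (uint32_t)msg[3];
    if (len > FIELD_MAX)             /* 0xFFFFFFF6 (-10 as int32) is rejected here */
        return -1;
    if (len > msg_len - 4)           /* declared payload larger than the message */
        return -1;
    memcpy(out, msg + 4, len);
    return (int)len;
}

/* Convenience wrapper with its own destination buffer. */
static int read_field_len(const uint8_t *msg, size_t msg_len)
{
    uint8_t out[FIELD_MAX];
    return read_field(msg, msg_len, out);
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t SAMPLE_OK[]        = {0x00, 0x00, 0x00, 0x04, 'a', 'b', 'c', 'd'};
static const uint8_t SAMPLE_NEGATIVE[]  = {0xFF, 0xFF, 0xFF, 0xF6, 'a', 'b', 'c', 'd'}; /* length -10 */
static const uint8_t SAMPLE_TRUNCATED[] = {0x00, 0x00, 0x00, 0x64, 'a', 'b', 'c', 'd'}; /* claims 100 */

int main(void)
{
    printf("weak check accepts -10:   %d\n", weak_length_check_accepts(-10));
    printf("strict check accepts -10: %d\n", strict_length_check_accepts(-10));
    printf("ok message:        %d\n", read_field_len(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("negative length:   %d\n", read_field_len(SAMPLE_NEGATIVE, sizeof SAMPLE_NEGATIVE));
    printf("truncated payload: %d\n", read_field_len(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The two hardened variants show the same rule from both sides: either refuse negatives before the value is used, or never read the wire length into a signed type in the first place. The second bound in read_field (payload must fit inside the received message) is what keeps a truthful-looking but oversized length from reading past the input.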
--- Begin Message ---
Source: psi
Source-Version: 0.12.1-1

We believe that the bug you reported is fixed in the latest version of
psi, which is due to be installed in the Debian FTP archive:

psi_0.12.1-1.diff.gz
  to pool/main/p/psi/psi_0.12.1-1.diff.gz
psi_0.12.1-1.dsc
  to pool/main/p/psi/psi_0.12.1-1.dsc
psi_0.12.1-1_i386.deb
  to pool/main/p/psi/psi_0.12.1-1_i386.deb
psi_0.12.1.orig.tar.gz
  to pool/main/p/psi/psi_0.12.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Niehusmann <[email protected]> (supplier of updated psi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 09 Mar 2009 18:31:53 +0100
Source: psi
Binary: psi
Architecture: source i386
Version: 0.12.1-1
Distribution: unstable
Urgency: high
Maintainer: Jan Niehusmann <[email protected]>
Changed-By: Jan Niehusmann <[email protected]>
Description: 
 psi        - Jabber client using Qt
Closes: 504644 518468
Changes: 
 psi (0.12.1-1) unstable; urgency=high
 .
   * New Upstream Version
     This fixes remote DoS vulnerability CVE-2008-6393 found and reported
     by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
     The original advisory is available at:
     http://www.securityfocus.com/archive/1/499563
     (Closes: Bug#518468)
   * Depend on qt << 4.5.0 as psi needs some patches to work with qt 4.5
   * Psi currently doesn't handle missing ssl plugin gracefully. Therefore,
     depend on libqca2-plugin-ossl instead of only recommending it.
     (Closes: Bug#504644)
Checksums-Sha1: 
 cd13a3ce23ed4090cccd938604dae481f04ab6cd 1207 psi_0.12.1-1.dsc
 9663d3f68e252da0762a9cc4059023fba0b28974 2504019 psi_0.12.1.orig.tar.gz
 5a7983bbd5009f4e56eaf27800ce59194f2d9d58 10781 psi_0.12.1-1.diff.gz
 78ae448f1041a6cd14e8de339981462706362de0 2908170 psi_0.12.1-1_i386.deb
Checksums-Sha256: 
 29d6946b0ad7e90531a4336a8fb069c674cc16d47e917c7759fa8a472697b629 1207 psi_0.12.1-1.dsc
 3e0a1f0e01c3140b0f84c4553aeb41721f2e6ae3e6c9793eca75e47ab975b497 2504019 psi_0.12.1.orig.tar.gz
 371174557c75293600bcdaa7b34c95dc1a21e0a2a5713d50c2f6d1533ef38cdd 10781 psi_0.12.1-1.diff.gz
 54e9187a1ca11302ce5ac55e55cf53bfa05746bc7032e062849ad752ca66b7de 2908170 psi_0.12.1-1_i386.deb
Files: 
 f69dcdc49bcce922707e5aaca82a65bc 1207 net optional psi_0.12.1-1.dsc
 8b98247aed1ec126dfe47c15cf6c0230 2504019 net optional psi_0.12.1.orig.tar.gz
 f201e97ea5a6ca0f23e15bb34ba647ed 10781 net optional psi_0.12.1-1.diff.gz
 4221ee4975f1fe55c0d6f2968baf1d42 2908170 net optional psi_0.12.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iJwEAQECAAYFAkm1foMACgkQgUvx9im0397LFgP9FGQVUUQ5t2U7ZEw4/afC6WTj
LLjuLIJrdfcTwY4rYZ2xdc5UhRVi/rVAWKLHC/zyfXnU9aABvN2tUuwyRuv64ErK
QUq/e+PwUhM3ko4ZPv3oVh/yRfM/WeUWdLCOoVyfJcXcBXVnfMW31SdlqeYdzDmG
RJw0kt+df6jbwtz1uXQ=
=eU2x
-----END PGP SIGNATURE-----



--- End Message ---
