Your message dated Tue, 24 Mar 2009 19:53:35 +0000
with message-id <[email protected]>
and subject line Bug#518468: fixed in psi 0.11-9
has caused the Debian Bug report #518468,
regarding CVE-2008-6393: possible DoS
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
518468: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518468
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: psi
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for psi.

CVE-2008-6393[0]:
| PSI Jabber client before 0.12.1 allows remote attackers to cause a
| denial of service (crash) and possibly execute arbitrary code via a
| file transfer request with a negative value in a SOCKS5 option, which
| bypasses a signed integer check and triggers an integer overflow and a
| heap-based buffer overflow.

The blog post[1] has some more information. At the moment, I guess the
security impact is fairly low and only results in a client DoS. Maybe
you could check this further, just to be sure?

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6393
    http://security-tracker.debian.net/tracker/CVE-2008-6393
[1] http://jolmos.blogspot.com/2008/12/psi-remote-integer-overflow.html



--- End Message ---
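The bug class the CVE text quoted above describes (a length field read as a signed int, compared only against an upper bound so that a negative value passes, then implicitly converted to size_t for the copy) sketched in C beside its hardened form. This is an added example, not psi's code or the upstream fix; the 4-byte big-endian length layout, OPTION_BUF_SIZE and every function name are assumptions made for the illustration, and the constructed messages do not model the real SOCKS5 encoding.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of the CVE-2008-6393 bug class (a signed length
 * check bypassed by a negative value). Layout, sizes and names are assumptions
 * for this example; this is not psi's actual code. */

#define OPTION_BUF_SIZE 256u

/* Decode a 4-byte big-endian field. The wire layout is constructed for the
 * example, not the real SOCKS5 option encoding. */
static uint32_t decode_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: the length lives in a signed int and only the upper
 * bound is checked, so every negative value "passes" the check. */
bool vulnerable_length_ok(int32_t len)
{
    if (len > (int32_t)OPTION_BUF_SIZE)
        return false;
    return true; /* len == -1 reaches here */
}

/* The byte count memcpy would receive after the implicit int -> size_t
 * conversion that follows the bypassed check: -1 becomes SIZE_MAX. */
size_t copy_len_after_conversion(int32_t len)
{
    return (size_t)len;
}

/* Hardened pattern: treat the field as unsigned and bound it by both the
 * destination buffer and the bytes actually present in the message. */
bool hardened_length_ok(uint32_t len, size_t dest_size, size_t bytes_available)
{
    return len <= dest_size && len <= bytes_available;
}

/* Parse one length-prefixed option into `out` using the hardened check.
 * Returns the number of bytes copied, or -1 if the message is rejected. */
int parse_option(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t out_size)
{
    if (msg_len < 4)
        return -1;
    uint32_t len = decode_be32(msg);
    if (!hardened_length_ok(len, out_size, msg_len - 4))
        return -1;
    memcpy(out, msg + 4, len); /* len is now provably <= out_size */
    return (int)len;
}

/* Constructed request: length field 0xFFFFFFFF followed by four payload bytes.
 * The hardened parser must reject it. */
int demo_parse_bad(void)
{
    const uint8_t bad[] = { 0xff, 0xff, 0xff, 0xff, 'a', 'b', 'c', 'd' };
    uint8_t buf[OPTION_BUF_SIZE];
    return parse_option(bad, sizeof bad, buf, sizeof buf);
}

/* Constructed well-formed request: length 4 followed by four bytes.
 * Returns 4 when the payload was copied intact, -2 otherwise. */
int demo_parse_good(void)
{
    const uint8_t good[] = { 0x00, 0x00, 0x00, 0x04, 'a', 'b', 'c', 'd' };
    uint8_t buf[OPTION_BUF_SIZE];
    int n = parse_option(good, sizeof good, buf, sizeof buf);
    return (n == 4 && memcmp(buf, "abcd", 4) == 0) ? n : -2;
}

int main(void)
{
    /* Reinterpreting 0xFFFFFFFF as int32_t yields -1 on two's-complement
     * targets, which is exactly what the vulnerable check sees. */
    int32_t signed_len = -1;
    printf("signed check passes for -1: %d\n", vulnerable_length_ok(signed_len));
    printf("memcpy length after conversion: %zu\n", copy_len_after_conversion(signed_len));
    printf("hardened parse of bad message: %d\n", demo_parse_bad());
    printf("hardened parse of good message: %d\n", demo_parse_good());
    return 0;
}
```

The defensive point is the second bound in hardened_length_ok: even an unsigned length that fits the destination buffer must also fit the bytes actually received, otherwise the copy reads past the message instead of writing past the buffer.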
--- Begin Message ---
Source: psi
Source-Version: 0.11-9

We believe that the bug you reported is fixed in the latest version of
psi, which is due to be installed in the Debian FTP archive:

psi_0.11-9.diff.gz
  to pool/main/p/psi/psi_0.11-9.diff.gz
psi_0.11-9.dsc
  to pool/main/p/psi/psi_0.11-9.dsc
psi_0.11-9_amd64.deb
  to pool/main/p/psi/psi_0.11-9_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Niehusmann <[email protected]> (supplier of updated psi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 09 Mar 2009 15:28:11 +0100
Source: psi
Binary: psi
Architecture: source amd64
Version: 0.11-9
Distribution: stable-security
Urgency: high
Maintainer: Jan Niehusmann <[email protected]>
Changed-By: Jan Niehusmann <[email protected]>
Description: 
 psi        - Jabber client using Qt
Closes: 518468
Changes: 
 psi (0.11-9) stable-security; urgency=high
 .
   * Fix for CVE-2008-6393, taken from upstream git repository.
     This fixes a remote DoS vulnerability found and reported
     by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
     The original advisory is available at:
     http://www.securityfocus.com/archive/1/499563
     (Closes: Bug#518468)
Checksums-Sha1: 
 aa6f538a01c37a430380806fb56a92b63a4e87eb 1010 psi_0.11-9.dsc
 05c5ca9c7b75f182c19e1de9456a87d8221f92c6 2315401 psi_0.11.orig.tar.gz
 0bef5109bd6b01bf3ab95d2346aeacf577c517ea 11710 psi_0.11-9.diff.gz
 51208828839003126ac40fc5d280ee549361bc78 2791050 psi_0.11-9_amd64.deb
Checksums-Sha256: 
 944d4fca8c52dde8e5b729928a793abbc2fdbe6ec434702fc4ff1cbb24d592ed 1010 psi_0.11-9.dsc
 a7f44285e27f60fd76d086239fd19c1d2bc562aee97f1021bf2466f52c54f2e5 2315401 psi_0.11.orig.tar.gz
 8f0384b05ec022e7f207084416307d31e7c9206ec03b222a98df43574c6e23e1 11710 psi_0.11-9.diff.gz
 ff366f7e5b2f35f7618aca15f606255b917b31fce8dd684dfc919f852a5f87d7 2791050 psi_0.11-9_amd64.deb
Files: 
 ebc7d52229204de80bd31de70c7f7c59 1010 net optional psi_0.11-9.dsc
 637941349f1c28ed88242d7e3e5abcbc 2315401 net optional psi_0.11.orig.tar.gz
 d2c26bc079fc6a2661f3a23cc90d34e7 11710 net optional psi_0.11-9.diff.gz
 5787e7983a52abfa5fdfa9433d0f8cee 2791050 net optional psi_0.11-9_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkm1cRQACgkQXm3vHE4uylqPHwCgt0ubV1Yx7M5EvKhLc6TQ9WHu
H04AnjW5SvBRRvZr1OC5xMgHD0gMB4xD
=/w0m
-----END PGP SIGNATURE-----



--- End Message ---