Your message dated Tue, 24 Jun 2014 21:35:01 +0000
with message-id <[email protected]>
and subject line Bug#752497: fixed in gnupg 1.4.16-1.2
has caused the Debian Bug report #752497,
regarding gnupg: CVE-2014-4617: DoS due to garbled compressed data packets
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
752497: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752497
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gnupg
Version: 1.4.10-4
Severity: important
Tags: security upstream fixed-upstream

Hi

For reference in the BTS, gnupg 1.4.17 was released containing a fix
for a denial of service due to garbled compressed data packets[1].

 [1] http://lists.gnupg.org/pipermail/gnupg-announce/2014q2/000344.html
 [2] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=11fdfcf82bd8d2b5bc38292a29876e10770f4b0a

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: gnupg
Source-Version: 1.4.16-1.2

We believe that the bug you reported is fixed in the latest version of
gnupg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated gnupg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 24 Jun 2014 17:02:35 +0200
Source: gnupg
Binary: gnupg gnupg-curl gpgv gnupg-udeb gpgv-udeb gpgv-win32
Architecture: source all amd64
Version: 1.4.16-1.2
Distribution: unstable
Urgency: high
Maintainer: Debian GnuPG-Maintainers <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
 gnupg      - GNU privacy guard - a free PGP replacement
 gnupg-curl - GNU privacy guard - a free PGP replacement (cURL)
 gnupg-udeb - GNU privacy guard - a free PGP replacement (udeb)
 gpgv       - GNU privacy guard - signature verification tool
 gpgv-udeb  - minimal signature verification tool (udeb)
 gpgv-win32 - GNU privacy guard - signature verification tool (win32 build)
Closes: 752497
Changes:
 gnupg (1.4.16-1.2) unstable; urgency=high
 .
   * Non-maintainer upload with maintainers approval.
   * CVE-2014-4617: Avoid DoS due to garbled compressed data packets.
     Apply upstream commit to stop a possible DoS using garbled compressed
     data packets which can be used to put gpg into an infinite loop.
     (Closes: #752497)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
