Your message dated Sat, 14 Feb 2015 22:18:30 +0000
with message-id <[email protected]>
and subject line Bug#778409: fixed in vigor 0.016-24
has caused the Debian Bug report #778409,
regarding Henry Spencer regular expressions (regex) library contains a heap overflow vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
778409: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778409
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: vigor
Severity: important
Tags: security patch

The security team received a report from the CERT Coordination Center that the 
Henry Spencer regular expressions (regex) library contains a heap overflow 
vulnerability. It looks like this package includes the affected code, and that's 
the reason for this bug report.

The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c

Please, can you confirm if the binary packages are affected? Are stable and 
testing affected?

More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/

A CVE id has been requested already and the report will be updated with it 
eventually.

Cheers, luciano

--- End Message ---
--- Begin Message ---
Source: vigor
Source-Version: 0.016-24

We believe that the bug you reported is fixed in the latest version of
vigor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated vigor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 14 Feb 2015 21:17:07 +0000
Source: vigor
Binary: vigor
Architecture: source
Version: 0.016-24
Distribution: unstable
Urgency: medium
Maintainer: Colin Watson <[email protected]>
Changed-By: Colin Watson <[email protected]>
Description:
 vigor      - nvi with the evil paperclip
Closes: 778409
Changes:
 vigor (0.016-24) unstable; urgency=medium
 .
   * Update Vcs-Browser URL for alioth cgit.
   * Use libc's regex routines rather than the bundled ones, to avoid needing
     to apply security patches independently (closes: #778409).
Checksums-Sha1:
 e4799582b85e9e48152695faa1d3329d21f078f8 1973 vigor_0.016-24.dsc
 9e98e3edd11098156589ed2df562169131d96b82 27828 vigor_0.016-24.debian.tar.xz
Checksums-Sha256:
 19d0e282645c2dfdc2449a68ce646dad8f9c40ce1cdf8d31af7e8308fa03e463 1973 vigor_0.016-24.dsc
 6d34bb78074cd2578859afc90634bcfb4514ce72561394fe62a6b536d714f284 27828 vigor_0.016-24.debian.tar.xz
Files:
 7458e39bc017875d7c67bda54af676e6 1973 editors extra vigor_0.016-24.dsc
 880afe1db94a5fd599bb7501c801591b 27828 editors extra vigor_0.016-24.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Colin Watson <[email protected]> -- Debian developer

iQIVAwUBVN/FaDk1h9l9hlALAQg/OQ//WL73jWOWVOYURGMkwi8W+o4IxRuYUsCs
dsQnNi9z/IJuZ9UU5UY1VpCDEFbVLYDdLDlNrCiSgWONBssfsMzmb+13so88JJY/
za74XR/xnW3skzYY9GrPTBRg+SZkGUpCskufxWjhD9RLCQKE8Q/iSctWiFvwjVtS
Msdh+slZ1txKMRLXdQEbxKElI6dItrvhXDe8j8pNVWCf9rpuOKgqsivEou9aWCal
24lNUy1pRaZNB5EYBLFpjh0ZiKB0lamd8TkcIN54CX6D89I5iGmsxvuTAvLGqo2P
SCZ5+jXgltzERmzpv1nUannmZ8cBbAXEAkE1g4hwDexxTLuOa9N8JYDiWVi3Twlq
4pD0pi2+eUq+C/M9y1x7BKh9ia6SdOnvquYSVmFhGfVrUlybm/Mk8ZBOaT5iZV6I
kfeSrsBtYBSgp/7dKqNkbm+TiRX+DPcapB7QnVm2wkzFoKDThAYl2q+LATjbmn+d
KcbfVaeFkyMLS+ZO91Wwim2h9quGBcMGo8uG4foqN+AloWPshbvmqRv9dDYyEIPk
wvAH+PFGSjh4EsMw9LPX7DpOcqYYqJrgNobwCchLiap0ifGpU3+4z9kH9/GyP+tc
ta6yA1qZOu2d6X+mZVogW8BWC1fpRqDm4ZmULhKFqYn23dm8zioXXZegerx7+3ZX
x4V1gbymkLY=
=fwyC
-----END PGP SIGNATURE-----

--- End Message ---