Your message dated Sun, 19 Nov 2017 22:47:09 +0000
with message-id <[email protected]>
and subject line Bug#877442: fixed in libofx 1:0.9.10-2+deb9u1
has caused the Debian Bug report #877442,
regarding libofx: CVE-2017-14731
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
877442: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877442
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libofx
Version: 1:0.9.11-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/libofx/libofx/issues/10

Hi,

the following vulnerability was published for libofx.

CVE-2017-14731[0]:
| ofx_proc_file in ofx_preproc.cpp in LibOFX 0.9.12 allows remote
| attackers to cause a denial of service (heap-based buffer over-read and
| application crash) via a crafted file, as demonstrated by an ofxdump
| call.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14731
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14731
[1] https://github.com/libofx/libofx/issues/10

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libofx
Source-Version: 1:0.9.10-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
libofx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dylan Aïssi <[email protected]> (supplier of updated libofx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Nov 2017 21:41:37 +0100
Source: libofx
Binary: libofx6 libofx-dev libofx-doc ofx
Architecture: source amd64 all
Version: 1:0.9.10-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Dylan Aïssi <[email protected]>
Changed-By: Dylan Aïssi <[email protected]>
Description:
 libofx-dev - development package for libofx6
 libofx-doc - documentation for libofx6
 libofx6    - library to support the Open Financial Exchange format
 ofx        - Open Financial Exchange programs
Closes: 875801 877442
Changes:
 libofx (1:0.9.10-2+deb9u1) stretch; urgency=medium
 .
   * Add upstream patches to fix:
     - CVE-2017-2816 (Closes: #875801).
     - CVE-2017-14731 (Closes: #877442).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
