Your message dated Fri, 08 Mar 2019 11:20:15 +0000
with message-id <[email protected]>
and subject line Bug#923874: fixed in libu2f-host 1.1.9-1
has caused the Debian Bug report #923874,
regarding libu2f-host: CVE-2019-9578
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
923874: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923874
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libu2f-host
Version: 1.1.7-1
Severity: important
Tags: patch security upstream

Hi,

The following vulnerability was published for libu2f-host.

CVE-2019-9578[0]:
| In devs.c in Yubico libu2f-host before 1.1.8, the response to init is
| misparsed, leaking uninitialized stack memory back to the device.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9578
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9578
[1] https://github.com/Yubico/libu2f-host/commit/e4bb58cc8b6202a421e65f8230217d8ae6e16eb5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libu2f-host
Source-Version: 1.1.9-1

We believe that the bug you reported is fixed in the latest version of
libu2f-host, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas Braud-Santoni <[email protected]> (supplier of updated libu2f-host package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 Mar 2019 11:59:52 +0100
Source: libu2f-host
Architecture: source
Version: 1.1.9-1
Distribution: unstable
Urgency: high
Maintainer: Debian Authentication Maintainers <[email protected]>
Changed-By: Nicolas Braud-Santoni <[email protected]>
Closes: 892779 921818 923874
Changes:
 libu2f-host (1.1.9-1) unstable; urgency=high (security fix)
 .
   * New upstream version 1.1.9
     + Fix CVE-2019-9578 (Closes: #923874)
       libu2f-host previously leaked uninitialized stack memory to the device
     + Provide udev rules that work for systemd and SysV init (Closes: #892779)
     + Add a new product id for the JaCarta U2F devices, in udev rules
 .
   * debian/libu2f-udev.postinst: Do not display udevadm commands
     Closes: #921818
 .
   * debian/copyright: Update copyright lines

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
