Your message dated Tue, 21 May 2019 12:03:48 +0000
with message-id <[email protected]>
and subject line Bug#900182: fixed in libsass 3.5.5-3
has caused the Debian Bug report #900182,
regarding libsass: CVE-2018-11499: heap use-after-free
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
900182: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900182
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsass
Version: 3.4.8-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for libsass.
CVE-2018-11499[0]:
| A use-after-free vulnerability exists in handle_error() in
| sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be
| leveraged to cause a denial of service (application crash) or possibly
| unspecified other impact.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-11499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11499
[1] https://github.com/sass/libsass/issues/2643
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libsass
Source-Version: 3.5.5-3
We believe that the bug you reported is fixed in the latest version of
libsass, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <[email protected]> (supplier of updated libsass package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 21 May 2019 13:32:29 +0200
Source: libsass
Architecture: source
Version: 3.5.5-3
Distribution: unstable
Urgency: high
Maintainer: Debian Sass team <[email protected]>
Changed-By: Jonas Smedegaard <[email protected]>
Closes: 900182
Changes:
libsass (3.5.5-3) unstable; urgency=high
.
* Add patches cherry-picked upstream
to fix heap-buffer-overflow and heap-use-after-free security bugs.
Thanks to Xavier Guimard. Closes: Bug#900182.
CVE-2018-11499 CVE-2018-19827 CVE-2019-6283 CVE-2019-6284 CVE-2019-6286.
* Set urgency=high due to security bugfixes.
Checksums-Sha1:
582f6816b6d69ab322c24310b8d560316b734ddb 2142 libsass_3.5.5-3.dsc
5551d557835febb2cef26aa54a690ebcc7a80ea9 8996 libsass_3.5.5-3.debian.tar.xz
3cc8f01f537d560cf9fe37995aa3f94ea299eb31 6283 libsass_3.5.5-3_amd64.buildinfo
Checksums-Sha256:
9474eefcdfd0c845f2fdf96bf788aecd1be78751de4886fa793b394a38793256 2142 libsass_3.5.5-3.dsc
bdcb15c5a97a262fb729e1668de1d505fa934fc9be74c06eb465fd6ed2f7c565 8996 libsass_3.5.5-3.debian.tar.xz
949a45785cc2ab1a572e96ebba9ec34e32ae9c771a49a9fe968eb6497417bd49 6283 libsass_3.5.5-3_amd64.buildinfo
Files:
8fc8305036252929bfc4efc8f1f63eac 2142 libs optional libsass_3.5.5-3.dsc
35970b647627ca6bea42f36fb47f2f4a 8996 libs optional libsass_3.5.5-3.debian.tar.xz
22e268275ce4ab08020a00ecd6d6ab87 6283 libs optional libsass_3.5.5-3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
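The signed .changes file above carries SHA-256 digests and sizes for the three source artifacts of libsass 3.5.5-3, which is how a consumer of the upload confirms that what they fetched is what Jonas signed. The following is an added example, not part of the bug report or of Debian's own tooling (dscverify, debsign, dak): it parses the Checksums-Sha256 and Files stanzas of a .changes text, cross-checks the two stanzas against each other, and decides integrity on SHA-256 plus size only, never on the legacy MD5 column. The sample .changes text is constructed: the libsass entries are copied from the signature block above, and "example.txt" is an extra entry whose content ("abc") is embedded so the check can run offline. It assumes the PGP signature on the .changes has already been verified out of band; without that step the digests bind nothing.

```python
"""Verify Debian upload artifacts against the Checksums-Sha256 stanza of a
.changes file (added example; assumes the .changes signature was checked first)."""
import hashlib
import hmac
import re
from typing import Dict, NamedTuple, Tuple


class Entry(NamedTuple):
    sha256: str
    size: int


# Constructed .changes excerpt. The libsass_3.5.5-3 lines are copied from the
# signed .changes in the bug-closing mail; "example.txt" is a constructed extra
# entry (sha256/md5 of the bytes b"abc") so verification can run offline.
SAMPLE_CHANGES = """\
Format: 1.8
Source: libsass
Version: 3.5.5-3
Checksums-Sha256:
 9474eefcdfd0c845f2fdf96bf788aecd1be78751de4886fa793b394a38793256 2142 libsass_3.5.5-3.dsc
 bdcb15c5a97a262fb729e1668de1d505fa934fc9be74c06eb465fd6ed2f7c565 8996 libsass_3.5.5-3.debian.tar.xz
 949a45785cc2ab1a572e96ebba9ec34e32ae9c771a49a9fe968eb6497417bd49 6283 libsass_3.5.5-3_amd64.buildinfo
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 example.txt
Files:
 8fc8305036252929bfc4efc8f1f63eac 2142 libs optional libsass_3.5.5-3.dsc
 35970b647627ca6bea42f36fb47f2f4a 8996 libs optional libsass_3.5.5-3.debian.tar.xz
 22e268275ce4ab08020a00ecd6d6ab87 6283 libs optional libsass_3.5.5-3_amd64.buildinfo
 900150983cd24fb0d6963f7d28e17f72 3 libs optional example.txt
"""


def parse_changes(text: str) -> Tuple[Dict[str, Entry], Dict[str, int]]:
    """Return ({filename: Entry(sha256, size)}, {filename: size from Files}).

    Only continuation lines (leading space) under the two stanzas we care
    about are consumed. A malformed entry raises ValueError instead of being
    skipped, so a truncated or tampered stanza cannot pass silently."""
    sha: Dict[str, Entry] = {}
    files: Dict[str, int] = {}
    field = None
    for line in text.splitlines():
        if line.startswith(" "):
            parts = line.split()
            if field == "Checksums-Sha256":
                if len(parts) != 3 or not re.fullmatch(r"[0-9a-f]{64}", parts[0]):
                    raise ValueError(f"bad Checksums-Sha256 entry: {line!r}")
                sha[parts[2]] = Entry(parts[0], int(parts[1]))
            elif field == "Files":
                if len(parts) != 5 or not re.fullmatch(r"[0-9a-f]{32}", parts[0]):
                    raise ValueError(f"bad Files entry: {line!r}")
                files[parts[4]] = int(parts[1])
        else:
            m = re.match(r"^([A-Za-z0-9-]+):", line)
            field = m.group(1) if m else None
    return sha, files


def stanzas_consistent(sha: Dict[str, Entry], files: Dict[str, int]) -> bool:
    """Every file in Files must also appear in Checksums-Sha256 with the same
    size; an artifact listed only under MD5 has no strong digest vouching for it."""
    return set(sha) == set(files) and all(sha[n].size == files[n] for n in files)


def verify_artifact(sha: Dict[str, Entry], name: str, data: bytes) -> bool:
    """True only if both the size and the SHA-256 digest match the stanza.
    Unlisted names fail closed; the MD5 column is never consulted."""
    entry = sha.get(name)
    if entry is None or len(data) != entry.size:
        return False
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, entry.sha256)


if __name__ == "__main__":
    sha_entries, file_sizes = parse_changes(SAMPLE_CHANGES)
    print("stanzas consistent:", stanzas_consistent(sha_entries, file_sizes))
    print("example.txt ok:", verify_artifact(sha_entries, "example.txt", b"abc"))
    print("tampered ok:", verify_artifact(sha_entries, "example.txt", b"abd"))
```

In practice you would read the .changes from disk after `gpg --verify` (or run dscverify, which does both steps) and feed each downloaded artifact's bytes to verify_artifact; the libsass entries in the sample will only verify against the real 3.5.5-3 files from the archive.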