Your message dated Sat, 11 Jan 2020 20:51:23 +0000
with message-id <[email protected]>
and subject line Bug#946005: fixed in librabbitmq 0.10.0-1
has caused the Debian Bug report #946005,
regarding librabbitmq: CVE-2019-18609
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
946005: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946005
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: librabbitmq
Version: 0.9.0-0.2
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for librabbitmq.

CVE-2019-18609[0]:
| An issue was discovered in amqp_handle_input in amqp_connection.c in
| rabbitmq-c 0.9.0. There is an integer overflow that leads to heap
| memory corruption in the handling of CONNECTION_STATE_HEADER. A rogue
| server could return a malicious frame header that leads to a smaller
| target_size value than needed. This condition is then carried on to a
| memcpy function that copies too much data into a heap buffer.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-18609
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18609
[1] https://github.com/alanxz/rabbitmq-c/commit/fc85be7123050b91b054e45b91c78d3241a5047a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
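As an added illustration of the bug class described in the CVE text above (this is not code from rabbitmq-c and not the upstream fix referenced in [1]): the number of bytes a client must buffer for one AMQP 0-9-1 frame is the 4-byte payload size carried in the frame header, plus the 7-byte header itself, plus the 1-byte frame-end octet. If that sum is formed in unchecked 32-bit arithmetic, a size near UINT32_MAX supplied by a rogue server wraps to a small target size, and a later copy whose length is still derived from the original size runs past the end of the buffer. The frame layout below is from the protocol specification; the function names, the frame_max value and the sample headers are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* AMQP 0-9-1 general frame layout (protocol spec, not rabbitmq-c source):
 *   octet 0      frame type
 *   octets 1-2   channel (big-endian)
 *   octets 3-6   payload size (big-endian uint32)
 *   payload      `size` octets
 *   last octet   frame-end marker 0xCE
 */
#define FRAME_HEADER_SIZE 7u
#define FRAME_END_SIZE    1u

/* Assumed negotiated frame_max for the example; a real client takes this
 * from Connection.Tune and must map the spec's 0 ("no limit") to a cap. */
#define ILLUSTRATIVE_FRAME_MAX 131072u

static uint32_t read_u32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Build a 7-octet frame header (constructed test input, hypothetical helper). */
void make_frame_header(uint8_t out[FRAME_HEADER_SIZE], uint8_t type,
                       uint16_t channel, uint32_t payload_size)
{
    out[0] = type;
    out[1] = (uint8_t)(channel >> 8);
    out[2] = (uint8_t)channel;
    out[3] = (uint8_t)(payload_size >> 24);
    out[4] = (uint8_t)(payload_size >> 16);
    out[5] = (uint8_t)(payload_size >> 8);
    out[6] = (uint8_t)payload_size;
}

/* Vulnerable pattern: total bytes to buffer, computed with unchecked 32-bit
 * arithmetic. A payload size within 8 of UINT32_MAX wraps to a value
 * smaller than the payload itself. */
uint32_t target_size_unchecked(const uint8_t hdr[FRAME_HEADER_SIZE])
{
    uint32_t payload_size = read_u32_be(hdr + 3);
    return payload_size + FRAME_HEADER_SIZE + FRAME_END_SIZE;
}

/* True when a buffer of target_size_unchecked() bytes is too small for the
 * header + payload + frame-end the peer announced, i.e. a copy sized from
 * the announced length would overrun it. Computed in 64 bits so the check
 * itself cannot wrap. */
bool unchecked_copy_overflows(const uint8_t hdr[FRAME_HEADER_SIZE])
{
    uint64_t needed = (uint64_t)read_u32_be(hdr + 3)
                    + FRAME_HEADER_SIZE + FRAME_END_SIZE;
    return needed > target_size_unchecked(hdr);
}

/* Hardened pattern: bound the peer-controlled size against the negotiated
 * frame_max (which covers header, payload and frame-end) before doing any
 * arithmetic on it. Returns false and leaves *out untouched on rejection. */
bool target_size_checked(const uint8_t hdr[FRAME_HEADER_SIZE],
                         uint32_t frame_max, uint32_t *out)
{
    uint32_t payload_size = read_u32_be(hdr + 3);
    const uint32_t overhead = FRAME_HEADER_SIZE + FRAME_END_SIZE;

    if (frame_max < overhead || payload_size > frame_max - overhead)
        return false;                 /* oversized or malformed frame */
    if (payload_size > UINT32_MAX - overhead)
        return false;                 /* cannot happen after the bound above; kept as defence in depth */
    *out = payload_size + overhead;
    return true;
}

int main(void)
{
    uint8_t benign[FRAME_HEADER_SIZE], rogue[FRAME_HEADER_SIZE];
    uint32_t n = 0;

    make_frame_header(benign, 1, 0, 12);          /* METHOD frame, 12-byte payload */
    make_frame_header(rogue, 1, 0, 0xFFFFFFFFu);  /* size field a rogue server might send */

    printf("benign: unchecked target=%u overflows=%d\n",
           target_size_unchecked(benign), unchecked_copy_overflows(benign));
    printf("rogue:  unchecked target=%u overflows=%d\n",
           target_size_unchecked(rogue), unchecked_copy_overflows(rogue));
    printf("rogue:  checked accepted=%d\n",
           target_size_checked(rogue, ILLUSTRATIVE_FRAME_MAX, &n));
    return 0;
}
```

The essential point is the ordering in target_size_checked: the comparison against frame_max happens on the raw field, before it is added to anything, so no intermediate value can wrap. Note that a payload size of 0xFFFFFFF8 wraps the unchecked sum to exactly 0, which is the degenerate case of a zero-length allocation followed by a large copy.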
--- Begin Message ---
Source: librabbitmq
Source-Version: 0.10.0-1

We believe that the bug you reported is fixed in the latest version of
librabbitmq, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Fladischer <[email protected]> (supplier of updated librabbitmq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 11 Jan 2020 20:13:36 +0100
Source: librabbitmq
Architecture: source
Version: 0.10.0-1
Distribution: unstable
Urgency: high
Maintainer: Michael Fladischer <[email protected]>
Changed-By: Michael Fladischer <[email protected]>
Closes: 946005
Changes:
 librabbitmq (0.10.0-1) unstable; urgency=high
 .
   * New upstream release, fixing CVE-2019-18609 (Closes: #946005).
   * Refresh patches.
   * Update symbols for librabbitmq4.
   * Bump debhelper compatibility and version to 12 and switch to
     debhelper-compat.
   * Bump Standards-Version to 4.4.1.
   * Run wrap-and-sort -bast to reduce diff size of future changes.
   * Enable hardening build options.
   * Rename Expat as name for license.
   * Remove unused lintian overrides.
   * Set Rules-Requires-Root: no.
   * Use https:// for copyright-format 1.0 URL.
   * Remove unused filename patterns from d/copyright.
   * Set Build-Depends-Package in symbols file.
Checksums-Sha1:
 556f48a30a6cd0e92c14f168baa6fb6f1d9d33ce 1736 librabbitmq_0.10.0-1.dsc
 6e39256e23cbcddfd2290b4300afd239b710885b 145361 librabbitmq_0.10.0.orig.tar.gz
 3fcacd81a42fb1f6ed3ae9b4b90b5f5e8681b269 9244 librabbitmq_0.10.0-1.debian.tar.xz
 77ff30a6f23e3ecd76ecb1d7625b085a3cdddfb3 8524 librabbitmq_0.10.0-1_amd64.buildinfo
Checksums-Sha256:
 5ee18de9a3e196a296cd293c54451268f398ede9a1b7aa6febdbea767df9067b 1736 librabbitmq_0.10.0-1.dsc
 6455efbaebad8891c59f274a852b75b5cc51f4d669dfc78d2ae7e6cc97fcd8c0 145361 librabbitmq_0.10.0.orig.tar.gz
 945e96eed8699f90d9e6f3acd1b0b8729e361bfe58501f7a831417a503908579 9244 librabbitmq_0.10.0-1.debian.tar.xz
 98f966384e17d46b3601ffc19228bf309ec0eb96be39bebadfb27f24e1307e03 8524 librabbitmq_0.10.0-1_amd64.buildinfo
Files:
 3e53f23cab46a6ef7ac8934ba94fef34 1736 libs optional librabbitmq_0.10.0-1.dsc
 6f09f0cb07cea221657a768bd9c7dff7 145361 libs optional librabbitmq_0.10.0.orig.tar.gz
 f6689d3616621e69c2e80b173c09d5ff 9244 libs optional librabbitmq_0.10.0-1.debian.tar.xz
 c4cd27e7583f6be5ad580dfa3f1731d5 8524 libs optional librabbitmq_0.10.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEqVSlRXW87UkkCnJc/9PIi5l90WoFAl4aK/MACgkQ/9PIi5l9
0WprLwf/UbHEYfjhH8JeY44Y3gg43sJCOpyh3O83mAG7MeCjXaMkK/iKO9lsRP+K
7u/o2ntz+WDgnq0Yn5CaWc9Cl3xk5T/pbMc5IYuVHWEEGl02+hZJ5kzHkHteoFW/
/K3YCfCWF4kAL5mYJTsM866jtgEeVJxRlbkHglExVv9amRAteAgpk4yQ6ifucq+L
PGvVjRiDUlRvC9DNvwufI8TjcHGRuTBb/PhUyXCKnGzds5XHR3rO1XKklHKnD9VA
ErEW2jsqZeVogPN0Znl/6YGz/Fc1xUrRR3PTgdM+8VXjwyMr22WaXzDTlDVlXXRY
nw9JAL1iCMuZdE8e7ihmD1gUP1O+Qg==
=sQKE
-----END PGP SIGNATURE-----

--- End Message ---