Your message dated Thu, 30 Jan 2020 17:36:20 +0000
with message-id <[email protected]>
and subject line Bug#949611: fixed in libsolv 0.6.36-2
has caused the Debian Bug report #949611,
regarding libsolv: CVE-2019-20387
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
949611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949611
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsolv
Version: 0.6.36-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for libsolv.
CVE-2019-20387[0]:
| repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-
| based buffer over-read via a last schema whose length is less than the
| length of the input schema.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-20387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20387
[1]
https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
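The CVE text above describes the failure mode in one sentence: a lookup compares an input schema against the last stored schema using the input's length, so when the stored schema is shorter the comparison reads past it on the heap. The following C program is an added, constructed illustration of that pattern and of the length check that prevents it; it is not libsolv's repodata.c, and every name in it (SchemaTable, schema_add, schema_find_last, unchecked_overread_ids, the {3,5} and {3,5,7,9} sample schemas) is invented for this example. The over-read itself is only computed, never performed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not libsolv's repodata.c: a schema is a list of
 * non-zero key Ids ending in a 0 terminator, and all schemas live
 * back-to-back in one buffer indexed by a per-schema start offset. */
typedef unsigned int Id;

#define MAX_DATA    64
#define MAX_SCHEMAS 8

typedef struct {
    Id     data[MAX_DATA];         /* 0-terminated schemas, concatenated */
    size_t ndata;                  /* Ids used in data                   */
    size_t offsets[MAX_SCHEMAS];   /* start index of each schema in data */
    size_t nschemas;
} SchemaTable;

/* Number of Ids in a stored schema, not counting its 0 terminator. */
static size_t schema_len(const Id *s)
{
    size_t n = 0;
    while (s[n])
        n++;
    return n;
}

/* Append a schema (len Ids, no terminator in the input). Returns its id,
 * or -1 when the table is full. */
int schema_add(SchemaTable *t, const Id *schema, size_t len)
{
    if (t->nschemas >= MAX_SCHEMAS || t->ndata + len + 1 > MAX_DATA)
        return -1;
    t->offsets[t->nschemas] = t->ndata;
    memcpy(t->data + t->ndata, schema, len * sizeof(Id));
    t->data[t->ndata + len] = 0;
    t->ndata += len + 1;
    return (int)t->nschemas++;
}

/* How many Ids an unchecked memcmp(last, schema, len * sizeof(Id)) would
 * read beyond the last stored schema's terminator. When that schema is the
 * final one in the buffer, every such Id lies outside the allocation; this
 * is the shape the CVE description gives (last schema shorter than the
 * input). Computed, not performed. */
size_t unchecked_overread_ids(const SchemaTable *t, size_t len)
{
    if (t->nschemas == 0)
        return 0;
    size_t lastlen = schema_len(t->data + t->offsets[t->nschemas - 1]);
    return len > lastlen + 1 ? len - lastlen - 1 : 0;
}

/* Hardened lookup against the last stored schema: compare lengths first,
 * so memcmp only ever covers Ids that belong to the stored schema. */
int schema_find_last(const SchemaTable *t, const Id *schema, size_t len)
{
    if (t->nschemas == 0)
        return -1;
    const Id *last = t->data + t->offsets[t->nschemas - 1];
    if (schema_len(last) != len)
        return -1;                 /* length mismatch: cannot be equal */
    if (memcmp(last, schema, len * sizeof(Id)) != 0)
        return -1;
    return (int)(t->nschemas - 1);
}

/* Scenario from the CVE text (constructed values): stored last schema
 * {3,5} (2 Ids), input schema of 4 Ids. Returns 1 when the hardened lookup
 * rejects the input and the unchecked compare would have read 1 Id past
 * the terminator. */
int scenario_short_last_schema(void)
{
    SchemaTable t = {0};
    const Id stored[] = {3, 5};
    const Id input[]  = {3, 5, 7, 9};
    if (schema_add(&t, stored, 2) != 0)
        return 0;
    return schema_find_last(&t, input, 4) == -1
        && unchecked_overread_ids(&t, 4) == 1;
}

int main(void)
{
    printf("short last schema handled safely: %s\n",
           scenario_short_last_schema() ? "yes" : "no");
    return 0;
}
```

The detection value of the helper is in review, not at runtime: any memcmp whose length comes from the caller's input rather than from the stored object is the place to look for this class of bug, and the fix is always the same length comparison before the byte comparison.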
--- Begin Message ---
Source: libsolv
Source-Version: 0.6.36-2
We believe that the bug you reported is fixed in the latest version of
libsolv, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Gabriel <[email protected]> (supplier of updated libsolv package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 30 Jan 2020 18:13:11 +0100
Source: libsolv
Architecture: source
Version: 0.6.36-2
Distribution: unstable
Urgency: medium
Maintainer: Mike Gabriel <[email protected]>
Changed-By: Mike Gabriel <[email protected]>
Closes: 949611
Changes:
libsolv (0.6.36-2) unstable; urgency=medium
.
  * debian/patches:
    + CVE-2019-20387: Add 0001_CVE-2019-20387.patch. Resolves heap-based buffer
      over-read in repodata.c (Closes: #949611).
  * debian/control:
    + Bump Standards-Version: to 4.5.0. No changes needed.
Checksums-Sha1:
61467112af5195b8c3317a608f755fa7ed122dbb 2407 libsolv_0.6.36-2.dsc
97e50a06cc6de4edcb647bd082b98c8201bb7a57 20120 libsolv_0.6.36-2.debian.tar.xz
b882d327e917357d727d5f4b54069d49a3fb92ea 8873 libsolv_0.6.36-2_source.buildinfo
Checksums-Sha256:
dcd1ba283030b8338f7620a43fe425a7d416dbc3f4aa488c102d45cbe5cc583b 2407 libsolv_0.6.36-2.dsc
c9b47a56f222dcd8cc31a798f8f1462684ae77e3f86bc3c7045f57c4336fad37 20120 libsolv_0.6.36-2.debian.tar.xz
f3f8c7ffb3564aaf141d08446d47047046f81b7ad0fa42e01150b473d9c3d13e 8873 libsolv_0.6.36-2_source.buildinfo
Files:
056f0579ffed491614bd85e9accc0d69 2407 admin optional libsolv_0.6.36-2.dsc
9aef8fec8e6355eaf31067413db4296e 20120 admin optional libsolv_0.6.36-2.debian.tar.xz
3bcba39dc5003b31536c417c4baac67d 8873 admin optional libsolv_0.6.36-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---