Your message dated Sun, 02 Feb 2020 13:47:17 +0000
with message-id <[email protected]>
and subject line Bug#949611: fixed in libsolv 0.6.35-2+deb10u1
has caused the Debian Bug report #949611,
regarding libsolv: CVE-2019-20387
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
949611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949611
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsolv
Version: 0.6.36-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for libsolv.
CVE-2019-20387[0]:
| repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-based
| buffer over-read via a last schema whose length is less than the
| length of the input schema.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-20387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20387
[1] https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libsolv
Source-Version: 0.6.35-2+deb10u1
We believe that the bug you reported is fixed in the latest version of
libsolv, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Gabriel <[email protected]> (supplier of updated libsolv package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 30 Jan 2020 22:58:10 +0100
Source: libsolv
Architecture: source
Version: 0.6.35-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Mike Gabriel <[email protected]>
Changed-By: Mike Gabriel <[email protected]>
Closes: 949611
Changes:
libsolv (0.6.35-2+deb10u1) buster; urgency=medium
  .
  * debian/patches:
    + CVE-2019-20387: Add 0001_CVE-2019-20387.patch. Resolves heap-based buffer
      over-read in repodata.c (Closes: #949611).
    + 1006_various-types.patch: Trivial rebase.
Checksums-Sha1:
 de757820f7da4b4990a541dbd0badb4617f9f49e 2521 libsolv_0.6.35-2+deb10u1.dsc
 6f05c5e6ce90fe14ec4262f15068ae347c52aff0 14860 libsolv_0.6.35-2+deb10u1.debian.tar.xz
 c0d6c5579cb46355da61cd61ab43f448fe80e1f5 9474 libsolv_0.6.35-2+deb10u1_source.buildinfo
Checksums-Sha256:
 ddd1c7a82ba5be535fa10045b773d6c3d424b4a443de985e0cbfdb35bd049ab8 2521 libsolv_0.6.35-2+deb10u1.dsc
 7fcea14ccce59c2b628bc9739684f9a065ca5b3cdbebea91004f8b84b7786b03 14860 libsolv_0.6.35-2+deb10u1.debian.tar.xz
 6fddad1fd015fe56215936798a554803ffbf0d30e4b0fd719e124dd55ac682e0 9474 libsolv_0.6.35-2+deb10u1_source.buildinfo
Files:
 ede5024b9ca0a3674de5643a31ed816d 2521 admin optional libsolv_0.6.35-2+deb10u1.dsc
 ad229799dba3dc9f919873f3d6f92ca6 14860 admin optional libsolv_0.6.35-2+deb10u1.debian.tar.xz
 61ea81f96ede3b66d3676c60f8641555 9474 admin optional libsolv_0.6.35-2+deb10u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAl4zZaoVHHN1bndlYXZl
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsx69EQAJ6dLZAIZWBuQLjn0U1vxTQQcrll
UzgcH6ad1s6idkKmUK/Xnntb5v6R/cgsZLzHV7BjAwhJz+njmE5XK/XUrgQ2vTF0
rMwkomKTGZEHiiivR6NVc/wjtCEniZ/jRIBAfyPbEFRivDjT7Ziy60MujdHtnMQ4
RgxjF8dCZMkY2b7o/cop2OUOv1+77wwLLDWSMJjIy97BaK5DAe483nssxlogP09f
iJUQtcFPkwrKAhE67QiBVJ9CIq/f033LtNSxU2JnQQKxSfwPNxqKwA+gNuHQOOOc
o0VTUo4vLnpYubswQBkQ7vlGlJhQ6C44p7AdXHHFt+cVW3vMslTCasQzTTZODBJs
T+flTgP8qK2S4ibFwSEcS80hjlsR7kl7kLwZpAXt4E6g0k7eIsubD77ben2KgXVi
fe+j9rSVJBJvEaTvNQ/cLC68Ls5SUI0TkyMbnjmCTWkFgFNKS47v3TGVd6F6RXrY
EPMLtIDySRkV9aTJuGB+idBnYwV2H3w2QSj7UeQPp86dNIeHNDvbfFEZrwrAVGOy
pH9E2+NI+GmnYx26eDal4h02xlWt0KjPzaH7zyAdd5kVjnQmSbQ86mWIjcZ/ZoJY
0XFSmtpalEv4eCryHJV29IWzZe6iCpost3oz7NbHSBboq86bi0f+EjQdjwYsIyat
MxkuhIpqLaN3hFWg
=BPZP
-----END PGP SIGNATURE-----
--- End Message ---