Your message dated Sun, 02 Feb 2020 14:39:41 +0000
with message-id <[email protected]>
and subject line Bug#949611: fixed in libsolv 0.6.24-1+deb9u2
has caused the Debian Bug report #949611,
regarding libsolv: CVE-2019-20387
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
949611: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949611
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libsolv
Version: 0.6.36-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for libsolv.

CVE-2019-20387[0]:
| repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-
| based buffer over-read via a last schema whose length is less than the
| length of the input schema.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-20387
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20387
[1] https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libsolv
Source-Version: 0.6.24-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
libsolv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <[email protected]> (supplier of updated libsolv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 30 Jan 2020 18:49:35 +0100
Source: libsolv
Architecture: source
Version: 0.6.24-1+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Mike Gabriel <[email protected]>
Changed-By: Mike Gabriel <[email protected]>
Closes: 949611
Changes:
 libsolv (0.6.24-1+deb9u2) stretch; urgency=medium
 .
   * debian/patches:
     + CVE-2019-20387: Add 0001_CVE-2019-20387.patch. Resolves heap-based
       buffer over-read in repodata.c (Closes: #949611).
     + Trivial rebase of patches 1004, 1006 and 2001.


--- End Message ---
