Your message dated Thu, 26 Mar 2020 01:50:00 +0000
with message-id <e1jhhei-0003bi...@fasolo.debian.org>
and subject line Bug#954959: fixed in libunivalue 1.1.1-1
has caused the Debian Bug report #954959,
regarding libunivalue: CVE-2019-18936
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
954959: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954959
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libunivalue
Version: 1.0.4-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/jgarzik/univalue/pull/58

Hi,

The following vulnerability was published for libunivalue.

CVE-2019-18936[0]:
| UniValue::read() in UniValue before 1.0.5 allows attackers to cause a
| denial of service (the class internal data reaches an inconsistent
| state) via input data that triggers an error.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-18936
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18936
[1] https://github.com/jgarzik/univalue/pull/58

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: libunivalue
Source-Version: 1.1.1-1
Done: Jonas Smedegaard <d...@jones.dk>

We believe that the bug you reported is fixed in the latest version of
libunivalue, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 954...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <d...@jones.dk> (supplier of updated libunivalue package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 26 Mar 2020 02:40:14 +0100
Source: libunivalue
Architecture: source
Version: 1.1.1-1
Distribution: experimental
Urgency: high
Maintainer: Debian Cryptocoin Team <team+cryptoc...@tracker.debian.org>
Changed-By: Jonas Smedegaard <d...@jones.dk>
Closes: 954959
Changes:
 libunivalue (1.1.1-1) experimental; urgency=high
 .
   [ upstream ]
   * new release(s)
     + UniValue::read(): Clear internal state upon error
       closes: bug#954959, thanks to Salvatore Bonaccorso;
       CVE-2019-18936
 .
   [ Jonas Smedegaard ]
   * Compare with json-spirit in long description.
   * fix have libunivalue-dev depend on pkg-config
   * declare compliance with Debian Policy 4.5.0
   * set urgency=high due to security-related bugfix

--- End Message ---
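
The bug class named in the CVE text and in the changelog entry ("Clear internal state upon error"), shown as an added illustration that is not part of the original messages and is not UniValue's code. The `KVDoc` class, its `a=1;b=2` input format and the `clear_on_error` switch are hypothetical, constructed only to show how a `read()` that fails part-way can leave an object's invariant broken, and how clearing on the error path restores it.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Toy key=value container (hypothetical; not UniValue's code). Invariant:
// keys.size() == values.size() whenever the object is observable.
class KVDoc {
public:
    std::vector<std::string> keys;
    std::vector<int> values;

    void clear() { keys.clear(); values.clear(); }
    bool consistent() const { return keys.size() == values.size(); }

    // Parses "a=1;b=2". With clear_on_error == false it mimics the bug class:
    // a failure part-way through returns false but keeps the partial state.
    bool read(const std::string& in, bool clear_on_error) {
        clear();
        std::size_t pos = 0;
        while (pos < in.size()) {
            std::size_t end = in.find(';', pos);
            if (end == std::string::npos) end = in.size();
            std::string item = in.substr(pos, end - pos);
            std::size_t eq = item.find('=');
            if (eq == std::string::npos || eq == 0) return fail(clear_on_error);
            keys.push_back(item.substr(0, eq));      // key stored first ...
            int v = 0;
            if (!parse_int(item.substr(eq + 1), v))  // ... value may still fail
                return fail(clear_on_error);
            values.push_back(v);
            pos = end + 1;
        }
        return true;
    }

private:
    bool fail(bool clear_on_error) {
        if (clear_on_error) clear();  // the fix: never expose half-built state
        return false;
    }
    static bool parse_int(const std::string& s, int& out) {
        if (s.empty() || s.size() > 9) return false;  // digits only, no overflow
        out = 0;
        for (char c : s) {
            if (c < '0' || c > '9') return false;
            out = out * 10 + (c - '0');
        }
        return true;
    }
};
```

A caller that ignores the `false` return and walks `keys` while indexing `values` reads past the end in the uncleared case; with the clear in place the same caller sees an empty object.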
