Your message dated Sun, 16 Jul 2023 10:47:09 +0000
with message-id <[email protected]>
and subject line Bug#1037100: fixed in cpp-httplib 0.11.4+ds-1+deb12u1
has caused the Debian Bug report #1037100,
regarding cpp-httplib: CVE-2023-26130
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1037100: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037100
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: cpp-httplib
Version: 0.11.4+ds-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for cpp-httplib.

CVE-2023-26130[0]:
| Versions of the package yhirose/cpp-httplib before 0.12.4 are
| vulnerable to CRLF Injection when untrusted user input is used to set
| the content-type header in the HTTP .Patch, .Post, .Put and .Delete
| requests. This can lead to logical errors and other misbehaviors.
| **Note:** This issue is present due to an incomplete fix for
| [CVE-2020-11709](https://security.snyk.io/vuln/SNYK-UNMANAGED-
| YHIROSECPPHTTPLIB-2366507).

The related CVE-2020-11709 was fixed before the initial upload to
Debian.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26130
    https://www.cve.org/CVERecord?id=CVE-2023-26130
[1] https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-5591194
[2] https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
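The report above describes a CRLF injection through a caller-supplied content-type value. The following is an added illustration written for this page, not cpp-httplib's own implementation (the names `is_valid_field_value`, `serialize_head`, `build_head` and `header_line_count` are hypothetical): a field-value check per the RFC 9110 grammar, placed beside an unchecked serializer so a test can show how a value carrying CR/LF becomes an extra header line a receiver would parse.

```cpp
// Added example, not cpp-httplib's own code. Helper names are hypothetical.
#include <cstddef>
#include <map>
#include <stdexcept>
#include <string>

using HeaderMap = std::map<std::string, std::string>;

// RFC 9110 field-value = *( VCHAR / SP / HTAB / obs-text ). CR, LF, NUL and
// every other control character are excluded, so a conforming value can never
// terminate the current line and start a header the caller did not intend.
bool is_valid_field_value(const std::string& value) {
    for (unsigned char c : value) {
        if (c == '\t') continue;                  // HTAB is permitted
        if (c < 0x20 || c == 0x7f) return false;  // CTLs, including '\r' and '\n'
    }
    return true;                                  // obs-text (>= 0x80) is allowed
}

// Unchecked serializer: a raw value goes straight onto the wire.
std::string serialize_head(const std::string& method, const std::string& path,
                           const HeaderMap& headers) {
    std::string head = method + " " + path + " HTTP/1.1\r\n";
    for (const auto& kv : headers) head += kv.first + ": " + kv.second + "\r\n";
    return head + "\r\n";
}

// Hardened variant: refuse to build a head that contains an invalid value.
std::string build_head(const std::string& method, const std::string& path,
                       const HeaderMap& headers) {
    for (const auto& kv : headers)
        if (!is_valid_field_value(kv.second))
            throw std::invalid_argument("invalid character in header " + kv.first);
    return serialize_head(method, path, headers);
}

// Number of header lines a receiver would parse from a serialized head
// (request line and terminating blank line excluded).
std::size_t header_line_count(const std::string& head) {
    std::size_t count = 0, pos = head.find("\r\n");
    if (pos == std::string::npos) return 0;
    pos += 2;                                      // skip the request line
    while (true) {
        std::size_t end = head.find("\r\n", pos);
        if (end == std::string::npos || end == pos) break;  // blank line ends the head
        ++count;
        pos = end + 2;
    }
    return count;
}
```

With the unchecked path, the single content-type entry `text/plain\r\nX-Injected: 1` serializes to two header lines; the checked path throws instead of emitting them.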
--- Begin Message ---
Source: cpp-httplib
Source-Version: 0.11.4+ds-1+deb12u1
Done: Andrea Pappacoda <[email protected]>

We believe that the bug you reported is fixed in the latest version of
cpp-httplib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrea Pappacoda <[email protected]> (supplier of updated cpp-httplib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Thu, 13 Jul 2023 00:26:06 +0200
Source: cpp-httplib
Architecture: source
Version: 0.11.4+ds-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Andrea Pappacoda <[email protected]>
Changed-By: Andrea Pappacoda <[email protected]>
Closes: 1037100
Changes:
 cpp-httplib (0.11.4+ds-1+deb12u1) bookworm; urgency=medium
 .
   * d/gbp.conf: adjust branch names for bookworm
   * d/patches: fix for CVE-2023-26130.
     Backport of the security fix for CVE-2023-26130, a CRLF Injection, from
     upstream commit 5b397d455d25a391ba346863830c1949627b4d08 included in
     upstream release 0.12.4 and newer. (Closes: #1037100)

--- End Message ---