Your message dated Sun, 23 Jul 2023 11:38:09 +0000
with message-id <[email protected]>
and subject line Bug#1041426: fixed in hnswlib 0.6.2-2+deb12u1
has caused the Debian Bug report #1041426,
regarding hnswlib: CVE-2023-37365
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1041426: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041426
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: hnswlib
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for hnswlib.

CVE-2023-37365[0]:
| Hnswlib 0.7.0 has a double free in init_index when the M argument is
| a large integer.

https://github.com/nmslib/hnswlib/issues/467
 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37365
    https://www.cve.org/CVERecord?id=CVE-2023-37365

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: hnswlib
Source-Version: 0.6.2-2+deb12u1
Done: Étienne Mollier <[email protected]>

We believe that the bug you reported is fixed in the latest version of
hnswlib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Étienne Mollier <[email protected]> (supplier of updated hnswlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 19 Jul 2023 10:27:07 +0200
Source: hnswlib
Architecture: source
Version: 0.6.2-2+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Med Packaging Team <[email protected]>
Changed-By: Étienne Mollier <[email protected]>
Closes: 1041426
Changes:
 hnswlib (0.6.2-2+deb12u1) bookworm; urgency=medium
 .
   * Team upload.
   * cve-2023-37365.patch: new: fix CVE-2023-37365.
     This is done by capping M to 10000 per discussion with upstream.
     (Closes: #1041426)


--- End Message ---
