Your message dated Mon, 24 Jul 2023 16:32:23 +0000
with message-id <[email protected]>
and subject line Bug#1041426: fixed in hnswlib 0.4.0-3+deb11u1
has caused the Debian Bug report #1041426,
regarding hnswlib: CVE-2023-37365
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1041426: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041426
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: hnswlib
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for hnswlib.

CVE-2023-37365[0]:
| Hnswlib 0.7.0 has a double free in init_index when the M argument is
| a large integer.

https://github.com/nmslib/hnswlib/issues/467
 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37365
    https://www.cve.org/CVERecord?id=CVE-2023-37365

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: hnswlib
Source-Version: 0.4.0-3+deb11u1
Done: Étienne Mollier <[email protected]>

We believe that the bug you reported is fixed in the latest version of
hnswlib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Étienne Mollier <[email protected]> (supplier of updated hnswlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 19 Jul 2023 11:07:28 +0200
Source: hnswlib
Architecture: source
Version: 0.4.0-3+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Med Packaging Team <[email protected]>
Changed-By: Étienne Mollier <[email protected]>
Closes: 1041426
Changes:
 hnswlib (0.4.0-3+deb11u1) bullseye; urgency=medium
 .
   * Team upload.
   * cve-2023-37365.patch: new: fix CVE-2023-37365.
     This is done by capping M to 10000 per discussion with upstream.
     (Closes: #1041426)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
