Your message dated Fri, 01 Dec 2023 17:05:10 +0000
with message-id <[email protected]>
and subject line Bug#1056752: fixed in zfs-linux 2.1.14-1
has caused the Debian Bug report #1056752,
regarding zfs-linux: CVE-2023-49298
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1056752: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056752
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: zfs-linux
Version: 2.1.13-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/openzfs/zfs/issues/15526
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for zfs-linux.

CVE-2023-49298[0]:
| OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios
| involving applications that try to rely on efficient copying of file
| data, can replace file contents with zero-valued bytes and thus
| potentially disable security mechanisms. NOTE: this issue is not
| always security related, but can be security related in realistic
| situations. A possible example is cp, from a recent GNU Core
| Utilities (coreutils) version, when attempting to preserve a rule
| set for denying unauthorized access. (One might use cp when
| configuring access control, such as with the /etc/hosts.deny file
| specified in the IBM Support reference.) NOTE: this issue occurs
| less often in version 2.2.1, and in versions before 2.1.4, because
| of the default configuration in those versions.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49298
    https://www.cve.org/CVERecord?id=CVE-2023-49298
[1] https://github.com/openzfs/zfs/issues/15526
[2] https://github.com/openzfs/zfs/pull/15571

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: zfs-linux
Source-Version: 2.1.14-1
Done: Shengqi Chen <[email protected]>

We believe that the bug you reported is fixed in the latest version of
zfs-linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengqi Chen <[email protected]> (supplier of updated zfs-linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 01 Dec 2023 17:17:32 +0800
Source: zfs-linux
Architecture: source
Version: 2.1.14-1
Distribution: unstable
Urgency: high
Maintainer: Debian ZFS on Linux maintainers 
<[email protected]>
Changed-By: Shengqi Chen <[email protected]>
Closes: 1056752
Changes:
 zfs-linux (2.1.14-1) unstable; urgency=high
 .
   * New upstream version 2.1.14 (Closes: #1056752, CVE-2023-49298)
   * Remove already merged emergency patches
   * Refine header of patches, fix series file
Checksums-Sha1:
 318a7ef353ca3f1465e856f75cac2bef65fa7afc 3213 zfs-linux_2.1.14-1.dsc
 cb2cf704bd4b04437086c64b921dd05cf7e6acc5 35167471 zfs-linux_2.1.14.orig.tar.gz
 9e53251fc10b8380d241b3e07a68b23ae82df37f 108192 
zfs-linux_2.1.14-1.debian.tar.xz
 1b3183dd1afe769465c11d0f42c1661db4bad03b 8241 
zfs-linux_2.1.14-1_source.buildinfo
Checksums-Sha256:
 7e07b47115fb7db72639b94527aaae6cc9b709819f8ef75cd70de2972d1ea547 3213 
zfs-linux_2.1.14-1.dsc
 509fed100e73477621bfb56c58346a3306727dbb6f7e017ba714101babb6ea3f 35167471 
zfs-linux_2.1.14.orig.tar.gz
 c6a8ccefefd8e5e8256ee757ec354e285f68c0ac190180105b17f7eca7c17b98 108192 
zfs-linux_2.1.14-1.debian.tar.xz
 c3d0e987c0dcde9c00df758158262b7dcd6a06346ab68c7941bc236ef78f672b 8241 
zfs-linux_2.1.14-1_source.buildinfo
Files:
 3d7972dddd6ed026bc1ef97128731911 3213 contrib/kernel optional 
zfs-linux_2.1.14-1.dsc
 9d69f094d3bcd0b803ed4f96cd776a82 35167471 contrib/kernel optional 
zfs-linux_2.1.14.orig.tar.gz
 a649d1efca01612e2e5df268a58751ae 108192 contrib/kernel optional 
zfs-linux_2.1.14-1.debian.tar.xz
 116b0d705f25fc9d0c46636e94377ab4 8241 contrib/kernel optional 
zfs-linux_2.1.14-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmVqDMIACgkQO1LKKgqv
2VRgAQgAgWaVm7LfzB/8TDR/5zMaVGocjHatEkXYtwHnHyX5zSrHpx0ZQlDEDw3y
jC3qG/1YTsYXmXN+Vz7tCnSEE7NG3TBX6v9UxXTC5H/Gi/om1nNxLPhQN2vruWyN
NZz5A0PYZbWyXsNcqgF0Jn4/9Qn3Vgih6RcuDjB0oE56gCZGtnsBOYdBRcmkGMLP
rgMQh/1ITWdhUR/Rf3OHpxpiCLN8al5R2yLIPZ6YSjM6Y8rQiyvYz66O68iKLbsM
nB+QGG+xFUmvRUUajzt+uaLugZ4+ElOsk9EbOdJ+8e7OUGi33D4ZTKAH4Bzoa2lA
igV99wqFh0q4pGnIrF16ChW80TsGWg==
=kBXx
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to