Your message dated Thu, 21 Nov 2024 17:48:57 +0000
with message-id <[email protected]>
and subject line Bug#1056752: fixed in zfs-linux 2.1.11-1+deb12u1
has caused the Debian Bug report #1056752,
regarding zfs-linux: CVE-2023-49298
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1056752: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056752
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: zfs-linux
Version: 2.1.13-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/openzfs/zfs/issues/15526
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for zfs-linux.
CVE-2023-49298[0]:
| OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios
| involving applications that try to rely on efficient copying of file
| data, can replace file contents with zero-valued bytes and thus
| potentially disable security mechanisms. NOTE: this issue is not
| always security related, but can be security related in realistic
| situations. A possible example is cp, from a recent GNU Core
| Utilities (coreutils) version, when attempting to preserve a rule
| set for denying unauthorized access. (One might use cp when
| configuring access control, such as with the /etc/hosts.deny file
| specified in the IBM Support reference.) NOTE: this issue occurs
| less often in version 2.2.1, and in versions before 2.1.4, because
| of the default configuration in those versions.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-49298
https://www.cve.org/CVERecord?id=CVE-2023-49298
[1] https://github.com/openzfs/zfs/issues/15526
[2] https://github.com/openzfs/zfs/pull/15571
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: zfs-linux
Source-Version: 2.1.11-1+deb12u1
Done: Shengqi Chen <[email protected]>
We believe that the bug you reported is fixed in the latest version of
zfs-linux, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Shengqi Chen <[email protected]> (supplier of updated zfs-linux package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 02 Nov 2024 15:34:23 +0800
Source: zfs-linux
Architecture: source
Version: 2.1.11-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian ZFS on Linux maintainers
<[email protected]>
Changed-By: Shengqi Chen <[email protected]>
Closes: 1056752 1063497
Changes:
zfs-linux (2.1.11-1+deb12u1) bookworm; urgency=medium
.
* dch: typo fix
* New symbols for libzfs4linux and libzpool5linux
* d/patches: cherry-pick upstream fixes for stability issues
+ fix dnode dirty test (Closes: #1056752, #1063497, CVE-2023-49298)
+ fix sharenfx IPv6 address parsing (Closes: CVE-2013-20001)
+ and some fixes related to NULL pointer, memory allocation, etc.
Checksums-Sha1:
e3161d843abe704ed2eca6890f378321aa9dbbec 3245 zfs-linux_2.1.11-1+deb12u1.dsc
7454fbb0f3111ff98098e79da9591d7005b15152 116548
zfs-linux_2.1.11-1+deb12u1.debian.tar.xz
b552f9a1a955d178f06533d7b9736cb1ed50df52 8511
zfs-linux_2.1.11-1+deb12u1_source.buildinfo
Checksums-Sha256:
0709c2160cc8a428c55657251eb345aade4496596eefcdb8c5e66716319db3bb 3245
zfs-linux_2.1.11-1+deb12u1.dsc
902a7900e6ede3b262838e022c507b51a6b20d815b2c39a35626ecd98ae7d6db 116548
zfs-linux_2.1.11-1+deb12u1.debian.tar.xz
a665864a87d6ce809b0df66ae34209dee48436c770edd595a96f9d1fd14d9a32 8511
zfs-linux_2.1.11-1+deb12u1_source.buildinfo
Files:
d1688215266b54f6bf8f342569edb830 3245 contrib/kernel optional
zfs-linux_2.1.11-1+deb12u1.dsc
35b78b1c847409b22b8691bcf5ea0095 116548 contrib/kernel optional
zfs-linux_2.1.11-1+deb12u1.debian.tar.xz
7bc23f564d5eb98a85606cbe5a3eac68 8511 contrib/kernel optional
zfs-linux_2.1.11-1+deb12u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEBLHAyuu1xqoC2aJ5NP8o68vMTMgFAmc6BJIACgkQNP8o68vM
TMh4cAf+NPE+n14tM3b2AwFFDIQmXqwGbfjVmcPxToXIE2EZbd5eiZJ3NyyVgveV
XacJdVfPK4RpsDZnUAimoJXdKpr8TYhdi0sB4jDcw+HdXGGe96R62MUE8siiP0wQ
rf9xwY3QpEhJX8kjgLkbXcp0yPYc/7TjA5rBF4mTPGN7GKRZ7fPpP/eETcpxsUTt
qF2lt8+VVJJn/evrR+Gj7o3UE4/EplG9Q3/YKCg2Nk/r9M3NlVNU5tDC+n6MWM9R
X6zlwQ8+NA+RRGw0A8d7sPFNFtzmDbXXdXlhkjrJ+Cj281f+M/vBUl46dwV6c9/r
2d62328dwhafwG2+pca0MSIcbfJbVA==
=Utbm
-----END PGP SIGNATURE-----
pgpr5_Euv1jOJ.pgp
Description: PGP signature
--- End Message ---