Your message dated Thu, 06 Feb 2025 11:05:56 +0000
with message-id <[email protected]>
and subject line Bug#1095168: fixed in rust-openssl 0.10.70-1
has caused the Debian Bug report #1095168,
regarding rust-openssl: RUSTSEC-2025-0004 ssl::select_next_proto use after free
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1095168: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095168
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rust-openssl
Version: 0.10.68-1
Severity: normal
X-Debbugs-Cc: [email protected]
Dear Maintainer,
use after free vulnerability in versions >=0.10.0, <0.10.70
https://rustsec.org/advisories/RUSTSEC-2025-0004
In openssl versions before 0.10.70, ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than the client buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client.
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.10.11-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
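The lifetime mismatch described in the report, shown on a small pure-Rust ALPN selector (an added example, not rust-openssl's own code, which calls into the OpenSSL C library): the selected protocol is a sub-slice of `server`, so the returned reference must carry `server`'s lifetime, not `client`'s. The protocol lists use the same length-prefixed wire format OpenSSL uses; the sample lists below are constructed.

```rust
/// Selects the first server-preferred protocol that the client also offers.
///
/// Both lists are in ALPN wire format: a sequence of (length byte, bytes)
/// entries. The returned slice points into `server`, so its lifetime is tied
/// to `server` (`'s`) and never to `client`. Tying it to `client` instead
/// would let a caller hold the slice after `server` is freed, which is the
/// dangling-reference shape described in RUSTSEC-2025-0004.
fn select_next_proto<'s>(server: &'s [u8], client: &[u8]) -> Option<&'s [u8]> {
    let client_protos: Vec<&[u8]> = parse_proto_list(client)?;
    for proto in parse_proto_list(server)? {
        if client_protos.contains(&proto) {
            return Some(proto);
        }
    }
    None // no overlap: report it explicitly instead of returning a client entry
}

/// Parses a length-prefixed protocol list, rejecting malformed input
/// (a zero length, or a length that runs past the end of the buffer).
fn parse_proto_list(buf: &[u8]) -> Option<Vec<&[u8]>> {
    let mut out = Vec::new();
    let mut rest = buf;
    while let Some((&len, tail)) = rest.split_first() {
        let len = len as usize;
        if len == 0 || len > tail.len() {
            return None;
        }
        out.push(&tail[..len]);
        rest = &tail[len..];
    }
    Some(out)
}

fn main() {
    // Constructed sample lists: the server prefers h2 over http/1.1,
    // the client offers http/1.1 first and h2 second.
    let server = b"\x02h2\x08http/1.1";
    let client_owned: Vec<u8> = b"\x08http/1.1\x02h2".to_vec();
    let chosen = select_next_proto(server, &client_owned);
    // The result borrows only from `server`, so dropping the client buffer
    // here is accepted by the borrow checker and is memory-safe.
    drop(client_owned);
    println!("{:?}", chosen.map(|p| std::str::from_utf8(p).unwrap()));
}
```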
--- Begin Message ---
Source: rust-openssl
Source-Version: 0.10.70-1
Done: Peter Michael Green <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rust-openssl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Michael Green <[email protected]> (supplier of updated rust-openssl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 06 Feb 2025 10:33:27 +0000
Source: rust-openssl
Architecture: source
Version: 0.10.70-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <[email protected]>
Changed-By: Peter Michael Green <[email protected]>
Closes: 1095168
Changes:
rust-openssl (0.10.70-1) unstable; urgency=medium
.
* Team upload.
* Package openssl 0.10.70 from crates.io using debcargo 2.7.6 (Closes: #1095168)
--- End Message ---