Your message dated Fri, 27 Mar 2026 19:19:00 +0000
with message-id <[email protected]>
and subject line Bug#1132018: fixed in freeipmi 1.6.17-1
has caused the Debian Bug report #1132018,
regarding freeipmi: CVE-2026-33554
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132018: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132018
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: freeipmi
Version: 1.6.16-1
Severity: important
Tags: security upstream
Forwarded: https://savannah.gnu.org/bugs/?68140 https://savannah.gnu.org/bugs/?68141 https://savannah.gnu.org/bugs/?68142
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>




*** /tmp/freeipmi.reportbug
Package: freeipmi
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerability was published for freeipmi.

CVE-2026-33554[0]:
| ipmi-oem in FreeIPMI before 1.16.17 has exploitable buffer overflows
| on response messages. The Intelligent Platform Management Interface
| (IPMI) specification defines a set of interfaces for platform
| management. It is implemented by a large number of hardware
| manufacturers to support system management. It is most commonly used
| for sensor reading (e.g., CPU temperatures through the ipmi-sensors
| command within FreeIPMI) and remote power control (the ipmipower
| command). The ipmi-oem client command implements a set of IPMI OEM
| commands for specific hardware vendors. If a user has supported
| hardware, they may wish to use the ipmi-oem command to send a
| request to a server to retrieve specific information. Three
| subcommands were found to have exploitable buffer overflows on
| response messages. They are: "ipmi-oem dell get-last-post-code - get
| the last POST code and string describing the error on some Dell
| servers," "ipmi-oem supermicro extra-firmware-info - get extra
| firmware info on Supermicro servers," and "ipmi-oem wistron
| read-proprietary-string - read a proprietary string on Wistron servers."


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33554
    https://www.cve.org/CVERecord?id=CVE-2026-33554
[1] https://savannah.gnu.org/bugs/?68140
[2] https://savannah.gnu.org/bugs/?68141
[3] https://savannah.gnu.org/bugs/?68142
[4] https://cgit.git.savannah.gnu.org/cgit/freeipmi.git/commit/?id=b03ca4d1bff4626c11db8684564b88cd26a2425d


Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: freeipmi
Source-Version: 1.6.17-1
Done: Fabio Fantoni <[email protected]>

We believe that the bug you reported is fixed in the latest version of
freeipmi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabio Fantoni <[email protected]> (supplier of updated freeipmi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 27 Mar 2026 20:01:47 +0100
Source: freeipmi
Built-For-Profiles: noudeb
Architecture: source
Version: 1.6.17-1
Distribution: unstable
Urgency: medium
Maintainer: Fabio Fantoni <[email protected]>
Changed-By: Fabio Fantoni <[email protected]>
Closes: 1132018
Changes:
 freeipmi (1.6.17-1) unstable; urgency=medium
 .
   * New upstream version 1.6.17 (Closes: #1132018, CVE-2026-33554)
   * d/patches: refresh
   * Update standards version to 4.7.3, no changes needed

--- End Message ---
