Your message dated Mon, 26 Feb 2018 12:50:07 +0000
with message-id <e1eqiej-000bco...@fasolo.debian.org>
and subject line Bug#890289: fixed in bibledit 5.0.453-1
has caused the Debian Bug report #890289,
regarding bibledit: embeds mbedtls - vulnerable to CVE-2017-2784, CVE-2017-14032, CVE-2018-0487, CVE-2018-0488
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
890289: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890289
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bibledit
Version: 5.0.331-1
Severity: grave
Tags: security

Hi,

I notice bibledit embeds mbed TLS 2.2.1. The embedded version is vulnerable to at least these CVEs (based on the version number and assuming they have not been manually patched):

CVE-2017-2784
CVE-2017-14032
CVE-2018-0487
CVE-2018-0488

[disclaimer: the mbedtls package is still vulnerable to the last two, but I am working on fixing those]

I see you have overridden lintian which warns you about this:

> # For just now the mbed TLS library is included.
> # When using the system-provided libmbedtls, there currently is a
> segmentation fault.
> # Pending investigation of this fault, temporarily include mbed TLS.
> # Here is the link to the issue:
> https://github.com/bibledit/bibledit/issues/499
> # By the way, isn't it called "mbed" TLS, obviously intended to be "embedded"?
> # So Bibledit is doing that right now, it "embeds" mbed TLS.
> bibledit: embedded-library usr/bin/bibledit: mbedtls

"mbed" is the brand name ARM uses for its IOT operating system (of which mbedtls is a component) and therefore is derived from "embedded systems".

IMO embedding a security library is unacceptable and the package should not be in a stable release in its current state.

Thanks,
James
--- End Message ---
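The report above reasons purely from the version string compiled into the binary: lintian's embedded-library tag spots the vendored copy, and the CVE list follows from comparing 2.2.1 with the releases that fixed each issue. The script below, which is an added example and not code from the bug report, from lintian or from bibledit, does that check by hand: it scans a byte blob for the "mbed TLS x.y.z" literal and reports which of the four CVEs a copy of that version still predates. It assumes the vendored build keeps MBEDTLS_VERSION_C enabled (the default), so that the full version string lands in the binary, and it assumes the 2.x mainline fix versions listed in FIXED_IN (taken from the upstream security advisories for these CVEs; the 1.3 and 2.1 LTS branches received separate backports that the table does not model, so those are reported as needing a manual check). The sample .rodata is constructed, not taken from the real package.

```python
"""Spot a vendored mbed TLS copy by its version string and compare that
version against the fixes for the CVEs named in the bug report.

Added example (not from the bug report, lintian or bibledit). Assumptions:
  * mbed TLS was built with MBEDTLS_VERSION_C, so the literal
    "mbed TLS <x.y.z>" (MBEDTLS_VERSION_STRING_FULL) is in the binary.
  * FIXED_IN holds the 2.x mainline release that fixed each CVE; the 1.3
    and 2.1 LTS branches got separate backports and are not modelled.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Mainline (2.x) release in which each CVE was fixed (assumed from the
# upstream advisories; re-check before relying on this table).
FIXED_IN: Dict[str, Version] = {
    "CVE-2017-2784": (2, 4, 2),
    "CVE-2017-14032": (2, 6, 0),
    "CVE-2018-0487": (2, 7, 0),
    "CVE-2018-0488": (2, 7, 0),
}

# Matches the MBEDTLS_VERSION_STRING_FULL literal as it sits in .rodata.
_VERSION_RE = re.compile(rb"mbed TLS (\d+)\.(\d+)\.(\d+)")


def find_embedded_versions(blob: bytes) -> List[Version]:
    """Return every distinct 'mbed TLS x.y.z' version found in blob, in order."""
    seen: List[Version] = []
    for m in _VERSION_RE.finditer(blob):
        v = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
        if v not in seen:
            seen.append(v)
    return seen


def unfixed_cves(version: Version) -> Optional[List[str]]:
    """CVEs from FIXED_IN that `version` predates, by version comparison only.

    Returns None for the 1.3 and 2.1 LTS branches, whose fix releases differ
    from the mainline table and must be checked against the advisories.
    Like the bug report, this assumes nothing was backported by hand into
    the vendored copy.
    """
    if version[:2] in ((1, 3), (2, 1)):
        return None
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]


def audit(blob: bytes) -> Dict[str, Optional[List[str]]]:
    """Map each embedded version string to the CVEs it is still exposed to."""
    return {
        "mbed TLS %d.%d.%d" % v: unfixed_cves(v)
        for v in find_embedded_versions(blob)
    }


# Constructed stand-in for the .rodata of a binary that statically links
# mbed TLS 2.2.1, as the report found in usr/bin/bibledit.
SAMPLE_RODATA = (
    b"\x00usr/share/bibledit\x00"
    b"mbed TLS 2.2.1\x00"  # MBEDTLS_VERSION_STRING_FULL
    b"2.2.1\x00"           # MBEDTLS_VERSION_STRING; not matched on its own
    b"Bibledit\x00"
)

if __name__ == "__main__":
    # Real package: audit(open("/usr/bin/bibledit", "rb").read())
    for name, cves in audit(SAMPLE_RODATA).items():
        if cves is None:
            print(name, "is on an LTS branch; check the advisories by hand")
        elif cves:
            print(name, "still predates the fixes for:", ", ".join(cves))
        else:
            print(name, "postdates every fix in the table")
```

A binary built from the mbedtls source tree without the version module, or from a fork that changed the string, will not match; in that case the report's own route (the lintian tag and the debian/rules or vendored source tree) is the evidence, not this scan. The version comparison is deliberately the same weak evidence the report uses: it says which fixes the vendored copy cannot have picked up from upstream, not whether the vulnerable code paths are reachable in bibledit.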
--- Begin Message ---
Source: bibledit
Source-Version: 5.0.453-1

We believe that the bug you reported is fixed in the latest version of
bibledit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 890...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Teus Benschop <teusjanne...@gmail.com> (supplier of updated bibledit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 26 Feb 2018 13:08:21 +0100
Source: bibledit
Binary: bibledit bibledit-data
Architecture: source
Version: 5.0.453-1
Distribution: unstable
Urgency: medium
Maintainer: CrossWire Packaging Team <pkg-crosswire-de...@lists.alioth.debian.org>
Changed-By: Teus Benschop <teusjanne...@gmail.com>
Description:
 bibledit   - Bible editor
 bibledit-data - Data for bibledit
Closes: 890289
Changes:
 bibledit (5.0.453-1) unstable; urgency=medium
 .
   * New upstream version 5.0.453, closes: #890289
   * Upgrade to debhelper 10
Checksums-Sha1:
 68f2c7ea4e47a161ae7f35c7ac7c09fee2c9cbc9 2387 bibledit_5.0.453-1.dsc
 509697622f95d617aab06a4cdc784afb4d33b05c 60424425 bibledit_5.0.453.orig.tar.gz
 f520f9d8d6d2a8a050fea921e2b87668682560a6 11916 bibledit_5.0.453-1.debian.tar.xz
 5f2621f903c0c5562d3c0d33b19463f5e69da813 14438 bibledit_5.0.453-1_source.buildinfo
Checksums-Sha256:
 1c9d6a43199b5ad6319dd908974a2774eec5c6e3858a84ad02933b6c304683ba 2387 bibledit_5.0.453-1.dsc
 6968b2e05973e8ca9cbb1f25769a5ad55be2b2b4e7825f87e21472d565ee22ac 60424425 bibledit_5.0.453.orig.tar.gz
 cc9437e3a0a30b4b583cc3815102cc7ad2b1a5be577ca66c39bc5b6c8146ed9d 11916 bibledit_5.0.453-1.debian.tar.xz
 ddbe2bbf983251e4224f05a9196eb197e47ddd3e7c3d61edec624f1e4a493b90 14438 bibledit_5.0.453-1_source.buildinfo
Files:
 bf2a68c9cf8d3a9f63ad48adf2af973f 2387 editors optional bibledit_5.0.453-1.dsc
 6905be3f3206e18eae26d3890d0777dc 60424425 editors optional bibledit_5.0.453.orig.tar.gz
 cecbddbc8d3098c21911241e438633a5 11916 editors optional bibledit_5.0.453-1.debian.tar.xz
 e9ded7bda3063858381642ef3327d57f 14438 editors optional bibledit_5.0.453-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJLBAEBCgA1FiEEher+5c8s1QBza9jekwIrrQVjpR0FAlqT/U4XHHRldXNqYW5u
ZXR0ZUBnbWFpbC5jb20ACgkQkwIrrQVjpR3J7g//dP4kn6aivbEdA81bB/dwUVGA
kNtuAIy/vQwmCgZT1tg7GpAbu2gtNys77GgF8KYlU4VoDCfrGtM0iJ5JT7eCTd8a
L9/79S6T3mWiM/Zx9ltWbRAJr9WWLu/eJuW9t1MfGLGKnthceRbx5jxZbaTD+vE6
CCUMakpm8aqB0hkVhTRRvAoo7rfDETLsSHlBPggZfqabcu8Yslws/zBIUgcwH3Wp
/JdDbe+X40tuLIOR/bv7a40cKiUYCwZmpjaJ3uEamiRyFr92vR3f/hHubIk4Xxll
63XqNtoCqUraX8GOCYzc8ndq5/zkYncyYifOehceIisrKKZLyM908JrMPMm6ylSy
jK+C53iUH/QV+PXxMzau7yxa2Rosa7+g/my4rAc1HmR5Qsk3GjAiewPsVU4kPAdP
LXq5U1sGGvTxXGZchofWq92774mLxiNX9sbNmDdUPH+bvagA9Ph1okf+b7qBQawo
xZTDTIaNDRHrMQEOWaHoxTR50vWc9m//ZJED6HCYmYhJW3EtwdfcM/q1Ln3QCWcw
7oND8/QEt0qrJrVbA3aESIHzQ9Ca/PTBssQfM/iosrlgb6ddtBDTZiCslZ18B7Lc
RUko+frTkobgtUupwZe0R+JyzR6yAw8TgUqtvjoN+9ZMYh/Obf2VA1i29/kCORVm
blzPrrT/I92bZit/Ydk=
=UuTO
-----END PGP SIGNATURE-----
--- End Message ---