Your message dated Mon, 26 Feb 2018 12:50:07 +0000
with message-id <e1eqiej-000bco...@fasolo.debian.org>
and subject line Bug#890289: fixed in bibledit 5.0.453-1
has caused the Debian Bug report #890289,
regarding bibledit: embeds mbedtls - vulnerable to CVE-2017-2784, CVE-2017-14032, CVE-2018-0487, CVE-2018-0488
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
890289: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890289
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bibledit
Version: 5.0.331-1
Severity: grave
Tags: security

Hi,

I notice bibledit embeds mbed TLS 2.2.1. The embedded version is
vulnerable to at least these CVEs (based on the version number and
assuming they have not been manually patched):
 CVE-2017-2784
 CVE-2017-14032
 CVE-2018-0487
 CVE-2018-0488

[disclaimer: the mbedtls package is still vulnerable to the last two,
but I am working on fixing those]

I see you have overridden lintian which warns you about this:
> # For just now the mbed TLS library is included.
> # When using the system-provided libmbedtls, there currently is a segmentation fault.
> # Pending investigation of this fault, temporarily include mbed TLS.
> # Here is the link to the issue: https://github.com/bibledit/bibledit/issues/499
> # By the way, isn't it called "mbed" TLS, obviously intended to be "embedded"?
> # So Bibledit is doing that right now, it "embeds" mbed TLS.
> bibledit: embedded-library usr/bin/bibledit: mbedtls

"mbed" is the brand name ARM uses for its IOT operating system (of which
mbedtls is a component) and therefore is derived from "embedded systems".

IMO embedding a security library is unacceptable and the package should
not be in a stable release in its current state.

Thanks,
James

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
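As an added example (not code from the report, from bibledit, from lintian or from mbed TLS): a check of the kind the report relies on, scanning a binary for the `mbed TLS X.Y.Z` version string that a statically linked copy leaves behind and comparing it with the first fixed release of each listed CVE on each branch maintained at the time. The fixed-release numbers are my reading of the upstream security advisories and the sample binary is constructed; both are assumptions, not data from this page. The check has the same blind spot the reporter states: it sees the version number, not whether the fixes were backported by hand.

```python
"""Scan a binary for an embedded copy of mbed TLS and flag listed CVEs by version.

Added example for Debian bug #890289; not part of bibledit, lintian or mbed TLS.
Assumption: the library's MBEDTLS_VERSION_STRING_FULL ("mbed TLS X.Y.Z") survives
in the linked binary, which is what a version-number check like the report's
relies on. It cannot see manually backported fixes.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First release carrying the fix on each branch maintained at the time
# (mainline, 2.1 LTS, 1.3 LTS). These numbers are my reading of the upstream
# advisories and are an assumption to verify, not data from the bug report.
FIXED_IN: Dict[str, List[str]] = {
    "CVE-2017-2784": ["2.4.2", "2.1.7", "1.3.19"],
    "CVE-2017-14032": ["2.6.0", "2.1.9", "1.3.21"],
    "CVE-2018-0487": ["2.7.0", "2.1.10", "1.3.22"],
    "CVE-2018-0488": ["2.7.0", "2.1.10", "1.3.22"],
}

# mbedtls/version.h builds MBEDTLS_VERSION_STRING_FULL as "mbed TLS " + version.
_VERSION_RE = re.compile(rb"mbed TLS (\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    major, minor, patch = (int(part) for part in text.split("."))
    return major, minor, patch


def find_mbedtls_versions(blob: bytes) -> List[str]:
    """Return every distinct 'X.Y.Z' mbed TLS version string found in blob."""
    found: List[str] = []
    for m in _VERSION_RE.finditer(blob):
        v = b".".join(m.groups()).decode("ascii")
        if v not in found:
            found.append(v)
    return found


def is_fixed(version: Version, fixes: List[Version]) -> bool:
    """Fixed if on the same LTS branch as a fix release and at or after it, or at
    or after the highest (mainline) fix release. Anything else, e.g. 2.2.x or
    2.3.x, never received the fix and is reported as vulnerable."""
    if version >= max(fixes):
        return True
    return any(version[:2] == f[:2] and version[2] >= f[2] for f in fixes)


def vulnerable_cves(version_text: str) -> List[str]:
    """CVEs from FIXED_IN whose fix the given mbed TLS version predates."""
    version = parse_version(version_text)
    return [
        cve
        for cve, fixes in FIXED_IN.items()
        if not is_fixed(version, [parse_version(f) for f in fixes])
    ]


def scan(blob: bytes) -> Dict[str, List[str]]:
    """Map each embedded mbed TLS version found in blob to the CVEs it predates."""
    return {v: vulnerable_cves(v) for v in find_mbedtls_versions(blob)}


# Constructed stand-in for /usr/bin/bibledit: a few bytes around the version
# string that a statically linked mbed TLS 2.2.1 would leave in the binary.
SAMPLE_BINARY = (
    b"\x7fELF\x00\x00padding\x00mbed TLS 2.2.1\x00mbedtls_ssl_handshake\x00"
)

if __name__ == "__main__":
    import sys

    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for found_version, cves in scan(data).items():
        print(f"embedded mbed TLS {found_version}: {', '.join(cves) or 'none listed'}")
```

Run against the rebuilt package (for example after unpacking the new .deb with `dpkg-deb -x`), this is the quickest way to confirm that the new upstream release stopped embedding the library rather than merely bumping it. An empty result means no version string was found, not proof of absence: a stripped or differently configured build can omit the string, so the symbol names (`mbedtls_ssl_*`) are worth a second look.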
--- Begin Message ---
Source: bibledit
Source-Version: 5.0.453-1

We believe that the bug you reported is fixed in the latest version of
bibledit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Teus Benschop <teusjanne...@gmail.com> (supplier of updated bibledit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 26 Feb 2018 13:08:21 +0100
Source: bibledit
Binary: bibledit bibledit-data
Architecture: source
Version: 5.0.453-1
Distribution: unstable
Urgency: medium
Maintainer: CrossWire Packaging Team <pkg-crosswire-de...@lists.alioth.debian.org>
Changed-By: Teus Benschop <teusjanne...@gmail.com>
Description:
 bibledit   - Bible editor
 bibledit-data - Data for bibledit
Closes: 890289
Changes:
 bibledit (5.0.453-1) unstable; urgency=medium
 .
   * New upstream version 5.0.453, closes: #890289
   * Upgrade to debhelper 10
Checksums-Sha1:
 68f2c7ea4e47a161ae7f35c7ac7c09fee2c9cbc9 2387 bibledit_5.0.453-1.dsc
 509697622f95d617aab06a4cdc784afb4d33b05c 60424425 bibledit_5.0.453.orig.tar.gz
 f520f9d8d6d2a8a050fea921e2b87668682560a6 11916 bibledit_5.0.453-1.debian.tar.xz
 5f2621f903c0c5562d3c0d33b19463f5e69da813 14438 bibledit_5.0.453-1_source.buildinfo
Checksums-Sha256:
 1c9d6a43199b5ad6319dd908974a2774eec5c6e3858a84ad02933b6c304683ba 2387 bibledit_5.0.453-1.dsc
 6968b2e05973e8ca9cbb1f25769a5ad55be2b2b4e7825f87e21472d565ee22ac 60424425 bibledit_5.0.453.orig.tar.gz
 cc9437e3a0a30b4b583cc3815102cc7ad2b1a5be577ca66c39bc5b6c8146ed9d 11916 bibledit_5.0.453-1.debian.tar.xz
 ddbe2bbf983251e4224f05a9196eb197e47ddd3e7c3d61edec624f1e4a493b90 14438 bibledit_5.0.453-1_source.buildinfo
Files:
 bf2a68c9cf8d3a9f63ad48adf2af973f 2387 editors optional bibledit_5.0.453-1.dsc
 6905be3f3206e18eae26d3890d0777dc 60424425 editors optional bibledit_5.0.453.orig.tar.gz
 cecbddbc8d3098c21911241e438633a5 11916 editors optional bibledit_5.0.453-1.debian.tar.xz
 e9ded7bda3063858381642ef3327d57f 14438 editors optional bibledit_5.0.453-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
