Your message dated Mon, 13 May 2019 21:17:07 +0000
with message-id <e1hqijn-000765...@fasolo.debian.org>
and subject line Bug#927553: fixed in atftp 0.7.git20120829-3.1~deb9u1
has caused the Debian Bug report #927553,
regarding atftp: CVE-2019-11365 CVE-2019-11366
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
927553: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927553
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: atftp
Version: 0.7.git20120829-3
Severity: grave
Tags: patch security upstream

Hi,

The following vulnerabilities were published for atftp.

CVE-2019-11365[0]:
| An issue was discovered in atftpd in atftp 0.7.1. A remote attacker
| may send a crafted packet triggering a stack-based buffer overflow due
| to an insecurely implemented strncpy call. The vulnerability is
| triggered by sending an error packet of 3 bytes or fewer. There are
| multiple instances of this vulnerable strncpy pattern within the code
| base, specifically within tftpd_file.c, tftp_file.c, tftpd_mtftp.c,
| and tftp_mtftp.c.


CVE-2019-11366[1]:
| An issue was discovered in atftpd in atftp 0.7.1. It does not lock the
| thread_list_mutex mutex before assigning the current thread data
| structure. As a result, the daemon is vulnerable to a denial of
| service attack due to a NULL pointer dereference. If thread_data is
| NULL when assigned to current, and modified by another thread before a
| certain tftpd_list.c check, there is a crash when dereferencing
| current->next.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11365
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11365
    https://sourceforge.net/p/atftp/code/ci/abed7d245d8e8bdfeab24f9f7f55a52c3140f96b/
[1] https://security-tracker.debian.org/tracker/CVE-2019-11366
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11366
    https://sourceforge.net/p/atftp/code/ci/382f76a90b44f81fec00e2f609a94def4a5d3580/
[2] https://pulsesecurity.co.nz/advisories/atftpd-multiple-vulnerabilities

Regards,
Salvatore

--- End Message ---
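The CVE-2019-11365 text above describes an error packet of 3 bytes or fewer reaching a strncpy that trusts the packet length. The following is an added, constructed example (not atftp's code; the packet layout is RFC 1350's ERROR packet, the function and buffer names are hypothetical) of the length check a TFTP error handler needs before copying the message out of the datagram:

```c
/* Added example, not atftp code: length-checked parsing of a TFTP ERROR
 * packet (RFC 1350: 2-byte opcode = 5, 2-byte error code, NUL-terminated
 * message). Names and the destination size are constructed for this demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TFTP_OP_ERROR 5
#define ERRMSG_MAX 128   /* constructed destination buffer size */

/* Returns 0 on success, -1 if the packet is malformed: shorter than the
 * 4-byte header, wrong opcode, or message not NUL-terminated in-bounds. */
int parse_tftp_error(const uint8_t *pkt, size_t len,
                     uint16_t *code, char *msg, size_t msg_cap)
{
    /* A packet of 3 bytes or fewer cannot hold opcode + error code. Without
     * this check an expression like len - 4 underflows (size_t), and a copy
     * bounded by it reads and writes far past the intended buffers. */
    if (pkt == NULL || len < 4 || msg == NULL || msg_cap == 0)
        return -1;
    uint16_t op = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (op != TFTP_OP_ERROR)
        return -1;
    *code = (uint16_t)((pkt[2] << 8) | pkt[3]);

    /* The message must terminate inside the datagram; never scan past len. */
    const uint8_t *m = pkt + 4;
    size_t avail = len - 4;
    const uint8_t *nul = memchr(m, '\0', avail);
    if (nul == NULL)
        return -1;
    size_t mlen = (size_t)(nul - m);
    if (mlen >= msg_cap)
        mlen = msg_cap - 1;   /* bound by the destination, not the packet */
    memcpy(msg, m, mlen);
    msg[mlen] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed packets: a valid one and a 3-byte truncated one. */
    const uint8_t good[] = {0, 5, 0, 1, 'F', 'i', 'l', 'e', 0};
    const uint8_t trunc[] = {0, 5, 0};
    uint16_t code; char msg[ERRMSG_MAX];
    printf("good: %d\n", parse_tftp_error(good, sizeof good, &code, msg, sizeof msg));
    printf("truncated: %d\n", parse_tftp_error(trunc, sizeof trunc, &code, msg, sizeof msg));
    return 0;
}
```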
--- Begin Message ---
Source: atftp
Source-Version: 0.7.git20120829-3.1~deb9u1

We believe that the bug you reported is fixed in the latest version of
atftp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 927...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated atftp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Fri, 03 May 2019 18:51:14 +0200
Source: atftp
Architecture: source
Version: 0.7.git20120829-3.1~deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Ludovic Drolez <ldro...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 927553
Changes:
 atftp (0.7.git20120829-3.1~deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Rebuild for stretch-security.
 .
 atftp (0.7.git20120829-3.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix concurrency issue denial of service (CVE-2019-11366) (Closes: #927553)
   * Fix error handler stack overflow (CVE-2019-11365) (Closes: #927553)


--- End Message ---