Your message dated Sun, 25 Aug 2019 13:47:32 +0000 with message-id <e1i1srk-0000ik...@fasolo.debian.org> and subject line Bug#933741: fixed in qemu 1:2.8+dfsg-6+deb9u8 has caused the Debian Bug report #933741, regarding qemu: CVE-2019-14378: heap buffer overflow during packet reassembly to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 933741: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933741 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: qemu Version: 1:3.1+dfsg-8 Severity: grave Tags: security upstream Control: clone -1 -2 Control: reassign -2 src:slirp4netns 0.3.1-1 Control: retitle -2 slirp4netns: CVE-2019-14459: heap buffer overflow during packet reassembly Hi, The following vulnerability was published for qemu (respective the SLiRP networking implemenatation which is as well forked in slirp4netns). CVE-2019-14378[0]: | ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer | overflow via a large packet because it mishandles a case involving the | first fragment. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-14378 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14378 [1] https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04acbabd7ad32c2b018fe10dfac2a3bc1210 [2] https://www.openwall.com/lists/oss-security/2019/08/01/2 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: qemu Source-Version: 1:2.8+dfsg-6+deb9u8 We believe that the bug you reported is fixed in the latest version of qemu, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 933...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Michael Tokarev <m...@tls.msk.ru> (supplier of updated qemu package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Fri, 09 Aug 2019 13:41:43 +0300 Source: qemu Architecture: source Version: 1:2.8+dfsg-6+deb9u8 Distribution: stretch-security Urgency: medium Maintainer: Debian QEMU Team <pkg-qemu-de...@lists.alioth.debian.org> Changed-By: Michael Tokarev <m...@tls.msk.ru> Closes: 873012 931351 933741 Changes: qemu (1:2.8+dfsg-6+deb9u8) stretch-security; urgency=medium . [ Michal Arbet ] * Fix improper backport of CVE-2017-9524 fix that caused NBD connections to hang (Closes: #873012). Thanks to Geoffrey Thomas. - nbd-fully-initialize-client-in-case-of-failed-negotiation-CVE-2017-9524.patch: Don't move nbd_set_handlers before nbd_negotiate. - nbd-fix-regression-on-resiliency-to-port-scan-CVE-2017-9524.patch: Refresh. . [ Michael Tokarev ] * slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input-CVE-2019-14378.patch bugfix in user-level networking Closes: #933741, CVE-2019-14378 * qemu-bridge-helper-restrict-interface-name-to-IFNAMSIZ-CVE-2019-13164.patch Closes: #931351, CVE-2019-13164 * integrate fix-md-clear-backport.patch into enable-md-clear.patch Thanks Moritz Mühlenhoff and Vincent Tondellier * device_tree-dont-use-load_image-CVE-2018-20815.patch fix unlikely overflow via saved image file size Closes: CVE-2018-20815 Checksums-Sha1: 8fbeafc7c10912d1e137d6697b609f768b3232aa 5579 qemu_2.8+dfsg-6+deb9u8.dsc 30ed9844cd7b60441d5532b4a7ff5bfcc04baebb 162212 qemu_2.8+dfsg-6+deb9u8.debian.tar.xz 351e1efe0fef0262cf2a2013aa0215679c2815af 7869 qemu_2.8+dfsg-6+deb9u8_source.buildinfo Checksums-Sha256: 0a4987c1ba44baa25341ea25c3e3ac06358994abc662a7db5ed1545a191048c1 5579 qemu_2.8+dfsg-6+deb9u8.dsc e3c0cd85409403824efe9ead0d5f110f2943c82986e460d5e3bb37bdb71d7fbb 162212 qemu_2.8+dfsg-6+deb9u8.debian.tar.xz 67b01392505ec7e5664968ba798324212027e9fca92f989e62f3580f9d1bc77c 7869 qemu_2.8+dfsg-6+deb9u8_source.buildinfo Files: 0bf19074279779e05fe2bd9233a77409 5579 otherosfs optional qemu_2.8+dfsg-6+deb9u8.dsc 15c10c07febb626168caff7f2e20f56e 162212 otherosfs optional qemu_2.8+dfsg-6+deb9u8.debian.tar.xz 12fc5e4ac1ad9c7754054a5c4bee85a0 7869 otherosfs optional qemu_2.8+dfsg-6+deb9u8_source.buildinfo -----BEGIN PGP SIGNATURE----- iQFDBAEBCAAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAl1fod4PHG1qdEB0bHMu bXNrLnJ1AAoJEHAbT2saaT5ZNlcIAMAc64zOaMb6Yvuln+EvTTgXVLO5RIxH8e92 a7bA87TF9h98s2FeOabcIhno3b3kDZX0rjB+yFRPItQHPYwtY8YTSW6kLUb8q2Ds 9xh7RFMlEKfd1AHsRf3eeWCrxxNib0nqsUqaG5ZSEc8U8BANXwSP8Z8A2DR4/AE8 NveJZ8zaQy53RSNPjo9Sd3PlUcKTPW568QABfbkIQ43uVoXwsf8FiifhrN/LY8nD GrygXNiYpTDjS4Uvkhvjt+RMAxCvfRzlfLeMm2BEv/PFDHtOWqDsF+9m7hLaEMre 45CYUECpxZn22UDvT/L7K/7CFTy+ocwvSgqbKE6h0gqwADB8MR0= =GR5X -----END PGP SIGNATURE-----
--- End Message ---
