Your message dated Sun, 17 Mar 2024 17:02:40 +0000
with message-id <e1rltuc-00agdi...@fasolo.debian.org>
and subject line Bug#1063484: fixed in libuv1 1.44.2-1+deb12u1
has caused the Debian Bug report #1063484,
regarding libuv1: CVE-2024-24806
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1063484: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063484
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libuv1
Version: 1.46.0-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for libuv1.

CVE-2024-24806[0]:
| libuv is a multi-platform support library with a focus on
| asynchronous I/O. The `uv_getaddrinfo` function in
| `src/unix/getaddrinfo.c` (and its windows counterpart
| `src/win/getaddrinfo.c`), truncates hostnames to 256 characters
| before calling `getaddrinfo`. This behavior can be exploited to
| create addresses like `0x00007f000001`, which are considered valid
| by `getaddrinfo` and could allow an attacker to craft payloads that
| resolve to unintended IP addresses, bypassing developer checks. The
| vulnerability arises due to how the `hostname_ascii` variable (with
| a length of 256 bytes) is handled in `uv_getaddrinfo` and
| subsequently in `uv__idna_toascii`. When the hostname exceeds 256
| characters, it gets truncated without a terminating null byte. As a
| result attackers may be able to access internal APIs or for websites
| (similar to MySpace) that allows users to have
| `username.example.com` pages. Internal services that crawl or cache
| these user pages can be exposed to SSRF attacks if a malicious user
| chooses a long vulnerable username. This issue has been addressed in
| release version 1.48.0. Users are advised to upgrade. There are no
| known workarounds for this vulnerability.

Note that the advisory at [1] mentions that affected versions are
only > 1.45.x. Looking at the git changes, is it not introduced after
6dd44caa35b4 ("unix,win: support IDNA 2008 in uv_getaddrinfo()") in
v1.24.0?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24806
    https://www.cve.org/CVERecord?id=CVE-2024-24806
[1] https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
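As an added example (not code from the bug report or from libuv itself): a pre-resolution hostname check in C that refuses, rather than truncates, any name that does not fit the 256-byte buffer together with its NUL terminator, so an over-long `username.example.com` never reaches getaddrinfo in a mangled form. The function names, the HOSTNAME_BUF constant and the 300-character sample name are assumptions and constructed input, not values from the advisory.

```c
#include <ctype.h>
#include <string.h>

/* Added example, not libuv code; 256 mirrors the hostname_ascii buffer size. */
#define HOSTNAME_BUF 256
enum { HOST_OK = 0, HOST_BAD_LENGTH = -1, HOST_BAD_LABEL = -2 };

/* Copy `host` into a fixed 256-byte buffer the way a resolver wrapper should:
 * refuse anything that does not fit together with its NUL terminator instead of
 * silently truncating, and enforce DNS label rules (1..63 letters, digits or
 * hyphens per label, no hyphen at either end of a label). */
int hostname_check_copy(const char *host, char out[HOSTNAME_BUF])
{
    size_t n = strlen(host);
    if (n == 0 || n >= HOSTNAME_BUF)   /* no room for the NUL: reject, never truncate */
        return HOST_BAD_LENGTH;
    size_t label_len = 0;
    for (size_t i = 0; i <= n; i++) {
        char c = host[i];
        if (c == '.' || c == '\0') {
            if (label_len == 0) {
                if (c == '\0') continue;  /* trailing dot ("example.com.") is fine */
                return HOST_BAD_LABEL;    /* empty label: leading dot or ".." */
            }
            if (label_len > 63 || host[i - 1] == '-') return HOST_BAD_LABEL;
            label_len = 0;
            continue;
        }
        if (!isalnum((unsigned char)c) && c != '-') return HOST_BAD_LABEL;
        if (label_len == 0 && c == '-') return HOST_BAD_LABEL;
        label_len++;
    }
    memcpy(out, host, n + 1);          /* n + 1 copies the terminator too */
    return HOST_OK;
}

/* Verdict-only wrapper with its own buffer. */
int hostname_check(const char *host)
{
    char out[HOSTNAME_BUF];
    return hostname_check_copy(host, out);
}

/* Constructed input: a 300-character dotted name, the advisory's "long
 * username" case; the length check must reject it before any copy. */
int demo_long_hostname(void)
{
    static char host[301];
    for (int i = 0; i < 300; i++) host[i] = (i % 50 == 49) ? '.' : 'a';
    host[300] = '\0';
    return hostname_check(host);
}
```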
--- Begin Message ---
Source: libuv1
Source-Version: 1.44.2-1+deb12u1
Done: Dominique Dumont <d...@debian.org>

We believe that the bug you reported is fixed in the latest version of
libuv1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1063...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominique Dumont <d...@debian.org> (supplier of updated libuv1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 20 Feb 2024 18:28:54 +0100
Source: libuv1
Architecture: source
Version: 1.44.2-1+deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Dominique Dumont <d...@debian.org>
Changed-By: Dominique Dumont <d...@debian.org>
Closes: 1063484
Changes:
 libuv1 (1.44.2-1+deb12u1) bookworm-security; urgency=medium
 .
   * add patch to fix CVE-2024-24806 (Closes: 1063484)



--- End Message ---
