Your message dated Sat, 28 Sep 2024 18:49:06 +0000
with message-id <[email protected]>
and subject line Bug#1073249: fixed in booth 1.2-1
has caused the Debian Bug report #1073249,
regarding booth: CVE-2024-3049
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1073249: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073249
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: booth
Version: 1.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/ClusterLabs/booth/pull/142
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for booth.

CVE-2024-3049[0]:
| A flaw was found in Booth, a cluster ticket manager. If a specially-
| crafted hash is passed to gcry_md_get_algo_dlen(), it may allow an
| invalid HMAC to be accepted by the Booth server.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3049
    https://www.cve.org/CVERecord?id=CVE-2024-3049
[1] https://github.com/ClusterLabs/booth/pull/142

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: booth
Source-Version: 1.2-1
Done: Valentin Vidic <[email protected]>

We believe that the bug you reported is fixed in the latest version of
booth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Valentin Vidic <[email protected]> (supplier of updated booth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 28 Sep 2024 20:29:08 +0200
Source: booth
Architecture: source
Version: 1.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian HA Maintainers 
<[email protected]>
Changed-By: Valentin Vidic <[email protected]>
Closes: 1073249
Changes:
 booth (1.2-1) unstable; urgency=medium
 .
   * New upstream version 1.2
     Includes fix for CVE-2024-3049 (Closes: #1073249)
   * d/patches: refresh for new version
Checksums-Sha1:
 1946b1422666649a7c490b43d13f8d95ae86d705 2321 booth_1.2-1.dsc
 c01b989f42d3fde8a88da2e276968094531e2782 138423 booth_1.2.orig.tar.gz
 fef0a6ab418c2ecc3f61c61a32f722735103ef72 8700 booth_1.2-1.debian.tar.xz
 f01f2a42d56a4c4e8b4da77da9c516abf19ae0b4 7562 booth_1.2-1_source.buildinfo
Checksums-Sha256:
 4729a76575bc9acdd35e1b33c69f938cb707846893e90adf4586cf8ee4a26eff 2321 
booth_1.2-1.dsc
 15e9243f59f0f8523cbc82148d38b4e9b345b56acf5d3ed1726252c4a1e6f846 138423 
booth_1.2.orig.tar.gz
 d0dd0f96300e0d9197283237ec0cd8e7c169559422e42cd1dc4ebdc2476467ba 8700 
booth_1.2-1.debian.tar.xz
 705468dd935a183e4de93267d7e64bf512c9286e1c26fb8e9c58ff096b37d711 7562 
booth_1.2-1_source.buildinfo
Files:
 909c0fc5022f2dd142177dd21beeaafa 2321 admin optional booth_1.2-1.dsc
 dddf2b383c5c4f0a14883363614440b6 138423 admin optional booth_1.2.orig.tar.gz
 b711bba0250ad4cd513b335d35a78a3d 8700 admin optional booth_1.2-1.debian.tar.xz
 86697378505a7d9151dbd311423acd80 7562 admin optional 
booth_1.2-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEExaW53cM9k/u2PWfIMofYmpfNqHsFAmb4TewSHHZ2aWRpY0Bk
ZWJpYW4ub3JnAAoJEDKH2JqXzah7Xn0P/3p2HiL/zCQ2NmHoLdkdDY4p588T1MiR
hxhiO4VcywdEH+D8fymVhzPoxluwXjMLV0sRemXnNohNp0qvdm3myA4Iy52PJ9oH
nmxzJTcA11a5Z6dKH8yRgpR9BK5cisgJFnaOI5xwMcA4yL+NFmBCOLwp11XY78aq
F2ebtQaS89bMVZCVuWyBYY6ems2DAgL8JhwTxBUB7ai5He47ApAjzXT14leSinjt
uBSogVLplzk98Y+p3s4OFDGkhQzDhGx22S9WxeR9VUUInhRfhkl+MZ6BADkZWe/O
bVHi6lRJMGsar/w7e/3hTdLXLr6YHaQFqUkXFt5Z5rX6gxiDAcac5mqHChCtp/O9
wkZtZFGG6ie/XhK3IfFl2trlROtPb5fS3/5BVkM/VrVRveEQjsTOLbTM0LtJMOUC
RSggVhIchMwYAw9WH2D+MF97FKIUgQTiO3QSrNiiTBf+gDnI9TDHuUymgJDAj+py
E3Mene+vu3OvJxnEaPgfhNHzBoMKFDJZs4+H19RPREjcxDxNyzrK8bHlHKNcCqu2
0W9MObDwC2KQn4dTzSCf4rBBFt2gmxHD+KKu+PluOCh23NaJ+CgvoNh7pZ0iDMml
J+mtMusbhFEOYEoXzMNFyh13I7CdSzr9NQW3Qb3i8nPWSbptEKXyhim7by1f+43o
a5Fd2xTdMonJ
=1ukW
-----END PGP SIGNATURE-----

Attachment: pgp0lc0JQfSJq.pgp
Description: PGP signature


--- End Message ---

Reply via email to