Your message dated Sat, 27 Apr 2019 11:14:32 +0100
with message-id <[email protected]>
and subject line Closing bugs for updates included in 9.9
has caused the Debian Bug report #923323,
regarding stretch-pu: CVE-2018-1000872: package python-pykmip/0.5.0-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
923323: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923323
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: important
Tags: stretch
User: [email protected]
Usertags: pu

Dear release team,

Here's the changelog entry:

+  * CVE-2018-1000872: Resource Management Errors (similar issue to
+    CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the
+    server can be made unavailable by one or more clients opening all of the
+    available sockets. Applied upstream patch: Fix a denial-of-service bug by
+    setting the server socket timeout (Closes: #917030).

The security team doesn't think a DSA is needed. Debdiff is attached. The
resulting package is here:

http://sid.gplhost.com/stretch-proposed-updates/python-pykmip/

Please allow me to upload python-pykmip/0.5.0-4+deb9u1 to Stretch-proposed.

Cheers,

Thomas Goirand (zigo)
diff -Nru python-pykmip-0.5.0/debian/changelog 
python-pykmip-0.5.0/debian/changelog
--- python-pykmip-0.5.0/debian/changelog        2016-12-02 21:49:06.000000000 
+0000
+++ python-pykmip-0.5.0/debian/changelog        2019-02-24 16:43:42.000000000 
+0000
@@ -1,3 +1,13 @@
+python-pykmip (0.5.0-4+deb9u1) stretch; urgency=medium
+
+  * CVE-2018-1000872: Resource Management Errors (similar issue to
+    CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the
+    server can be made unavailable by one or more clients opening all of the
+    available sockets. Applied upstream patch: Fix a denial-of-service bug by
+    setting the server socket timeout (Closes: #917030).
+
+ -- Thomas Goirand <[email protected]>  Sun, 24 Feb 2019 17:43:42 +0100
+
 python-pykmip (0.5.0-4) unstable; urgency=medium
 
   * Team upload.
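Review bot: in the new changelog entry (the `+  * CVE-2018-1000872:` lines) write `DoS` rather than `DOS`, and the description promises slightly more than the diff below delivers: the only code change is a 10-second default socket timeout plus a retry on `accept()`, so the fix bounds how long an idle connection can hold a socket but adds no limit on concurrent connections. Suggest wording it as mitigating the resource exhaustion, e.g. "bound the time a hung connection can hold a server socket", so that operators reading the changelog know what the update does and does not change.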
diff -Nru 
python-pykmip-0.5.0/debian/patches/CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch
 
python-pykmip-0.5.0/debian/patches/CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch
--- 
python-pykmip-0.5.0/debian/patches/CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch
  1970-01-01 00:00:00.000000000 +0000
+++ 
python-pykmip-0.5.0/debian/patches/CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch
  2019-02-24 16:43:42.000000000 +0000
@@ -0,0 +1,54 @@
+Description: CVE-2018-1000872: Fix a denial-of-service bug by setting the 
server socket timeout
+ This change fixes a potential denial-of-service bug with the
+ server, setting a default timeout for all server sockets. This
+ allows the server to drop hung connections without blocking
+ forever. The interrupt triggered during accept calls is expected
+ and is now handled appropriately. Server unit tests have been
+ updated to reflect this change.
+Author: Peter Hamilton <[email protected]>
+Date: Tue, 24 Apr 2018 21:57:20 -0400
+Origin: upstream, 
https://github.com/OpenKMIP/PyKMIP/commit/3a7b880bdf70d295ed8af3a5880bab65fa6b3932
+Bug-Debian: https://bugs.debian.org/917030
+Last-Update: 2019-02-24
+
+Index: python-pykmip/kmip/services/server/server.py
+===================================================================
+--- python-pykmip.orig/kmip/services/server/server.py
++++ python-pykmip/kmip/services/server/server.py
+@@ -176,6 +176,7 @@ class KmipServer(object):
+         self._logger.info("Starting server socket handler.")
+ 
+         # Create a TCP stream socket and configure it for immediate reuse.
++        socket.setdefaulttimeout(10)
+         self._socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+         self._socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+ 
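Review bot: `socket.setdefaulttimeout(10)` is process-wide, not scoped to the server socket: every socket created afterwards in this interpreter gets the 10-second timeout, which covers the connections returned by `accept()` (the intent) but also any client or library socket the same process opens. The patch header calls this "a default timeout for all server sockets", which is narrower than what the call does. Consider `self._socket.settimeout(10)` on the listening socket plus `settimeout()` on each accepted connection, or at least lift the literal `10` into a named constant or configuration value so operators can tune it for slow clients.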
+@@ -283,6 +284,11 @@ class KmipServer(object):
+         while self._is_serving:
+             try:
+                 connection, address = self._socket.accept()
++            except socket.timeout:
++                # Setting the default socket timeout to break hung connections
++                # will cause accept to periodically raise socket.timeout. This
++                # is expected behavior, so ignore it and retry accept.
++                pass
+             except socket.error as e:
+                 if e.errno == errno.EINTR:
+                     self._logger.warning("Interrupting connection service.")
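Review bot: the new `except socket.timeout:` clause must stay ahead of `except socket.error` (as it does here), because `socket.timeout` is a subclass of `socket.error`; reordered, a timeout would land in the `socket.error` handler where `e.errno` is `None` and the `EINTR` check does not apply. A one-line comment stating that ordering requirement would protect against a later refactor. Also, `pass` falls through to whatever follows the `try` block in the loop body, which the hunk does not show; please confirm that code does not use `connection` or `address` on the timeout path, or use `continue` instead of `pass` to make the retry explicit.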
+Index: python-pykmip/kmip/tests/unit/services/server/test_server.py
+===================================================================
+--- python-pykmip.orig/kmip/tests/unit/services/server/test_server.py
++++ python-pykmip/kmip/tests/unit/services/server/test_server.py
+@@ -342,7 +342,11 @@ class TestKmipServer(testtools.TestCase)
+ 
+         # Test the expected behavior for a normal server/interrupt sequence
+         s._socket.accept = mock.MagicMock(
+-            side_effect=[('connection', 'address'), expected_error]
++            side_effect=[
++                ('connection', 'address'),
++                socket.timeout,
++                expected_error
++            ]
+         )
+ 
+         s.serve()
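Review bot: inserting `socket.timeout` between the successful accept and `expected_error` only proves the loop survives a timeout indirectly (an escaped `socket.timeout` would surface as an unexpected exception). Adding an explicit assertion after `s.serve()` that `s._socket.accept.call_count == 3` (hypothetical addition, not in the hunk) would make the retry behaviour the thing under test rather than a side effect. Also confirm that `socket` is imported in `test_server.py`; the hunk shows only its use.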
diff -Nru python-pykmip-0.5.0/debian/patches/series 
python-pykmip-0.5.0/debian/patches/series
--- python-pykmip-0.5.0/debian/patches/series   1970-01-01 00:00:00.000000000 
+0000
+++ python-pykmip-0.5.0/debian/patches/series   2019-02-24 16:43:42.000000000 
+0000
@@ -0,0 +1 @@
+CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch

--- End Message ---
--- Begin Message ---
Version: 9.9

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---