Package: release.debian.org Severity: normal bro/2.5.5-1 (unstable, testing) is affected by CVE-2018-16807, CVE-2018-17019 (#908614, #908779) and bro/2.6.1+ds1-1 is still sitting in NEW.
May I upload bro/2.5.5-1+deb10u1 to buster? I have attached a debdiff. Cheers, -Hilko
diff -Nru bro-2.5.5/debian/changelog bro-2.5.5/debian/changelog
--- bro-2.5.5/debian/changelog 2019-06-25 21:26:53.000000000 +0200
+++ bro-2.5.5/debian/changelog 2018-09-05 16:05:40.000000000 +0200
@@ -1,10 +1,3 @@
-bro (2.5.5-1+deb10u1) buster; urgency=medium
-
- * Add patches for CVE-2018-16807, CVE-2018-17019 (Closes: #908614,
- #908779)
-
- -- Hilko Bengen <[email protected]> Tue, 25 Jun 2019 21:26:53 +0200
-
 bro (2.5.5-1) unstable; urgency=medium
 
 * New upstream version 2.5.5
diff -Nru bro-2.5.5/debian/patches/0006-Fix-potential-memory-leak-in-Kerberos-scripts.patch bro-2.5.5/debian/patches/0006-Fix-potential-memory-leak-in-Kerberos-scripts.patch
--- bro-2.5.5/debian/patches/0006-Fix-potential-memory-leak-in-Kerberos-scripts.patch 2019-06-25 21:26:53.000000000 +0200
+++ bro-2.5.5/debian/patches/0006-Fix-potential-memory-leak-in-Kerberos-scripts.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,38 +0,0 @@
-From: Jon Siwek <[email protected]>
-Date: Mon, 10 Sep 2018 18:06:07 -0500
-Subject: Fix potential memory leak in Kerberos scripts
-
-Reported by Maksim Shudrak.
-
----
-
-Stripped files:
- testing/btest/Traces/krb/optional-service-name.pcap
- testing/btest/core/leaks/krb-service-name.test
-
----
-
-diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.bro
-index 02abced..9621378 100644
---- a/scripts/base/protocols/krb/main.bro
-+++ b/scripts/base/protocols/krb/main.bro
-@@ -140,7 +140,8 @@ event krb_as_request(c: connection, msg: KDC_Request) &priority=5
-
- c$krb$request_type = "AS";
- c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg$service_realm);
-- c$krb$service = msg$service_name;
-+ if ( msg?$service_name )
-+ c$krb$service = msg$service_name;
-
- if ( msg?$from )
- c$krb$from = msg$from;
-@@ -183,7 +184,8 @@ event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5
- return;
-
- c$krb$request_type = "TGS";
-- c$krb$service = msg$service_name;
-+ if ( msg?$service_name )
-+ c$krb$service = msg$service_name;
- if ( msg?$from )
- c$krb$from = msg$from;
- c$krb$till = msg$till;
diff -Nru bro-2.5.5/debian/patches/0007-Fix-IRC-names-command-parsing.patch bro-2.5.5/debian/patches/0007-Fix-IRC-names-command-parsing.patch
--- bro-2.5.5/debian/patches/0007-Fix-IRC-names-command-parsing.patch 2019-06-25 21:24:57.000000000 +0200
+++ bro-2.5.5/debian/patches/0007-Fix-IRC-names-command-parsing.patch 1970-01-01 01:00:00.000000000 +0100
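Review bot: In the krb_tgs_request hunk of the embedded 0006 patch, `c$krb$till = msg$till;` is still assigned without a presence check, while `service_name` and `from` are both guarded with `?$`. If `till` is declared `&optional` in `KDC_Request` (the record definition is not visible here), a request that omits it would presumably reach the same failure path this patch closes for `service_name`; if it is mandatory, a short comment such as `# till is a required KDC_Request field` would record why it needs no guard. Both event handlers start and end outside the quoted hunks. Separately, the debdiff direction is reversed: the `---` side carries the 2019-06-25 `+deb10u1` files and the `+++` side the 2018 ones, so the patch file shows as removed rather than added, and the diff should be regenerated old-to-new before the upload is assessed.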
@@ -1,35 +0,0 @@
-From: Jon Siwek <[email protected]>
-Date: Wed, 12 Sep 2018 19:47:57 -0500
-Subject: Fix IRC names command parsing
-
----
-
-Stripped files:
- testing/btest/Traces/irc-353.pcap
- testing/btest/scripts/base/protocols/irc/names-weird.bro
- testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log
-
----
-
-diff --git a/src/analyzer/protocol/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc
-index a26045f..de8846c 100644
---- a/src/analyzer/protocol/irc/IRC.cc
-+++ b/src/analyzer/protocol/irc/IRC.cc
-@@ -252,14 +252,15 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
- {
- vector<string> parts = SplitWords(params, ' ');
-
-- // Remove nick name.
-- parts.erase(parts.begin());
-- if ( parts.size() < 2 )
-+ if ( parts.size() < 3 )
- {
- Weird("irc_invalid_names_line");
- return;
- }
-
-+ // Remove nick name.
-+ parts.erase(parts.begin());
-+
- string type = parts[0];
- string channel = parts[1];
diff -Nru bro-2.5.5/debian/patches/series bro-2.5.5/debian/patches/series
--- bro-2.5.5/debian/patches/series 2019-05-11 00:56:50.000000000 +0200
+++ bro-2.5.5/debian/patches/series 2018-06-17 12:44:48.000000000 +0200
@@ -3,5 +3,3 @@
 0003-Fix-btest-paths.patch
 0004-Port-most-of-bro-to-OpenSSL-1.1.patch
 0005-Disable-OCSP-features-that-can-t-yet-be-ported-to-Op.patch
-0006-Fix-potential-memory-leak-in-Kerberos-scripts.patch
-0007-Fix-IRC-names-command-parsing.patch
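Review bot: The new bound `parts.size() < 3` in the embedded 0007 patch is a bare number whose meaning depends on the erase that now follows it. A comment on the check, e.g. `// Need nick, type and channel: parts[0] and parts[1] are read once the nick is dropped.`, would keep the two in step if the parsing changes. The patch header lists the pcap trace, the btest script and its baseline as stripped, so the regression test for this fix is not shipped in the package and the build cannot confirm it; the upload request should say how the fix was verified. DeliverStream continues outside the hunk, so any later indexing into `parts` is not visible here and is not covered by this check as far as the page shows.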

