Your message dated Mon, 29 May 2017 22:18:52 +0000
with message-id <[email protected]>
and subject line Bug#863277: fixed in systemd 232-24
has caused the Debian Bug report #863277,
regarding systemd: CVE-2017-9217: systemd-resolved crashed with SIGSEGV in
dns_packet_is_reply_for()
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
863277: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863277
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: systemd
Version: 232-23
Severity: important
Tags: patch upstream security
Forwarded: https://github.com/systemd/systemd/pull/5998
Hi,
the following vulnerability was published for systemd.
CVE-2017-9217[0]:
| systemd-resolved through 233 allows remote attackers to cause a denial
| of service (daemon crash) via a crafted DNS response with an empty
| question section.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-9217
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9217
[1] https://github.com/systemd/systemd/pull/5998
[2] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1621396
[3] https://bugzilla.novell.com/show_bug.cgi?id=1040614
Please adjust the affected versions in the BTS as needed. I think the
version in jessie should not be affected; unless I'm wrong (and then
please correct me) the resolved: DNS client stub resolver was only
introduced post v216, and the issue maybe even later (post v219). But
it would be greatly appreciated if you can confirm that.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: systemd
Source-Version: 232-24
We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <[email protected]> (supplier of updated systemd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 29 May 2017 16:25:43 +0200
Source: systemd
Binary: systemd systemd-sysv systemd-container systemd-journal-remote
systemd-coredump libpam-systemd libnss-myhostname libnss-mymachines
libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1
libudev-dev udev-udeb libudev1-udeb
Architecture: source
Version: 232-24
Distribution: unstable
Urgency: medium
Maintainer: Debian systemd Maintainers
<[email protected]>
Changed-By: Michael Biebl <[email protected]>
Description:
libnss-myhostname - nss module providing fallback resolution for the current
hostname
libnss-mymachines - nss module to resolve hostnames for local container
instances
libnss-resolve - nss module to resolve names via systemd-resolved
libnss-systemd - nss module providing dynamic user and group name resolution
libpam-systemd - system and service manager - PAM module
libsystemd-dev - systemd utility library - development files
libsystemd0 - systemd utility library
libudev-dev - libudev development files
libudev1 - libudev shared library
libudev1-udeb - libudev shared library (udeb)
systemd - system and service manager
systemd-container - systemd container/nspawn tools
systemd-coredump - tools for storing and retrieving coredumps
systemd-journal-remote - tools for sending and receiving remote journal logs
systemd-sysv - system and service manager - SysV links
udev - /dev/ and hotplug management daemon
udev-udeb - /dev/ and hotplug management daemon (udeb)
Closes: 862292 863277
Changes:
systemd (232-24) unstable; urgency=medium
.
[ Felipe Sateler ]
* Specify nobody user and group.
Otherwise nss-systemd will translate to group 'nobody', which doesn't
exist on debian systems.
.
[ Michael Biebl ]
* Add Depends: procps to systemd.
It's required by /usr/lib/systemd/user/systemd-exit.service which calls
/bin/kill to stop the systemd --user instance. (Closes: #862292)
* resolved: fix null pointer p->question dereferencing.
This fixes a bug which allowed a remote DoS (daemon crash) via a crafted
DNS response with an empty question section.
Fixes: CVE-2017-9217 (Closes: #863277)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
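The failure mode named in the changelog above (a response whose question section is empty, then a dereference of the missing question), shown as an added example that is not systemd's code and not part of the original messages. The structs, function names and sample packets are hypothetical and constructed for illustration; the parser handles uncompressed labels only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical, simplified model of a parsed DNS packet (not systemd's types). */
struct question { size_t n_keys; uint16_t type; char name[256]; };
struct packet { uint16_t flags; struct question *question; struct question storage; };

/* Constructed samples: a response with QDCOUNT=0, and one asking example.com A. */
static const uint8_t EMPTY_Q[] = {0x12,0x34, 0x81,0x80, 0,0, 0,0, 0,0, 0,0};
static const uint8_t WITH_Q[] = {0x12,0x34, 0x81,0x80, 0,1, 0,0, 0,0, 0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1};

/* Parse header and first question; p->question stays NULL when QDCOUNT is 0. */
static int parse_packet(const uint8_t *buf, size_t len, struct packet *p) {
    size_t off = 12, n = 0;
    memset(p, 0, sizeof *p);
    if (len < 12) return -1;                       /* shorter than a DNS header */
    p->flags = (uint16_t)(buf[2] << 8 | buf[3]);
    p->storage.n_keys = (size_t)(buf[4] << 8 | buf[5]);
    if (p->storage.n_keys == 0) return 0;          /* empty question section */
    while (off < len && buf[off] != 0) {
        uint8_t l = buf[off++];
        if (l > 63 || off + l > len || n + l + 1 >= sizeof p->storage.name) return -1;
        memcpy(p->storage.name + n, buf + off, l);
        off += l; n += l; p->storage.name[n++] = '.';
    }
    if (off + 5 > len) return -1;                  /* root label, QTYPE, QCLASS */
    p->storage.type = (uint16_t)(buf[off + 1] << 8 | buf[off + 2]);
    p->question = &p->storage;
    return 0;
}

/* 1 if p is a response whose only question is (name, type); 0 otherwise. */
static int is_reply_for(const struct packet *p, const char *name, uint16_t type) {
    if (!(p->flags & 0x8000)) return 0;            /* QR clear: not a response */
    if (!p->question) return 0;                    /* without this, NULL is dereferenced below */
    if (p->question->n_keys != 1) return 0;
    return p->question->type == type && strcmp(p->question->name, name) == 0;
}

/* Parse then match; -1 for a malformed packet. Name comparison is case-sensitive here. */
static int reply_matches(const uint8_t *buf, size_t len, const char *name, uint16_t type) {
    struct packet p;
    return parse_packet(buf, len, &p) < 0 ? -1 : is_reply_for(&p, name, type);
}
int main(void) {
    printf("empty=%d match=%d\n", reply_matches(EMPTY_Q, sizeof EMPTY_Q, "example.com.", 1),
           reply_matches(WITH_Q, sizeof WITH_Q, "example.com.", 1));
    return 0;
}
```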