Bug#944012: freetds: CVE-2019-13508: Heap overflow in FreeTDS if UDT type is used with protocol 5.0
Hi Steve,

On Wed, Nov 06, 2019 at 10:10:23AM -0800, Steve Langasek wrote:
> Hello,
>
> On Sat, Nov 02, 2019 at 08:59:25PM +0100, Salvatore Bonaccorso wrote:
> > Source: freetds
> > Version: 1.1.6-1
> > Severity: important
> > Tags: security upstream fixed-upstream
> > Control: found -1 1.00.104-1
>
> > The following vulnerability was published for freetds.
>
> > CVE-2019-13508[0]:
> > | FreeTDS through 1.1.11 has a Buffer Overflow.
>
> Where does this "1.1.11" number come from? I do not see any releases newer
> than 1.1.6 upstream.

The CVE assignment was acknowledged by upstream in the launchpad bug
1835896. MITRE descriptions in any case should not be trusted 1-1 and in
this case it even was very minimalistic.

In any case the fix is the upstream commit
0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac in the git repository on github.

But I notice on https://www.freetds.org/software.html that the current
stable version should be 1.1.20 and the respective commits there, while they
are on the master branch, the releases seem not tagged.

Does this help?

Regards,
Salvatore
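The situation in the reply above (the fix commit is on the master branch, but the releases on the project site do not appear as git tags) is a common one for distribution security teams, and the practical question is whether a given fix commit is already contained in a tagged release or has to be cherry-picked. The following POSIX shell script is an added example written for this page; it is not code from the bug thread, from Debian, or from FreeTDS. It assumes `git` is installed and builds a throwaway repository inline, whose tag names (`v1.1.6`, `v1.1.20`) and commit messages are constructed for the demonstration and do not reproduce real FreeTDS history. To use it on a real checkout, call `fix_status /path/to/freetds 0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac`.

```shell
#!/bin/sh
# Added example (not part of the bug thread or of FreeTDS): report whether a
# fix commit is contained in a tagged release, is only reachable from HEAD
# (untagged, the case described in the thread), or is absent from the
# checkout. A throwaway repository is constructed below so this runs offline.
set -eu

# Fixed identity so commits succeed on any machine without touching the
# user's global git configuration.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# fix_status REPO COMMIT
#   returns 0: COMMIT is contained in at least one tag (tags are printed)
#   returns 1: COMMIT is reachable from HEAD but no tag contains it
#   returns 2: COMMIT is unknown here, or not reachable from HEAD
fix_status() {
    repo=$1
    commit=$2
    # Resolve the object first; an unknown hash would make the later
    # commands error out instead of giving a clean answer.
    if ! git -C "$repo" cat-file -e "$commit^{commit}" 2>/dev/null; then
        printf '%s: commit not present in this checkout\n' "$commit"
        return 2
    fi
    tags=$(git -C "$repo" tag --contains "$commit")
    if [ -n "$tags" ]; then
        printf '%s: contained in tagged release(s): %s\n' \
            "$commit" "$(printf '%s' "$tags" | tr '\n' ' ')"
        return 0
    fi
    if git -C "$repo" merge-base --is-ancestor "$commit" HEAD; then
        printf '%s: on HEAD but in no release tag; cherry-pick it\n' "$commit"
        return 1
    fi
    printf '%s: present but not reachable from HEAD\n' "$commit"
    return 2
}

# commit_empty REPO MESSAGE: an empty commit, with signing disabled so a
# global commit.gpgsign setting cannot break the demonstration.
commit_empty() {
    git -C "$1" -c commit.gpgsign=false commit -q --allow-empty -m "$2"
}

# make_demo_repo: prints the path of a constructed repository whose history
# is: tagged release v1.1.6, then the "fix" commit (hash saved in .fixcommit),
# then further development on HEAD that no tag covers.
make_demo_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    commit_empty "$repo" "release 1.1.6 (constructed history)"
    git -C "$repo" tag v1.1.6
    commit_empty "$repo" "fix: stand-in for the upstream security fix (constructed)"
    git -C "$repo" rev-parse HEAD > "$repo/.fixcommit"
    commit_empty "$repo" "later development, still untagged (constructed)"
    printf '%s\n' "$repo"
}

# Demonstration run on the constructed repository.
demo=$(make_demo_repo)
fix=$(cat "$demo/.fixcommit")
fix_status "$demo" "$fix" || true        # status 1: on HEAD, no tag contains it
git -C "$demo" tag v1.1.20               # pretend upstream tags the release
fix_status "$demo" "$fix" || true        # status 0: contained in v1.1.20
fix_status "$demo" 0000000000000000000000000000000000000000 || true   # status 2
rm -rf "$demo"
```

The `merge-base --is-ancestor` step is what distinguishes "upstream has fixed it on master" from "the commit is not here at all"; `git tag --contains` alone returns nothing in both cases, which is exactly the ambiguity the thread ran into when the version in the CVE text did not match any tagged release.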
Bug#944012: freetds: CVE-2019-13508: Heap overflow in FreeTDS if UDT type is used with protocol 5.0
Hello,

On Sat, Nov 02, 2019 at 08:59:25PM +0100, Salvatore Bonaccorso wrote:
> Source: freetds
> Version: 1.1.6-1
> Severity: important
> Tags: security upstream fixed-upstream
> Control: found -1 1.00.104-1

> The following vulnerability was published for freetds.

> CVE-2019-13508[0]:
> | FreeTDS through 1.1.11 has a Buffer Overflow.

Where does this "1.1.11" number come from? I do not see any releases newer
than 1.1.6 upstream.

> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-13508
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13508
> [1] https://github.com/FreeTDS/freetds/commit/0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac
> [2] https://bugs.launchpad.net/bugs/1835896
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1736255
> [4] https://bugzilla.novell.com/show_bug.cgi?id=1141132
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                 https://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
Bug#944012: freetds: CVE-2019-13508: Heap overflow in FreeTDS if UDT type is used with protocol 5.0
Source: freetds
Version: 1.1.6-1
Severity: important
Tags: security upstream fixed-upstream
Control: found -1 1.00.104-1

Hi,

The following vulnerability was published for freetds.

CVE-2019-13508[0]:
| FreeTDS through 1.1.11 has a Buffer Overflow.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13508
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13508
[1] https://github.com/FreeTDS/freetds/commit/0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac
[2] https://bugs.launchpad.net/bugs/1835896
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1736255
[4] https://bugzilla.novell.com/show_bug.cgi?id=1141132

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore