Bug#1015873: marked as done (libtirpc: CVE-2021-46828)

2022-08-13 Thread Debian Bug Tracking System
Your message dated Sat, 13 Aug 2022 18:17:38 +
with message-id 
and subject line Bug#1015873: fixed in libtirpc 1.3.1-1+deb11u1
has caused the Debian Bug report #1015873,
regarding libtirpc: CVE-2021-46828
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1015873: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015873
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libtirpc
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for libtirpc.

CVE-2021-46828[0]:
| In libtirpc before 1.3.3rc1, remote attackers could exhaust the file
| descriptors of a process that uses libtirpc because idle TCP
| connections are mishandled. This can, in turn, lead to an svc_run
| infinite loop without accepting new connections.

Patch:
http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-46828
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46828

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: libtirpc
Source-Version: 1.3.1-1+deb11u1
Done: Salvatore Bonaccorso 

We believe that the bug you reported is fixed in the latest version of
libtirpc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1015...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated libtirpc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 01 Aug 2022 16:26:18 +0200
Source: libtirpc
Architecture: source
Version: 1.3.1-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Josue Ortega 
Changed-By: Salvatore Bonaccorso 
Closes: 1015873
Changes:
 libtirpc (1.3.1-1+deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix DoS vulnerability in libtirpc (CVE-2021-46828) (Closes: #1015873)

--- End Message ---


Bug#1015873: marked as done (libtirpc: CVE-2021-46828)

2022-08-05 Thread Debian Bug Tracking System
Your message dated Fri, 05 Aug 2022 19:35:21 +
with message-id 
and subject line Bug#1015873: fixed in libtirpc 1.3.2-2.1
has caused the Debian Bug report #1015873,
regarding libtirpc: CVE-2021-46828
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1015873: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015873
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libtirpc
Source-Version: 1.3.2-2.1
Done: Salvatore Bonaccorso 

We believe that the bug you reported is fixed in the latest version of
libtirpc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1015...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso  (supplier of updated libtirpc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 01 Aug 2022 16:26:18 +0200
Source: libtirpc
Architecture: source
Version: 1.3.2-2.1
Distribution: unstable
Urgency: medium
Maintainer: Josue Ortega 
Changed-By: Salvatore Bonaccorso 
Closes: 1015873
Changes:
 libtirpc (1.3.2-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix DoS vulnerability in libtirpc (CVE-2021-46828) (Closes: #1015873)

--- End Message ---