Your message dated Thu, 19 Jan 2017 17:49:05 +0000
with message-id <e1cugpd-0001sr...@fasolo.debian.org>
and subject line Bug#851612: fixed in opus 1.2~alpha2-1
has caused the Debian Bug report #851612,
regarding opus: CVE-2017-0381: Memory corruption during media file and data 
processing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
851612: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851612
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: opus
Version: 1.1-2
Severity: grave
Tags: upstream security patch
Justification: user security hole

Hi,

the following vulnerability was published for opus.

CVE-2017-0381[0]:
Memory corruption during media file and data processing

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-0381
[1] https://github.com/xiph/opus/commit/79e8f527b0344b0897a65be35e77f7885bd99409

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: opus
Source-Version: 1.2~alpha2-1

We believe that the bug you reported is fixed in the latest version of
opus, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 851...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ron Lee <r...@debian.org> (supplier of updated opus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 20 Jan 2017 02:48:31 +1030
Source: opus
Binary: libopus0 libopus-dev libopus-dbg libopus-doc
Architecture: source amd64 all
Version: 1.2~alpha2-1
Distribution: unstable
Urgency: medium
Maintainer: Ron Lee <r...@debian.org>
Changed-By: Ron Lee <r...@debian.org>
Description:
 libopus-dbg - debugging symbols for libopus
 libopus-dev - Opus codec library development files
 libopus-doc - libopus API documentation
 libopus0   - Opus codec runtime library
Closes: 851612
Changes:
 opus (1.2~alpha2-1) unstable; urgency=medium
 .
   * Run the tonality analysis at 24 kHz, which reduces complexity while giving
     better frequency resolution for the tonality estimate.
   * Speech quality improvements especially in the 12-20 kbit/s range.
   * Improved VBR encoding for hybrid mode.
   * More aggressive use of wider speech bandwidth, including fullband speech
     starting at 14 kbit/s.
   * Music quality improvements in the 32-48 kb/s range.
   * Generic and SSE CELT optimizations.
   * Support for directly encoding packets up to 120 ms.
   * DTX support for CELT mode.
   * SILK CBR improvements.
   * Ensure that NLSF cannot be negative when computing a min distance between
     them.  This was reported and fixed in July, and assessed as having only a
     relatively minor impact (garbage output, from the garbage input needed to
     trigger it), or at very worst, an assertion failure or simple crash from
     a slightly out of bounds read.  In December it was assigned CVE-2017-0381
     by someone other than the upstream developers, with claims of it being a
     'Critical' issue on Android, but we're yet to see any analysis to back
     that up.  Closes: #851612

--- End Message ---
