Bug#867598: marked as done (irssi: CVE-2017-10965 CVE-2017-10966)

2017-08-06 Thread Debian Bug Tracking System
Your message dated Sun, 06 Aug 2017 12:32:10 +
with message-id 
and subject line Bug#867598: fixed in irssi 1.0.2-1+deb9u2
has caused the Debian Bug report #867598,
regarding irssi: CVE-2017-10965 CVE-2017-10966
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
867598: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867598
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: irssi
Version: 0.8.17-1
Severity: important
Tags: upstream patch security fixed-upstream

Hi,

the following vulnerabilities were published for irssi.

CVE-2017-10965[0]:
| An issue was discovered in Irssi before 1.0.4. When receiving messages
| with invalid time stamps, Irssi would try to dereference a NULL
| pointer.

CVE-2017-10966[1]:
| An issue was discovered in Irssi before 1.0.4. While updating the
| internal nick list, Irssi could incorrectly use the GHashTable
| interface and free the nick while updating it. This would then result
| in use-after-free conditions on each access of the hash table.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10965
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10965
[1] https://security-tracker.debian.org/tracker/CVE-2017-10966
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10966
[2] https://irssi.org/security/irssi_sa_2017_07.txt
[3] https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206384d291

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: irssi
Source-Version: 1.0.2-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
irssi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 867...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rhonda D'Vine  (supplier of updated irssi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 03 Aug 2017 15:59:51 -0400
Source: irssi
Binary: irssi irssi-dev
Architecture: source amd64
Version: 1.0.2-1+deb9u2
Distribution: stretch
Urgency: high
Maintainer: Rhonda D'Vine 
Changed-By: Rhonda D'Vine 
Description:
 irssi  - terminal based IRC client
 irssi-dev  - terminal based IRC client - development files
Closes: 867598
Changes:
 irssi (1.0.2-1+deb9u2) stretch; urgency=high
 .
   * Security related update pulling upstream 5e26325317 (closes: 867598):
     - Fix null pointer dereference (CVE-2017-10965)
     - Fix use-after-free condition for nicklist (CVE-2017-10966)

Bug#867598: marked as done (irssi: CVE-2017-10965 CVE-2017-10966)

2017-07-12 Thread Debian Bug Tracking System
Your message dated Wed, 12 Jul 2017 06:35:06 +
with message-id 
and subject line Bug#867598: fixed in irssi 1.0.4-1
has caused the Debian Bug report #867598,
regarding irssi: CVE-2017-10965 CVE-2017-10966
to be marked as done.

--- Begin Message ---
Source: irssi
Source-Version: 1.0.4-1


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 11 Jul 2017 07:17:19 +0200
Source: irssi
Binary: irssi irssi-dev
Architecture: source amd64
Version: 1.0.4-1
Distribution: unstable
Urgency: high
Maintainer: Rhonda D'Vine 
Changed-By: Rhonda D'Vine 
Description:
 irssi  - terminal based IRC client
 irssi-dev  - terminal based IRC client - development files
Closes: 867598
Changes:
 irssi (1.0.4-1) unstable; urgency=high
 .
   * New upstream bugfix release (closes: #867598):
     - Fix null pointer dereference when parsing invalid timestamp.
       Reported by Brian 'geeknik' Carpenter. [CVE-2017-10965]
     - Fix use-after-free condition when removing nicks from the internal
       nicklist. Reported by Brian 'geeknik' Carpenter. [CVE-2017-10966]
     - Fix incorrect string comparison in DCC file names.
     - Fix regression in Irssi 1.0.3 where it would claim "Invalid time '-1'".
     - Fix a bug when using \n to separate lines with expand_escapes.
     - Retain screen output on improper exit, to better see any error
       messages.
     - Minor help update.