Bug#867598: marked as done (irssi: CVE-2017-10965 CVE-2017-10966)
Your message dated Sun, 06 Aug 2017 12:32:10 +
with message-id and subject line Bug#867598: fixed in irssi 1.0.2-1+deb9u2
has caused the Debian Bug report #867598,
regarding irssi: CVE-2017-10965 CVE-2017-10966
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
867598: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867598
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: irssi
Version: 0.8.17-1
Severity: important
Tags: upstream patch security fixed-upstream

Hi,

the following vulnerabilities were published for irssi.

CVE-2017-10965[0]:
| An issue was discovered in Irssi before 1.0.4. When receiving messages
| with invalid time stamps, Irssi would try to dereference a NULL
| pointer.

CVE-2017-10966[1]:
| An issue was discovered in Irssi before 1.0.4. While updating the
| internal nick list, Irssi could incorrectly use the GHashTable
| interface and free the nick while updating it. This would then result
| in use-after-free conditions on each access of the hash table.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10965
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10965
[1] https://security-tracker.debian.org/tracker/CVE-2017-10966
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10966
[2] https://irssi.org/security/irssi_sa_2017_07.txt
[3] https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206384d291

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: irssi
Source-Version: 1.0.2-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
irssi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 867...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rhonda D'Vine (supplier of updated irssi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 03 Aug 2017 15:59:51 -0400
Source: irssi
Binary: irssi irssi-dev
Architecture: source amd64
Version: 1.0.2-1+deb9u2
Distribution: stretch
Urgency: high
Maintainer: Rhonda D'Vine
Changed-By: Rhonda D'Vine
Description:
 irssi - terminal based IRC client
 irssi-dev - terminal based IRC client - development files
Closes: 867598
Changes:
 irssi (1.0.2-1+deb9u2) stretch; urgency=high
 .
   * Security related update pulling upstream 5e26325317 (closes: 867598):
     - Fix null pointer dereference (CVE-2017-10965)
     - Fix use-after-free condition for nicklist (CVE-2017-10966)

Bug#867598: marked as done (irssi: CVE-2017-10965 CVE-2017-10966)
Your message dated Wed, 12 Jul 2017 06:35:06 +
with message-id and subject line Bug#867598: fixed in irssi 1.0.4-1
has caused the Debian Bug report #867598,
regarding irssi: CVE-2017-10965 CVE-2017-10966
to be marked as done.

--- Begin Message ---
Source: irssi
Source-Version: 1.0.4-1

We believe that the bug you reported is fixed in the latest version of
irssi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 867...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rhonda D'Vine (supplier of updated irssi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 11 Jul 2017 07:17:19 +0200
Source: irssi
Binary: irssi irssi-dev
Architecture: source amd64
Version: 1.0.4-1
Distribution: unstable
Urgency: high
Maintainer: Rhonda D'Vine
Changed-By: Rhonda D'Vine
Description:
 irssi - terminal based IRC client
 irssi-dev - terminal based IRC client - development files
Closes: 867598
Changes:
 irssi (1.0.4-1) unstable; urgency=high
 .
   * New upstream bugfix release (closes: #867598):
     - Fix null pointer dereference when parsing invalid timestamp. Reported
       by Brian 'geeknik' Carpenter. [CVE-2017-10965]
     - Fix use-after-free condition when removing nicks from the internal
       nicklist. Reported by Brian 'geeknik' Carpenter. [CVE-2017-10966]
     - Fix incorrect string comparison in DCC file names.
     - Fix regression in Irssi 1.0.3 where it would claim "Invalid time '-1'".
     - Fix a bug when using \n to separate lines with expand_escapes.
     - Retain screen output on improper exit, to better see any error
       messages.
     - Minor help update.