Bug#924350: marked as done (libofx: CVE-2019-9656)
Your message dated Sat, 09 Nov 2019 20:35:05 +
with message-id
and subject line Bug#924350: fixed in libofx 1:0.9.14-1+deb10u1
has caused the Debian Bug report #924350,
regarding libofx: CVE-2019-9656
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
924350: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924350
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: libofx
Version: 1:0.9.14-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libofx/libofx/issues/22

Hi,

The following vulnerability was published for libofx.

CVE-2019-9656[0]:
| An issue was discovered in LibOFX 0.9.14. There is a NULL pointer
| dereference in the function OFXApplication::startElement in the file
| lib/ofx_sgml.cpp, as demonstrated by ofxdump.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9656
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9656
[1] https://github.com/libofx/libofx/issues/22

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libofx
Source-Version: 1:0.9.14-1+deb10u1

We believe that the bug you reported is fixed in the latest version of
libofx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.
If you have further comments please address them to 924...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dylan Aïssi (supplier of updated libofx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Wed, 23 Oct 2019 08:04:35 +0200
Source: libofx
Architecture: source
Version: 1:0.9.14-1+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Dylan Aïssi
Changed-By: Dylan Aïssi
Closes: 924350
Changes:
 libofx (1:0.9.14-1+deb10u1) buster; urgency=medium
 .
   * Add upstream patch to fix CVE-2019-9656 (Closes: #924350).
--- End Message ---
Bug#924350: marked as done (libofx: CVE-2019-9656)
Your message dated Mon, 14 Oct 2019 20:44:57 +
with message-id
and subject line Bug#924350: fixed in libofx 1:0.9.15-1
has caused the Debian Bug report #924350,
regarding libofx: CVE-2019-9656
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
924350: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924350
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: libofx
Version: 1:0.9.14-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libofx/libofx/issues/22

Hi,

The following vulnerability was published for libofx.

CVE-2019-9656[0]:
| An issue was discovered in LibOFX 0.9.14. There is a NULL pointer
| dereference in the function OFXApplication::startElement in the file
| lib/ofx_sgml.cpp, as demonstrated by ofxdump.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9656
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9656
[1] https://github.com/libofx/libofx/issues/22

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libofx
Source-Version: 1:0.9.15-1

We believe that the bug you reported is fixed in the latest version of
libofx, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.
If you have further comments please address them to 924...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dylan Aïssi (supplier of updated libofx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Mon, 14 Oct 2019 22:15:13 +0200
Source: libofx
Architecture: source
Version: 1:0.9.15-1
Distribution: unstable
Urgency: medium
Maintainer: Dylan Aïssi
Changed-By: Dylan Aïssi
Closes: 924350
Changes:
 libofx (1:0.9.15-1) unstable; urgency=medium
 .
   * New upstream release. Fix CVE-2019-9656 (Closes: #924350)
   * Add debian/gitlab-ci.yml.
   * Add debian/libofx7.symbols.
   * Bump Standards-Version: 4.4.1 (no changes needed).
   * Switch to debhelper-compat.
--- End Message ---