Bug#908779: bro: CVE-2018-17019: Fix IRC names command parsing
* Moritz Mühlenhoff:

>> Working on 2.6.1, but I need to get broker (and a new upstream version
>> of actor-framework) into unstable first. Working on that, too.

It's a pity that this did not work out...

> With buster being in full freeze, can you backport CVE-2018-17019 and
> CVE-2018-16807 to 2.5.5, please?

Yes, I'll try. Thanks for reminding me.

Cheers,
-Hilko
Bug#908779: bro: CVE-2018-17019: Fix IRC names command parsing
On Tue, Jan 29, 2019 at 02:19:20AM +0100, Hilko Bengen wrote:
> * Moritz Mühlenhoff:
>
> >> CVE-2018-17019[0]:
> >> | In Bro through 2.5.5, there is a DoS in IRC protocol names command
> >> | parsing in analyzer/protocol/irc/IRC.cc.
> >
> > ping, can we get this one (and CVE-2018-16807) uploaded still in time
> > for buster?
>
> Working on 2.6.1, but I need to get broker (and a new upstream version
> of actor-framework) into unstable first. Working on that, too.

With buster being in full freeze, can you backport CVE-2018-17019 and
CVE-2018-16807 to 2.5.5, please?

Cheers,
Moritz
Bug#908779: bro: CVE-2018-17019: Fix IRC names command parsing
* Hilko Bengen:

>>> | In Bro through 2.5.5, there is a DoS in IRC protocol names command
>>> | parsing in analyzer/protocol/irc/IRC.cc.
>>
>> ping, can we get this one (and CVE-2018-16807) uploaded still in time
>> for buster?
>
> Working on 2.6.1, but I need to get broker (and a new upstream version
> of actor-framework) into unstable first. Working on that, too.

So that didn't work out -- bro/2.6.1 is still sitting in NEW, along with
some of its build-dependencies. :-(
I don't know yet if or when I'll be able to backport fixes for the
outstanding CVE-worthy bugs.

Cheers,
-Hilko
Bug#908779: bro: CVE-2018-17019: Fix IRC names command parsing
* Moritz Mühlenhoff:

>> CVE-2018-17019[0]:
>> | In Bro through 2.5.5, there is a DoS in IRC protocol names command
>> | parsing in analyzer/protocol/irc/IRC.cc.
>
> ping, can we get this one (and CVE-2018-16807) uploaded still in time
> for buster?

Working on 2.6.1, but I need to get broker (and a new upstream version
of actor-framework) into unstable first. Working on that, too.

Cheers,
-Hilko
Bug#908779: bro: CVE-2018-17019: Fix IRC names command parsing
On Thu, Sep 13, 2018 at 10:39:17PM +0200, Salvatore Bonaccorso wrote:
> Source: bro
> Version: 2.5-1
> Severity: important
> Tags: patch security upstream
> Control: found -1 2.5.5-1
>
> Hi,
>
> The following vulnerability was published for bro.
>
> CVE-2018-17019[0]:
> | In Bro through 2.5.5, there is a DoS in IRC protocol names command
> | parsing in analyzer/protocol/irc/IRC.cc.

ping, can we get this one (and CVE-2018-16807) uploaded still in time
for buster?

Cheers,
Moritz
Bug#908779: bro: CVE-2018-17019: Fix IRC names command parsing
Source: bro
Version: 2.5-1
Severity: important
Tags: patch security upstream
Control: found -1 2.5.5-1

Hi,

The following vulnerability was published for bro.

CVE-2018-17019[0]:
| In Bro through 2.5.5, there is a DoS in IRC protocol names command
| parsing in analyzer/protocol/irc/IRC.cc.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17019
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17019
[1] https://github.com/bro/bro/commit/c2b18849f8bb833253538f5dfedb4ed1dc176a30

Regards,
Salvatore