Your message dated Sat, 20 Jan 2024 10:34:42 +0000
with message-id <e1rr8gu-00cq1q...@fasolo.debian.org>
and subject line Bug#1059452: fixed in opennds 10.2.0+dfsg-1
has caused the Debian Bug report #1059452,
regarding opennds: CVE-2023-41101 CVE-2023-41102
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1059452: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059452
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: opennds
Version: 9.10.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for opennds.

CVE-2023-41101[0]:
| An issue was discovered in the captive portal in OpenNDS before
| version 10.1.3. get_query in http_microhttpd.c does not validate the
| length of the query string of GET requests. This leads to a
| stack-based buffer overflow in versions 9.x and earlier, and to a
| heap-based buffer overflow in versions 10.x and later. Attackers may
| exploit the issue to crash OpenNDS (Denial-of-Service condition) or
| to inject and execute arbitrary bytecode (Remote Code Execution).


CVE-2023-41102[1]:
| An issue was discovered in the captive portal in OpenNDS before
| version 10.1.3. It has multiple memory leaks due to not freeing up
| allocated memory. This may lead to a Denial-of-Service condition due
| to the consumption of all available memory.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41101
    https://www.cve.org/CVERecord?id=CVE-2023-41101
[1] https://security-tracker.debian.org/tracker/CVE-2023-41102
    https://www.cve.org/CVERecord?id=CVE-2023-41102
[3] https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx
[4] https://github.com/openNDS/openNDS/commit/69dde77927b252e2a4347170504a785ac5d50c33

Regards,
Salvatore

--- End Message ---
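As an added illustration of the missing check the CVE-2023-41101 description refers to (example code written for this page, not OpenNDS's get_query or anything from the upstream commit): a query-string extractor that validates the length against the destination buffer and refuses the request instead of copying into a fixed buffer. The function and enum names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded query extractor (added example, not OpenNDS code).
 * Copies the query part of a request target (everything after the first '?')
 * into a caller-supplied fixed-size buffer. A copy into a fixed buffer with no
 * length check is the bug class CVE-2023-41101 describes for get_query(). */
enum query_status { QUERY_OK = 0, QUERY_NONE, QUERY_TOO_LONG, QUERY_BAD_CHAR };

enum query_status extract_query(const char *target, char *out, size_t outsz)
{
    const char *q;
    size_t len;

    if (target == NULL || out == NULL || outsz == 0)
        return QUERY_TOO_LONG;          /* nothing can be stored safely */
    out[0] = '\0';                      /* never leave the buffer uninitialised */

    q = strchr(target, '?');
    if (q == NULL)
        return QUERY_NONE;
    q++;

    /* Stop at a fragment delimiter; clients should not send one, but a
     * defensive parser does not rely on that. */
    len = strcspn(q, "#");
    if (len >= outsz)                   /* leave room for the terminator */
        return QUERY_TOO_LONG;          /* refuse rather than truncate silently */

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)q[i];
        if (c < 0x21 || c > 0x7e)       /* control bytes, space, non-ASCII */
            return QUERY_BAD_CHAR;
    }

    memcpy(out, q, len);
    out[len] = '\0';
    return QUERY_OK;
}

int main(void)
{
    char buf[16];                       /* deliberately small fixed buffer */
    const char *samples[] = { "/login?tok=abc", "/login",
                              "/login?aaaaaaaaaaaaaaaaaaaaaaaaaaaa" };
    for (size_t i = 0; i < 3; i++)
        printf("%-40s -> status %d, query \"%s\"\n", samples[i],
               (int)extract_query(samples[i], buf, sizeof buf), buf);
    return 0;
}
```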
--- Begin Message ---
Source: opennds
Source-Version: 10.2.0+dfsg-1
Done: Mike Gabriel <sunwea...@debian.org>

We believe that the bug you reported is fixed in the latest version of
opennds, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1059...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated opennds package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 20 Jan 2024 11:00:54 +0100
Source: opennds
Architecture: source
Version: 10.2.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Packaging Team <debian-edu-pkg-t...@lists.alioth.debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Closes: 1040392 1059451 1059452
Changes:
 opennds (10.2.0+dfsg-1) unstable; urgency=medium
 .
   * New upstream release. (Closes: #1059451, #1059452).
     - CVE-2023-38313, CVE-2023-38314, CVE-2023-38315, CVE-2023-38316:
       Fix NULL pointer dereference if authdir is called with an incomplete or
       missing query string.
     - CVE-2023-38320, CVE-2023-38322: Fix - NULL pointer dereference if
       user_agent is NULL.
     - CVE-2023-38324: Generate unique sha256 faskey if not set in config.
     - CVE-2023-41101: Fix buffer overflow causing segfault.
     - CVE-2023-41102: Fix multiple memory leaks.
   * debian/patches:
     + Rebase 1004_add-documentation-key-in-service-file.patch.
     + Add 1005_evaluate-system-call-retvals.patch. Fix FTBFS against recent
       Debian.
   * debian/{opennds-daemon.install,rules}:
     + Adjust file installations into DEST_DIR.
   * debian/copyright:
     + Update copyright attributions.
     + Update copyright attribution for debian/.
     + Update auto-generated copyright.in file.
   * lintian:
     + Update files lines in very-long-line-length-in-source-file overrides
       with globbings.
   * debian/opennds-daemon-common.links:
     + Drop file. Drop man page symlinking. The formerly shipped man page was
       bogus and upstream removed it (for now). (Closes: #1040392).


--- End Message ---
