Your message dated Sun, 16 Oct 2016 17:03:35 +0000
with message-id <e1bvoqv-0001o1...@franck.debian.org>
and subject line Bug#840934: fixed in libarchive 3.2.1-5
has caused the Debian Bug report #840934,
regarding libarchive: CVE-2016-8689: heap-based buffer overflow in read_Header
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
840934: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840934
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libarchive
Version: 3.1.2-11
Severity: grave
Tags: security upstream patch
Forwarded: https://github.com/libarchive/libarchive/issues/761
Hi,
the following vulnerability was published for libarchive.
CVE-2016-8689[0]:
heap-based buffer overflow in read_Header
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-8689
[1] https://github.com/libarchive/libarchive/issues/761
[2] https://github.com/libarchive/libarchive/commit/7f17c791dcfd8c0416e2cd2485b19410e47ef126
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libarchive
Source-Version: 3.2.1-5
We believe that the bug you reported is fixed in the latest version of
libarchive, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 840...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Henriksson <andr...@fatal.se> (supplier of updated libarchive package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 16 Oct 2016 15:41:59 +0200
Source: libarchive
Binary: libarchive-dev libarchive13 libarchive-tools bsdtar bsdcpio
Architecture: source
Version: 3.2.1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Libarchive Maintainers <ah-libarch...@debian.org>
Changed-By: Andreas Henriksson <andr...@fatal.se>
Description:
bsdcpio - transitional dummy package for moving bsdcpio to libarchive-tools
bsdtar - transitional dummy package for moving bsdtar to libarchive-tools
libarchive-dev - Multi-format archive and compression library (development files)
libarchive-tools - FreeBSD implementations of 'tar' and 'cpio' and other archive too
libarchive13 - Multi-format archive and compression library (shared library)
Closes: 840934 840935 840936
Changes:
libarchive (3.2.1-5) unstable; urgency=medium
.
  * Cherry-pick upstream commits 7f17c791, eec077f5, e37b620f
    - Fixes for upstream issues 747, 761, 767 also known as
      CVE-2016-8689, CVE-2016-8688, CVE-2016-8687
      (Closes: #840934, #840935, #840936)
Checksums-Sha1:
3f5e79dbe5db04426d4463ffd1ed325916c638e3 2449 libarchive_3.2.1-5.dsc
9e0bb51bc3020c8dd8867248b699c23071409ff4 27112 libarchive_3.2.1-5.debian.tar.xz
Checksums-Sha256:
fefccd517f1d69a4977f8cc2b5d8f2e96d290da6915c44f45c9de1a1af1a9b68 2449 libarchive_3.2.1-5.dsc
4de4bf44613428f9eb7c0cbde82183d2edffa856ae3501dcea07fc69b8789770 27112 libarchive_3.2.1-5.debian.tar.xz
Files:
9d21830fdac357eaccbd5ece05ca016d 2449 libs optional libarchive_3.2.1-5.dsc
6fdff5908c67fd45e8d60aac0f798e2a 27112 libs optional libarchive_3.2.1-5.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---