Your message dated Tue, 05 Feb 2019 19:37:58 +0000
with message-id <e1gr6xe-000chs...@fasolo.debian.org>
and subject line Bug#920047: fixed in glibc 2.28-6
has caused the Debian Bug report #920047,
regarding glibc: CVE-2016-10739: getaddrinfo should reject IP addresses with 
trailing characters
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
920047: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920047
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: glibc
Version: 2.28-5--src
Severity: normal
Tags: patch security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=20018
Control: found -1 2.24-11+deb9u3
Control: found -1 2.24-11

Hi,

The following vulnerability was published for glibc.

CVE-2016-10739[0]:
| In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo
| function would successfully parse a string that contained an IPv4
| address followed by whitespace and arbitrary characters, which could
| lead applications to incorrectly assume that it had parsed a valid
| string, without the possibility of embedded HTTP headers or other
| potentially dangerous substrings.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10739
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=20018

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
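
An added example, not part of the bug report or of the glibc patch: a caller-side check that classifies an untrusted host string before it is handed to getaddrinfo, so that an address followed by whitespace and other characters, as the CVE text describes, is rejected outright. The names classify_host and host_kind and the sample strings are hypothetical and constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

enum host_kind { HOST_INVALID = 0, HOST_IPV4, HOST_IPV6, HOST_NAME };

/* Classify an untrusted host string (hypothetical helper). */
enum host_kind classify_host(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    size_t len, i;

    if (s == NULL)
        return HOST_INVALID;
    len = strlen(s);
    if (len == 0 || len > 253)          /* 253: maximum textual DNS name length */
        return HOST_INVALID;

    /* inet_pton() succeeds only if the whole string is an address literal,
       so "192.0.2.10 <anything>" does not pass as IPv4 here. */
    if (inet_pton(AF_INET, s, buf) == 1)
        return HOST_IPV4;
    if (inet_pton(AF_INET6, s, buf) == 1)
        return HOST_IPV6;

    /* Anything else must consist of hostname characters only: no spaces,
       CR/LF or other bytes that could carry an embedded header. */
    for (i = 0; i < len; i++) {
        char c = s[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '.';
        if (!ok)
            return HOST_INVALID;
    }
    return HOST_NAME;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "192.0.2.10", "192.0.2.10 \r\nX-Injected: 1",
                              "2001:db8::1", "example.org", "192.0.2.10\t" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> kind %d\n", i, (int)classify_host(samples[i]));
    return 0;
}
```
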
--- Begin Message ---
Source: glibc
Source-Version: 2.28-6

We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 920...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aure...@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 Feb 2019 19:55:42 +0100
Source: glibc
Architecture: source
Version: 2.28-6
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aure...@debian.org>
Closes: 761300 908928 920047 921165
Changes:
 glibc (2.28-6) unstable; urgency=medium
 .
   [ Samuel Thibault ]
   * debian/patches/hurd-i386/git-AT_EMPTY_PATH.diff: New patch, fixes qt's
     file size query.
   * debian/patches/hurd-i386/git-altstack.diff: New patch, fixes altstack
     initial state.
 .
   [ Aurelien Jarno ]
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - Fix a buffer overflow in string/memory functions on x32 (CVE-2019-6488).
     - Reject IP addresses with trailing characters (CVE-2016-10739).  Closes:
       #920047.
     - Fix wrong return value for memcmp on amd64 and x32 due to mishandling
       of most significant bit (CVE-2019-7309).
   * Update Russian debconf translation, by Lev Lamberov.  Closes:
     #921165.
   * debian/patches/any/local-ldso-disable-hwcap.diff: only check for
     /etc/ld.so.nohwcap on alpha, hurd-i386 and i386. Based on a patch from
     Josh Triplett.  Closes: #908928.
   * debian/patches/any/git-libio-stdout-putc.diff: fix puts and putchar output
     with changed stdout pointer.  Closes: #761300.
   * debhelper.in/locales.bug-presubj: drop obsolete file, the dependency
     mechanism for locales has been changed a long time ago.

--- End Message ---
