Your message dated Sun, 06 Aug 2017 13:04:34 +0000 with message-id <e1deleq-000bq0...@fasolo.debian.org> and subject line Bug#870799: fixed in mpg123 1.25.4-1 has caused the Debian Bug report #870799, regarding mpg123: CVE-2017-9545 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 870799: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870799 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: mpg123 Version: 1.23.8-1 Severity: important Tags: security upstream Hi, the following vulnerability was published for mpg123. CVE-2017-9545[0]: | The next_text function in src/libmpg123/id3.c in mpg123 1.24.0 allows | remote attackers to cause a denial of service (buffer over-read) via a | crafted mp3 file. Not sure if the reporter has reported that upstream. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-9545 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9545 [1] http://seclists.org/fulldisclosure/2017/Jul/65 Please adjust the affected versions in the BTS as needed, checked only versions back to 1.23.8-1 in stretch. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: mpg123 Source-Version: 1.25.4-1 We believe that the bug you reported is fixed in the latest version of mpg123, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 870...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Sebastian Ramacher <sramac...@debian.org> (supplier of updated mpg123 package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Sun, 06 Aug 2017 14:33:07 +0200 Source: mpg123 Binary: mpg123 libmpg123-0 libout123-0 libmpg123-dev Architecture: source Version: 1.25.4-1 Distribution: unstable Urgency: medium Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org> Changed-By: Sebastian Ramacher <sramac...@debian.org> Description: libmpg123-0 - MPEG layer 1/2/3 audio decoder (shared library) libmpg123-dev - MPEG layer 1/2/3 audio decoder (development files) libout123-0 - MPEG layer 1/2/3 audio decoder (libout123 shared library) mpg123 - MPEG layer 1/2/3 audio player Closes: 870799 Changes: mpg123 (1.25.4-1) unstable; urgency=medium . * Team upload. * New upstream release. - Fix buffer over-read. (CVE-2017-9545) (Closes: #870799) * debian/control: Bump Standards-Version. Checksums-Sha1: 7ccbcedfd60f859f7f82974edbd01630ca787965 2282 mpg123_1.25.4-1.dsc b204ec892d8b535ff7fa87fd6174f5df2fd287c0 918534 mpg123_1.25.4.orig.tar.bz2 c23b583b46cad7de7149c498c61f7a442706ad14 23344 mpg123_1.25.4-1.debian.tar.xz e615e86af5658b62f3d2b2cb7d1bf61405935b5c 8516 mpg123_1.25.4-1_amd64.buildinfo Checksums-Sha256: 8cb39548532319e63f4bdb4f39149e29c1684ad7c4fdfc98e79439f19c28cfd9 2282 mpg123_1.25.4-1.dsc cdb5620e8aab83f75a27dab3394a44b9cc4017fc77b2954b8425ca416db6b3e7 918534 mpg123_1.25.4.orig.tar.bz2 2c1ae4fb7da32c1e5e34938328a861d5f05858cfecd2ed107e7bc066450ab57e 23344 mpg123_1.25.4-1.debian.tar.xz 720461e1826f9dfd2fcd59256757cbd539a3cf8d25f5e356bb7032074db6e635 8516 mpg123_1.25.4-1_amd64.buildinfo Files: 27970c8935bac0fa82fa89f94372fcb7 2282 sound optional mpg123_1.25.4-1.dsc 810e9d00fd75c92c4afafa20245317b5 918534 sound optional mpg123_1.25.4.orig.tar.bz2 cff5466e06dee6217e3246f6c6ce2b61 23344 sound optional mpg123_1.25.4-1.debian.tar.xz 1dd26d57c48eadc8e695ed0cc48be40c 8516 sound optional mpg123_1.25.4-1_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEE94y6B4F7sUmhHTOQafL8UW6nGZMFAlmHDkkACgkQafL8UW6n GZPbDRAAivSZgr/kKTwAx/XQHrQGpyBiPr3hZXXgd6z1GUwJA8CDxOfUKQ1vCiFG UeP+idBIOpseIw49zYne99aQ5EPH57TRFXZkYUiqFn9tG8WqiyyNtiOUlSvzfJm3 YVaZ6QONkBuZYzdMQ+6+hs19AIz4ZpRMFboajrEJ+LA1NmN6VkLWlYF8snEr+6Wy HhGgjDCmMU050cNoFOISl7hpdyEeXip1f8iL3UfTAcN5oAY/tepwMLO+wg3b2WZ9 DeHrJ46iWsR60F6Muc31Jtk5W0QM9gmvEt6+E5zlFyu1bUmhEScI0AWyxft9kKDO bhl/icKF4VmIH6RSeP+EO4BQcWqbTzamDkfF7Nqo8fGVQguZT5Y//SMD7gEfXZrp oWLjsiy5lgcDlUzT4adhee2AxeScftRdgntKRTR9nw9oSiHTbjJCjj9VeFT0TYA7 Gii5Xsnjq6SgL5AGtiP9Bi3rc5N/erAK4/X2BKSv3mXIcflWFwzEq0rWQrU+j4VO 2bqbym/e4fzWRdZXqmHdYEbE5SYgVC6oYXdzsCJMJhQNVMXtxyOSttWeD+INg7bL WCvCuYyh1WRoWVzcWPpkY6/G3xoswchInQJLWY8FmkS62Z6NvHPLGc0ryZ30JIet SOJXY4uH2FbhefMLIffZ0UiEFaF5E1+cnQC8nEo3DQfurB5MwsU= =7VYu -----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________ pkg-multimedia-maintainers mailing list pkg-multimedia-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
