libice: CVE-2017-2626: Weak Entropy Usage in Session Keys in libICE

Related Vulnerabilities: CVE-2017-2626  

Debian Bug report logs - #856400

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 28 Feb 2017 15:54:04 UTC

Severity: important

Tags: security, upstream

Found in version libice/2:1.0.9-1

Fixed in version libice/2:1.0.9-2

Done: Emilio Pozuelo Monfort <pochu@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#856400; Package src:libice. (Tue, 28 Feb 2017 15:54:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>. (Tue, 28 Feb 2017 15:54:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libice: CVE-2017-2626: Weak Entropy Usage in Session Keys in libICE
Date: Tue, 28 Feb 2017 16:51:56 +0100
Source: libice
Version: 2:1.0.9-1
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for libice.

CVE-2017-2626[0]:
Weak Entropy Usage in Session Keys in libICE

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2626
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2626

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Emilio Pozuelo Monfort <pochu@debian.org>:
You have taken responsibility. (Tue, 28 Feb 2017 22:09:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 28 Feb 2017 22:09:11 GMT)


Message #10 received at 856400-close@bugs.debian.org:

From: Emilio Pozuelo Monfort <pochu@debian.org>
To: 856400-close@bugs.debian.org
Subject: Bug#856400: fixed in libice 2:1.0.9-2
Date: Tue, 28 Feb 2017 22:04:22 +0000
Source: libice
Source-Version: 2:1.0.9-2

We believe that the bug you reported is fixed in the latest version of
libice, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856400@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@debian.org> (supplier of updated libice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 28 Feb 2017 22:46:39 +0100
Source: libice
Binary: libice6 libice6-dbg libice-dev libice-doc
Architecture: source
Version: 2:1.0.9-2
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Description:
 libice-dev - X11 Inter-Client Exchange library (development headers)
 libice-doc - documentation for the X11 ICE protocol and library
 libice6    - X11 Inter-Client Exchange library
 libice6-dbg - X11 Inter-Client Exchange library (debug package)
Closes: 856400
Changes:
 libice (2:1.0.9-2) unstable; urgency=medium
 .
   [ Julien Cristau ]
   * CVE-2017-2626: Use libbsd for arc4random. Closes: #856400.
   * Bump Standards-Version to 3.9.6, update Vcs-* control fields.
 .
   [ Emilio Pozuelo Monfort ]
   * Remove Drew from Uploaders.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 01 Apr 2017 07:24:43 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:20:56 2019; Machine Name: buxtehude
