Debian Bug report logs - #496034
CVE-2008-3688: DoS by infinite loop
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Fri, 22 Aug 2008 08:27:02 UTC
Severity: grave
Tags: patch, security
Fixed in versions havp/0.88-1.1, havp/0.89-1
Done: Rene Mayrhofer <rene.mayrhofer@gibraltar.at>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Rene Mayrhofer <rene.mayrhofer@gibraltar.at>: Bug#496034; Package havp.
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Rene Mayrhofer <rene.mayrhofer@gibraltar.at>.
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: havp
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for havp.
CVE-2008-3688[0]:
| sockethandler.cpp in HTTP Antivirus Proxy (HAVP) 0.88 allows remote
| attackers to cause a denial of service (hang) by connecting to a
| non-responsive server, which triggers an infinite loop due to an
| uninitialized variable.
You'll find a patch here[1].
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3688
http://security-tracker.debian.net/tracker/CVE-2008-3688
[1] http://bugs.endian.it/view.php?id=1129
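Added example, not HAVP's code and not the patch linked above: the defect class the CVE text describes (an uninitialised retry counter that lets a never-responding upstream server keep the worker looping) shown in a comment beside a bounded retry that cannot be pinned. `connectWithRetry`, `AttemptFn`, `RetryStats` and the simulated socket layer are assumed names.

```cpp
#include <chrono>
#include <functional>

// Outcome of a single upstream connect attempt as the proxy worker sees it.
enum class ConnectResult { Connected, Timeout };

// The socket layer is abstracted behind a callable so a server that never
// answers can be simulated offline (constructed stand-in, not a real socket).
using AttemptFn = std::function<ConnectResult()>;

struct RetryStats {
    int attempts;    // how many connect attempts were made
    bool connected;  // whether one of them succeeded
};

// Defect pattern the CVE text describes (illustration only, not HAVP's
// sockethandler.cpp):
//
//   int retries;                               // never initialised
//   while (connectUpstream() != 0) {
//       if (retries++ > MAX_RETRIES) return -1; // compares garbage
//   }
//
// With an indeterminate (e.g. large negative) start value the cap is never
// reached, so a peer that never responds keeps the worker looping forever.

// Hardened variant: counter initialised before first use, a hard attempt cap,
// and an overall wall-clock deadline so a silent peer cannot pin the worker.
RetryStats connectWithRetry(const AttemptFn& attempt, int maxAttempts,
                            std::chrono::milliseconds deadline) {
    RetryStats st{0, false};
    const auto start = std::chrono::steady_clock::now();
    while (st.attempts < maxAttempts) {
        ++st.attempts;
        if (attempt() == ConnectResult::Connected) {
            st.connected = true;
            break;
        }
        // Give up early once the total time budget is exhausted, even if
        // attempts remain; the loop terminates on either bound.
        if (std::chrono::steady_clock::now() - start >= deadline) break;
    }
    return st;
}
```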
Information forwarded to debian-bugs-dist@lists.debian.org, Rene Mayrhofer <rene.mayrhofer@gibraltar.at>: Bug#496034; Package havp.
Acknowledgement sent to morph <matrixhasu@gmail.com>: Extra info received and forwarded to list. Copy sent to Rene Mayrhofer <rene.mayrhofer@gibraltar.at>.
Message #10 received at 496034@bugs.debian.org (full text, mbox, reply):
tags 487598 + patch
tags 492235 + patch
tags 492236 + patch
tags 496034 + patch
thanks
Hi,
Attached is the diff for my havp 0.88-1.1 NMU.
[havp-0.88-1.1-nmu.diff (text/x-diff, attachment)]
Tags added: patch. Request was from morph <matrixhasu@gmail.com> to control@bugs.debian.org. (Thu, 28 Aug 2008 22:25:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Rene Mayrhofer <rene.mayrhofer@gibraltar.at>: Bug#496034; Package havp.
Acknowledgement sent to morph <matrixhasu@gmail.com>: Extra info received and forwarded to list. Copy sent to Rene Mayrhofer <rene.mayrhofer@gibraltar.at>.
Message #17 received at 496034@bugs.debian.org (full text, mbox, reply):
tags 487598 + patch
tags 492235 + patch
tags 492236 + patch
tags 496034 + patch
thanks
Hi,
Attached is the diff for my havp 0.88-1.1 NMU, updated to add the GPLv2+
boilerplate to debian/copyright.
[havp-0.88-1.1-nmu.diff (text/x-diff, attachment)]
Tags added: patch. Request was from morph <matrixhasu@gmail.com> to control@bugs.debian.org. (Sat, 30 Aug 2008 11:30:13 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Rene Mayrhofer <rene.mayrhofer@gibraltar.at>: Bug#496034; Package havp.
Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>: Extra info received and forwarded to list. Copy sent to Rene Mayrhofer <rene.mayrhofer@gibraltar.at>.
Message #24 received at 496034@bugs.debian.org (full text, mbox, reply):
# Automatically generated email from bts, devscripts version 2.10.35
# via tagpending
#
# havp (0.88-1.1) unstable; urgency=medium
#
#   * debian/havp.init
#     - added cleanup for temporary files under /var/spool/havp; thanks to
#       Alberto for the report; Closes: #492235
#   * debian/{havp.prerm,havp.postinst,rules}
#     - modified to skip errors on service start/stop; thanks to Alberto for the
#       report; Closes: #492236
#   * debian/patches/05_bts496034_CVE-2008-3688_fix_infinite_retry.dpatch
#     - added to fix CVE-2008-3688, DoS by connecting to a non-responsive server,
#       generating an infinite loop; thanks to Steffen Joeris for the report;
#       Closes: #496034
#   * debian/po/sv.po
#     - added Swedish translation of debconf templates; thanks to Martin Bagge;
#       Closes: #487598
#
package havp
tags 496034 + pending
tags 487598 + pending
tags 492236 + pending
tags 492235 + pending
Tags added: pending. Request was from Thomas Viehmann <tv@beamnet.de> to control@bugs.debian.org. (Sat, 30 Aug 2008 12:48:08 GMT)
Reply sent to Sandro Tosi <matrixhasu@gmail.com>: You have taken responsibility.
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer.
Message #31 received at 496034-close@bugs.debian.org (full text, mbox, reply):
Source: havp
Source-Version: 0.88-1.1
We believe that the bug you reported is fixed in the latest version of
havp, which is due to be installed in the Debian FTP archive:
havp_0.88-1.1.diff.gz
  to pool/main/h/havp/havp_0.88-1.1.diff.gz
havp_0.88-1.1.dsc
  to pool/main/h/havp/havp_0.88-1.1.dsc
havp_0.88-1.1_amd64.deb
  to pool/main/h/havp/havp_0.88-1.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 496034@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sandro Tosi <matrixhasu@gmail.com> (supplier of updated havp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sat, 30 Aug 2008 10:58:54 +0200
Source: havp
Binary: havp
Architecture: source amd64
Version: 0.88-1.1
Distribution: unstable
Urgency: medium
Maintainer: Rene Mayrhofer <rene.mayrhofer@gibraltar.at>
Changed-By: Sandro Tosi <matrixhasu@gmail.com>
Description:
havp - HTTP Anti Virus Proxy
Closes: 487598 492235 492236 496034
Changes:
havp (0.88-1.1) unstable; urgency=medium
.
  * Non-maintainer upload.
  * debian/havp.init
    - added cleanup for temporary files under /var/spool/havp; thanks to
      Alberto for the report; Closes: #492235
  * debian/{havp.prerm,havp.postinst,rules}
    - modified to skip errors on service start/stop; thanks to Alberto for the
      report; Closes: #492236
  * debian/rules
    - added removal for generated files
    - clean run only if Makefile is present
  * debian/patches/05_bts496034_CVE-2008-3688_fix_infinite_retry.dpatch
    - added to fix CVE-2008-3688, DoS by connecting to a non-responsive server,
      generating an infinite loop; thanks to Steffen Joeris for the report;
      Closes: #496034
  * debian/po/sv.po
    - added Swedish translation of debconf templates; thanks to Martin Bagge;
      Closes: #487598
  * debian/copyright
    - added copyright notices
    - added GPLv2+ license boilerplate
  * debian/havp.docs
    - removed since it installed only INSTALL file
Reply sent to Rene Mayrhofer <rene.mayrhofer@gibraltar.at>: You have taken responsibility.
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer.
Message #36 received at 496034-close@bugs.debian.org (full text, mbox, reply):
Source: havp
Source-Version: 0.89-1
We believe that the bug you reported is fixed in the latest version of
havp, which is due to be installed in the Debian FTP archive:
havp_0.89-1.diff.gz
  to pool/main/h/havp/havp_0.89-1.diff.gz
havp_0.89-1.dsc
  to pool/main/h/havp/havp_0.89-1.dsc
havp_0.89-1_i386.deb
  to pool/main/h/havp/havp_0.89-1_i386.deb
havp_0.89.orig.tar.gz
  to pool/main/h/havp/havp_0.89.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 496034@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Rene Mayrhofer <rene.mayrhofer@gibraltar.at> (supplier of updated havp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Tue, 09 Sep 2008 19:40:53 +0200
Source: havp
Binary: havp
Architecture: source i386
Version: 0.89-1
Distribution: unstable
Urgency: high
Maintainer: Rene Mayrhofer <rene.mayrhofer@gibraltar.at>
Changed-By: Rene Mayrhofer <rene.mayrhofer@gibraltar.at>
Description:
havp - HTTP Anti Virus Proxy
Closes: 487598 492235 492236 496034 498338
Changes:
havp (0.89-1) unstable; urgency=high
.
  Justification for urgency high: compiles with new libclamav-dev and
  therefore fixes FTBFS for Lenny.
  * New upstream release. This includes the fix for the potential DoS
    issue. Therefore, remove
    debian/patches/05_bts496034_CVE-2008-3688_fix_infinite_retry.dpatch.
    The new upstream version has another small bugfix (sending Via:
    header) but no additional changes and is therefore safe for Lenny.
    Closes: #496034: CVE-2008-3688: DoS by infinite loop
    Closes: #498338: havp depends on old clamav. This clamav version is
    vulnerable.
  * Acknowledge NMU:
    Closes: #492235: havp: does not delete temp files
    Closes: #492236: havp: can't install if port 8080 in use
    Closes: #487598: [INTL:sv] Swedish translation of debconf templates
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 08 Oct 2008 07:29:07 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 15:20:04 2019; Machine Name: buxtehude