libmicrohttpd: CVE-2013-7038 CVE-2013-7039


Debian Bug report logs - #731933
libmicrohttpd: CVE-2013-7038 CVE-2013-7039


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Wed, 11 Dec 2013 11:54:02 UTC

Severity: grave

Tags: security

Fixed in versions libmicrohttpd/0.9.32-1, libmicrohttpd/0.9.20-1+deb7u1

Done: Bertrand Marc <beberking@gmail.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bertrand Marc <beberking@gmail.com>:
Bug#731933; Package libmicrohttpd. (Wed, 11 Dec 2013 11:54:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bertrand Marc <beberking@gmail.com>. (Wed, 11 Dec 2013 11:54:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libmicrohttpd: CVE-2013-7038 CVE-2013-7039
Date: Wed, 11 Dec 2013 12:44:21 +0100
Package: libmicrohttpd
Severity: grave
Tags: security

Please see 
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7038
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7039

This doesn't warrant a DSA, but can still be fixed in a point
update if needed:
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <beberking@gmail.com>:
Bug#731933; Package libmicrohttpd. (Wed, 11 Dec 2013 22:54:04 GMT)


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <beberking@gmail.com>. (Wed, 11 Dec 2013 22:54:04 GMT)


Message #10 received at 731933@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: 731933@bugs.debian.org
Subject: Re: Bug#731933: libmicrohttpd: CVE-2013-7038 CVE-2013-7039
Date: Wed, 11 Dec 2013 23:26:21 +0100
* Moritz Muehlenhoff:

> Please see 
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7038
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7039

When fixing this, please also include these two upstream commits.
Thanks.

------------------------------------------------------------------------
r30927 | grothoff | 2013-11-28 11:05:52 +0100 (Thu, 28 Nov 2013) | 1 line

-handle case that original allocation request was zero
------------------------------------------------------------------------
r30926 | grothoff | 2013-11-28 10:16:38 +0100 (Thu, 28 Nov 2013) | 1 line

-fix theoretical overflow issue reported by Florian Weimer



Reply sent to Bertrand Marc <beberking@gmail.com>:
You have taken responsibility. (Thu, 12 Dec 2013 15:27:05 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 12 Dec 2013 15:27:06 GMT)


Message #15 received at 731933-close@bugs.debian.org:

From: Bertrand Marc <beberking@gmail.com>
To: 731933-close@bugs.debian.org
Subject: Bug#731933: fixed in libmicrohttpd 0.9.32-1
Date: Thu, 12 Dec 2013 15:23:50 +0000
Source: libmicrohttpd
Source-Version: 0.9.32-1

We believe that the bug you reported is fixed in the latest version of
libmicrohttpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 731933@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bertrand Marc <beberking@gmail.com> (supplier of updated libmicrohttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 11 Dec 2013 17:30:36 +0100
Source: libmicrohttpd
Binary: libmicrohttpd10 libmicrohttpd-dbg libmicrohttpd-dev
Architecture: source amd64
Version: 0.9.32-1
Distribution: unstable
Urgency: medium
Maintainer: Bertrand Marc <beberking@gmail.com>
Changed-By: Bertrand Marc <beberking@gmail.com>
Description: 
 libmicrohttpd-dbg - library embedding HTTP server functionality (debug)
 libmicrohttpd-dev - library embedding HTTP server functionality (development)
 libmicrohttpd10 - library embedding HTTP server functionality
Closes: 731933
Changes: 
 libmicrohttpd (0.9.32-1) unstable; urgency=medium
 .
   * Imported Upstream version 0.9.32
     + Fix CVE-2013-7038 and CVE-2013-7039 (Closes: #731933).
   * debian/libmicrohttpd10.symbols:
     + remove 2 unused symbols.
     + add a new one from 0.9.30.
     + add 2 new ones from 0.9.32.
   * Refresh the only patch.
   * debian/rules: remove an old cleaning rule after install.
Checksums-Sha1: 
 7965b835546e249cfde4e523b1db640ff68041dc 2089 libmicrohttpd_0.9.32-1.dsc
 ff7ff057964710f3eae52711e6d06e85bfe5ed83 1124859 libmicrohttpd_0.9.32.orig.tar.gz
 9c76c271ac5b3861216b78803bcea0731ef9e81a 5728 libmicrohttpd_0.9.32-1.debian.tar.gz
 26b406bf84270f9934095c3e52f7fa4ef14efcd7 61002 libmicrohttpd10_0.9.32-1_amd64.deb
 366e1cddd145f9680682c053f1d07b48aa77b9da 109482 libmicrohttpd-dbg_0.9.32-1_amd64.deb
 859948decb60fb0a04f59b34cd4ee9b6ff6233f0 169224 libmicrohttpd-dev_0.9.32-1_amd64.deb
Checksums-Sha256: 
 222167f1a12ef03140750452645ad9e82c27cd195be6ac3de19c2073efffa252 2089 libmicrohttpd_0.9.32-1.dsc
 e554b8e1313b336616a460aca0ac1fc8c96552320bc1d4dc503ce00bfb70d89c 1124859 libmicrohttpd_0.9.32.orig.tar.gz
 e5c5a98f182567b7869df9988fcaef9b8d20962ee0e9fb15d4706f025ae359ab 5728 libmicrohttpd_0.9.32-1.debian.tar.gz
 bf5adb943daa31627701b39984351831e8f0c67f9d959d7f14fb57000d9c9ea0 61002 libmicrohttpd10_0.9.32-1_amd64.deb
 8aadb783e369b72ee191a4ae0dfd10cc080a6db95f5cdda80ad1ff72defd3686 109482 libmicrohttpd-dbg_0.9.32-1_amd64.deb
 6459089c8059aa1b6be8c7229665ae988f9bfe85a4b281c3548f6953589bb2ed 169224 libmicrohttpd-dev_0.9.32-1_amd64.deb
Files: 
 413fabd53936cd4fbd226abe212b0838 2089 libs optional libmicrohttpd_0.9.32-1.dsc
 29dcc1c201c36044be2c3f816c64a5bb 1124859 libs optional libmicrohttpd_0.9.32.orig.tar.gz
 001fbcf3cbef9fcb833b9757a606bca7 5728 libs optional libmicrohttpd_0.9.32-1.debian.tar.gz
 6780cc33736622fa61189f1a54dd12b8 61002 libs optional libmicrohttpd10_0.9.32-1_amd64.deb
 a39dae8579c0f075a14e0f29f72ba0f1 109482 debug extra libmicrohttpd-dbg_0.9.32-1_amd64.deb
 9c53e9922eb5cf58cbaa0a61ef385166 169224 libdevel optional libmicrohttpd-dev_0.9.32-1_amd64.deb





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#731933; Package libmicrohttpd. (Thu, 12 Dec 2013 15:45:08 GMT)


Acknowledgement sent to Bertrand Marc <beberking@gmail.com>:
Extra info received and forwarded to list. (Thu, 12 Dec 2013 15:45:08 GMT)


Message #20 received at 731933@bugs.debian.org:

From: Bertrand Marc <beberking@gmail.com>
To: Moritz Muehlenhoff <jmm@inutil.org>, 731933@bugs.debian.org
Subject: Re: Bug#731933: libmicrohttpd: CVE-2013-7038 CVE-2013-7039
Date: Thu, 12 Dec 2013 16:41:24 +0100
Dear Moritz,

Thank you for reporting these security issues. Thanks to upstream, this
is fixed in unstable.

I am willing to fix it also in wheezy, but I don't understand why it
should wait for a point release and doesn't deserve a DSA. Could you
please explain?

Thanks,
Bertrand



Reply sent to Bertrand Marc <beberking@gmail.com>:
You have taken responsibility. (Mon, 06 Jan 2014 21:48:14 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 06 Jan 2014 21:48:15 GMT)


Message #25 received at 731933-close@bugs.debian.org:

From: Bertrand Marc <beberking@gmail.com>
To: 731933-close@bugs.debian.org
Subject: Bug#731933: fixed in libmicrohttpd 0.9.20-1+deb7u1
Date: Mon, 06 Jan 2014 21:47:06 +0000
Source: libmicrohttpd
Source-Version: 0.9.20-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
libmicrohttpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 731933@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bertrand Marc <beberking@gmail.com> (supplier of updated libmicrohttpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 26 Dec 2013 15:41:39 +0100
Source: libmicrohttpd
Binary: libmicrohttpd10 libmicrohttpd-dbg libmicrohttpd-dev
Architecture: source i386
Version: 0.9.20-1+deb7u1
Distribution: wheezy
Urgency: medium
Maintainer: Bertrand Marc <beberking@gmail.com>
Changed-By: Bertrand Marc <beberking@gmail.com>
Description: 
 libmicrohttpd-dbg - library embedding HTTP server functionality (debug)
 libmicrohttpd-dev - library embedding HTTP server functionality (development)
 libmicrohttpd10 - library embedding HTTP server functionality
Closes: 731933
Changes: 
 libmicrohttpd (0.9.20-1+deb7u1) wheezy; urgency=medium
 .
   * Fix various security issues (closes: #731933):
     + out-of-bounds read in MHD_http_unescape(), patch picked upstream,
     CVE-2013-7038.
     + stack overflow in MHD_digest_auth_check(), patch picked upstream,
     CVE-2013-7039.
     + handle case that original allocation request was zero and fix theoretical
     overflow issue reported by Florian Weimer, patch picked upstream.
Checksums-Sha1: 
 2ad3bcacca5a2ed2ed603fe791195b5871ad6624 2109 libmicrohttpd_0.9.20-1+deb7u1.dsc
 34bd0638c4dcc5472fd31ab4bee645f69272491d 6287 libmicrohttpd_0.9.20-1+deb7u1.debian.tar.gz
 d39ad4b1081af3b7536f642227af80446e5a6f50 53944 libmicrohttpd10_0.9.20-1+deb7u1_i386.deb
 3ff905db886529e2fe6c84276fb947929e3cafe5 93094 libmicrohttpd-dbg_0.9.20-1+deb7u1_i386.deb
 f82d6ea05e9839ae3a265f797cd0455b546536d5 154108 libmicrohttpd-dev_0.9.20-1+deb7u1_i386.deb
Checksums-Sha256: 
 d29b50599135c137b69a80006d497b421b77f17167f0ff47bcaae0426e8f1d54 2109 libmicrohttpd_0.9.20-1+deb7u1.dsc
 932e2cc723f887142774b3ea2dc2a1a925d08d709c1df7da61abd4171c4e2032 6287 libmicrohttpd_0.9.20-1+deb7u1.debian.tar.gz
 c455f4bcd94b296191b1d6413d7b54f2cad78a48c0370b6b033ecfaa159e1fef 53944 libmicrohttpd10_0.9.20-1+deb7u1_i386.deb
 bb463feaa7ce7ad753215c33dfc9838925d8aa64080211208d625cd331a367aa 93094 libmicrohttpd-dbg_0.9.20-1+deb7u1_i386.deb
 932c81efa084512994f9f1ecb9c7f6a53fc3a6edd3061c547f825d9b6f8ed913 154108 libmicrohttpd-dev_0.9.20-1+deb7u1_i386.deb
Files: 
 f99fbcad11e1011aa3d85edcddfb32fb 2109 libs optional libmicrohttpd_0.9.20-1+deb7u1.dsc
 09d41fd786bf533c9cbb26e93e272556 6287 libs optional libmicrohttpd_0.9.20-1+deb7u1.debian.tar.gz
 841399858bed85a98170da927d31d43a 53944 libs optional libmicrohttpd10_0.9.20-1+deb7u1_i386.deb
 e3ba52102cc66379fd1961eaf46412bf 93094 debug extra libmicrohttpd-dbg_0.9.20-1+deb7u1_i386.deb
 f8a44ee51e36f75349089fc67a7adcdd 154108 libdevel optional libmicrohttpd-dev_0.9.20-1+deb7u1_i386.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Feb 2014 07:29:08 GMT)
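The wheezy changelog above names two memory-safety bug classes: an out-of-bounds read in MHD_http_unescape() and a stack overflow in MHD_digest_auth_check(). The C below is an added illustration of those two classes written for this page; it is not libmicrohttpd's source, and the function names, the FIELD_MAX buffer size and the trigger conditions it assumes (a '%' escape cut short by the end of the string, and a header field copied into a fixed-size stack buffer) are assumptions made for the illustration, not facts taken from the bug report. It shows an unchecked percent-decoder stepping over the terminating NUL and decoding whatever follows, the bounded decoder that never moves past the terminator, and a bounded copy that rejects a field that would not fit its stack buffer.

```c
/*
 * Added illustration (not libmicrohttpd code) of the two bug classes named
 * in the wheezy changelog: an out-of-bounds read in a percent-unescape
 * routine and a stack buffer overflow when copying a header field into a
 * fixed-size buffer. Function names, FIELD_MAX and the trigger conditions
 * are assumptions made for this example.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Assumed buggy shape: on '%' the decoder looks at the next two bytes
 * without first checking that they exist, accepts a single hex digit, and
 * then always advances three bytes. "ab%4" followed by the NUL therefore
 * steps over the terminator and keeps decoding whatever memory follows.
 * Decodes in place and returns the new length. */
size_t unescape_unchecked(char *s)
{
    char *r = s, *w = s;
    while (*r != '\0') {
        if (*r == '%') {
            int hi = hexval(r[1]);       /* may be the NUL itself */
            int lo = hexval(r[2]);       /* may already be past the NUL */
            if (hi >= 0) {
                *w++ = (char)(lo >= 0 ? hi * 16 + lo : hi);
                r += 3;                  /* can land beyond the terminator */
                continue;
            }
        }
        *w++ = *r++;
    }
    *w = '\0';
    return (size_t)(w - s);
}

/* Bounded version: an escape is decoded only when both bytes are present
 * and are hex digits; anything else is passed through literally, and the
 * cursor never moves past the terminator. Returns the decoded length
 * (a "%00" escape yields an embedded NUL, so callers must use the returned
 * length rather than strlen on the result). */
size_t unescape_checked(char *s)
{
    char *r = s, *w = s;
    while (*r != '\0') {
        if (*r == '%' && r[1] != '\0' && r[2] != '\0') {
            int hi = hexval(r[1]), lo = hexval(r[2]);
            if (hi >= 0 && lo >= 0) {
                *w++ = (char)(hi * 16 + lo);
                r += 3;
                continue;
            }
        }
        *w++ = *r++;
    }
    *w = '\0';
    return (size_t)(w - s);
}

/* Second class: a header field copied into a fixed-size stack buffer.
 * An unbounded strcpy() there is the overflow; this bounded copy refuses
 * anything that does not fit together with its NUL instead of truncating,
 * because a silently truncated URI would later fail to match the request
 * URI and hide the problem. Returns 1 on success, 0 if it does not fit. */
#define FIELD_MAX 64   /* assumed buffer size for the illustration */

int copy_field_checked(char *dst, size_t dst_len, const char *field)
{
    size_t n = strlen(field);
    if (n >= dst_len)
        return 0;
    memcpy(dst, field, n + 1);
    return 1;
}

/* Returns the accepted field length, or -1 if the field would overflow
 * the FIELD_MAX stack buffer. */
int check_uri_field(const char *uri)
{
    char buf[FIELD_MAX];
    if (!copy_field_checked(buf, sizeof buf, uri))
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    /* Constructed input: one hex digit after '%', then the terminator, then
     * two known bytes so the unchecked decoder's overrun is observable
     * without undefined behaviour. */
    char bad[]  = "ab%4\0ZZ";
    char good[] = "ab%4\0ZZ";
    char uri[FIELD_MAX + 8];

    printf("unchecked: len=%zu (ran past the NUL into \"ZZ\")\n", unescape_unchecked(bad));
    printf("checked:   len=%zu \"%s\"\n", unescape_checked(good), good);

    memset(uri, 'A', sizeof uri - 1);
    uri[sizeof uri - 1] = '\0';
    printf("uri field of %zu bytes: %d\n", strlen(uri), check_uri_field(uri));
    printf("uri field \"/index.html\": %d\n", check_uri_field("/index.html"));
    return 0;
}
```

The unchecked decoder is only safe to call here because the constructed array carries known bytes after the terminator; on a real request buffer what it reads past the NUL is whatever happens to follow, which is the information-leak and crash potential behind an out-of-bounds read. The bounded decoder's short-circuit test on r[1] before r[2] is what guarantees it never reads beyond the terminator.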




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:28:00 2019; Machine Name: beach
