ntopng: CVE-2017-7459: HTTP Response Splitting

Related Vulnerabilities: CVE-2017-7459   CVE-2017-7458  

Debian Bug report logs - #866719


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 1 Jul 2017 07:57:02 UTC

Severity: important

Tags: security, upstream

Found in version ntopng/2.4+dfsg1-3

Fixed in version ntopng/2.4+dfsg1-4

Done: Ludovico Cavedon <cavedon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ludovico Cavedon <cavedon@debian.org>:
Bug#866719; Package src:ntopng. (Sat, 01 Jul 2017 07:57:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ludovico Cavedon <cavedon@debian.org>. (Sat, 01 Jul 2017 07:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ntopng: CVE-2017-7459: HTTP Response Splitting
Date: Sat, 01 Jul 2017 09:55:30 +0200
Source: ntopng
Version: 2.4+dfsg1-3
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for ntopng.

CVE-2017-7459[0]:
| ntopng before 3.0 allows HTTP Response Splitting.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7459
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7459
[1] https://github.com/ntop/ntopng/commit/9469e58f07e043da712e6d6c41244852a11bcaeb

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) pending. Request was from Ludovico Cavedon <cavedon@debian.org> to control@bugs.debian.org. (Sat, 02 Sep 2017 17:48:06 GMT)


Reply sent to Ludovico Cavedon <cavedon@debian.org>:
You have taken responsibility. (Sun, 03 Sep 2017 20:03:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 03 Sep 2017 20:03:09 GMT)


Message #12 received at 866719-close@bugs.debian.org:

From: Ludovico Cavedon <cavedon@debian.org>
To: 866719-close@bugs.debian.org
Subject: Bug#866719: fixed in ntopng 2.4+dfsg1-4
Date: Sun, 03 Sep 2017 19:59:21 +0000
Source: ntopng
Source-Version: 2.4+dfsg1-4

We believe that the bug you reported is fixed in the latest version of
ntopng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 866719@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovico Cavedon <cavedon@debian.org> (supplier of updated ntopng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 03 Sep 2017 21:12:05 +0200
Source: ntopng
Binary: ntopng ntopng-data
Architecture: source all amd64
Version: 2.4+dfsg1-4
Distribution: unstable
Urgency: medium
Maintainer: Ludovico Cavedon <cavedon@debian.org>
Changed-By: Ludovico Cavedon <cavedon@debian.org>
Description:
 ntopng     - High-Speed Web-based Traffic Analysis and Flow Collection Tool
 ntopng-data - High-Speed Web-based Traffic Analysis and Flow Collection Tool (d
Closes: 853578 856048 859653 866719 866721
Changes:
 ntopng (2.4+dfsg1-4) unstable; urgency=medium
 .
   * Add CVE-2017-7458.patch to prevent an empty host to crash ntopng
     (Closes: #866721, CVE-2017-7458).
   * Add CVE-2017-7459.patch to prevent \r\n from being injected into HTTP URIs
     (Closes: #866719, CVE-2017-7459).
   * Add gcc-7.patch to fix FTBFS with gcc 7 (Closes: #853578).
   * Update Check-for-presence-of-crsf-in-admin-scripts.patch to avoid the
     'Missing CSRF parameter' error (Closes: #856048).
   * Add Avoid-access-after-free.patch and
     Avoid-access-to-unintialized-memory.patch to fix crash with mysql (thanks
     to Bernhard Übelacker, Closes: #859653).
   * Add redis-server in the Required fields of the SysVinit script
     (LP: #1437835).
Checksums-Sha1:
 438d0f6803072806b7fa7559bc1c642d27493026 2208 ntopng_2.4+dfsg1-4.dsc
 3aa5f8d1584809808b97134bd463d413f8318b40 28928 ntopng_2.4+dfsg1-4.debian.tar.xz
 71cdddfa5f6f7589a27006e5c0ef3b0f47dfb9ef 1274256 ntopng-data_2.4+dfsg1-4_all.deb
 10071b1bd8f637eefc5cd34da8cad9dfe1738275 2179748 ntopng-dbgsym_2.4+dfsg1-4_amd64.deb
 109f6e9ecaa4aa43224688ee79c674abb3aa666a 8835 ntopng_2.4+dfsg1-4_amd64.buildinfo
 d2079c847499e14376320beb0490a168ccb0cae6 244210 ntopng_2.4+dfsg1-4_amd64.deb
Checksums-Sha256:
 a6a7a8d6fdc167be96ca8a26fbf2b2aec043a020d7a96af04673f6d6b7a1aeb8 2208 ntopng_2.4+dfsg1-4.dsc
 f9105f71681d3d515e010ad00579c3d167d3336da8e65fef83c17a2d49236d74 28928 ntopng_2.4+dfsg1-4.debian.tar.xz
 0e0470d1d3f1d1c3d90f96b520b23ab392c6bbe3efac9abbf6067c196f7a677c 1274256 ntopng-data_2.4+dfsg1-4_all.deb
 4dc5680ca760cf91ca955cdf1a886722623112ddca7ed1d91d6df567dea0e3d4 2179748 ntopng-dbgsym_2.4+dfsg1-4_amd64.deb
 1f692646cb2d2dd5fa82a88732bb336da0483e3e7914a5dcca4b34ad8c91a0ba 8835 ntopng_2.4+dfsg1-4_amd64.buildinfo
 7326ada220d890f048a4db9063ac1e25fe16a096e19dc7c11904a88db83ccee8 244210 ntopng_2.4+dfsg1-4_amd64.deb
Files:
 344accf124afe4547005544f23c5ed4c 2208 net extra ntopng_2.4+dfsg1-4.dsc
 828794e4644005755536980d8123fdd5 28928 net extra ntopng_2.4+dfsg1-4.debian.tar.xz
 1a43b97b67ea044c4963e5b0f5e0a723 1274256 net extra ntopng-data_2.4+dfsg1-4_all.deb
 8a42f54cab9455111eeed81a3042257d 2179748 debug extra ntopng-dbgsym_2.4+dfsg1-4_amd64.deb
 87ad698234f34456ad7fe0a1946bf49d 8835 net extra ntopng_2.4+dfsg1-4_amd64.buildinfo
 56cfa9ba36e8f692ea613d18ca49aeba 244210 net extra ntopng_2.4+dfsg1-4_amd64.deb


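The CVE text above says only that ntopng "allows HTTP Response Splitting", and the changelog entry says the Debian patch prevents \r\n from being injected into HTTP URIs. The following is an added illustration of that bug class and of the check the changelog describes; it is not ntopng's code, not the Debian patch, and not taken from the upstream commit linked in the report. The function names, the `/lua/index.lua?r=` request path and the Set-Cookie payload are all constructed for the example.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// Decode %XX escapes the way a web server does before handing a URI to
// application code. This is where "%0d%0a" becomes a literal CR LF.
std::string percent_decode(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size() &&
            std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out.push_back(static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16)));
            i += 2;
        } else {
            out.push_back(in[i]);
        }
    }
    return out;
}

// Vulnerable pattern: the decoded URI is concatenated straight into a
// response header. A CR LF inside it terminates the Location line, and
// whatever follows is parsed by the client as further headers (or body).
std::string build_redirect_vulnerable(const std::string& decoded_uri) {
    return "HTTP/1.1 302 Found\r\nLocation: " + decoded_uri + "\r\n\r\n";
}

// The check: any CR or LF in a value destined for a header line is a
// splitting attempt (or, at best, malformed input) and must not be emitted.
bool uri_has_crlf(const std::string& decoded_uri) {
    return decoded_uri.find_first_of("\r\n") != std::string::npos;
}

// Hardened pattern: refuse the request instead of emitting the header.
std::string build_redirect_hardened(const std::string& decoded_uri) {
    if (uri_has_crlf(decoded_uri)) {
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n";
    }
    return build_redirect_vulnerable(decoded_uri);
}

// Count CRLF-terminated lines in the response head (status line plus
// headers, up to the blank line). A split response carries more lines
// than the builder meant to send.
std::size_t count_head_lines(const std::string& response) {
    std::size_t count = 0, pos = 0;
    for (;;) {
        std::size_t eol = response.find("\r\n", pos);
        if (eol == std::string::npos || eol == pos) break;  // blank line or end
        ++count;
        pos = eol + 2;
    }
    return count;
}

int main() {
    // Constructed request URI: path and parameter name are hypothetical;
    // the encoded CR LF is the payload this bug class turns on.
    const std::string raw = "/lua/index.lua?r=%0d%0aSet-Cookie:%20session=attacker";
    const std::string decoded = percent_decode(raw);

    std::cout << "vulnerable head lines: "
              << count_head_lines(build_redirect_vulnerable(decoded)) << "\n";
    std::cout << "hardened head lines:   "
              << count_head_lines(build_redirect_hardened(decoded)) << "\n";
    return 0;
}
```

The check is deliberately placed on the decoded string, after percent-decoding, because an encoded `%0d%0a` is harmless until something turns it back into bytes 0x0d 0x0a. Rejecting the request outright (400) is simpler and safer than trying to strip or re-encode the characters, since a stripped value may still be reinterpreted by a later decoding step.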



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Oct 2017 07:26:19 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:19:00 2019; Machine Name: buxtehude
