quassel: CVE-2016-4414: remote DoS due to invalid handshake data

Related Vulnerabilities: CVE-2016-4414  

Debian Bug report logs - #826402


Reported by: Pierre Schweitzer <pierre@reactos.org>

Date: Sun, 5 Jun 2016 10:33:02 UTC

Severity: normal

Tags: fixed-upstream, security, upstream

Found in version quassel/1:0.10.0-2.3

Fixed in versions quassel/1:0.12.4-2, quassel/1:0.10.0-2.3+deb8u3

Done: Pierre Schweitzer <pierre@reactos.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, unknown-package@qa.debian.org:
Bug#826402; Package quasselcore. (Sun, 05 Jun 2016 10:33:06 GMT)


Acknowledgement sent to Pierre Schweitzer <pierre@reactos.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, unknown-package@qa.debian.org. (Sun, 05 Jun 2016 10:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Pierre Schweitzer <pierre@reactos.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2016-4414: remote DoS due to invalid handshake data
Date: Sun, 05 Jun 2016 12:32:20 +0200
Package: quasselcore
Version: 1:0.10.0-2.3+deb8u2
Severity: normal
Tags: security

Hi,

The following vulnerability was published for quassel.

CVE-2016-4414: remote DoS due to invalid handshake data

This is fixed in this commit:
https://github.com/quassel/quassel/commit/e67887343c433cc35bc26ad6a9392588f427e746

Cheers,



-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
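The report gives no detail beyond its title, so what follows is an added illustration, not Quassel's code and not taken from the linked commit: a minimal C++ handshake handler in the shape that lets a remote client crash a core with out-of-order or malformed handshake data (acting on a message type without first checking that the connection is in a state where that message is legal), beside a hardened version that drives an explicit state machine and closes the connection on any violation. The message names ClientInit and Login, the Session object, and the checked accessor that throws in place of a real null-pointer fault are all assumptions made for this example; for what was actually wrong in quasselcore, read the upstream commit linked above.

```cpp
// Added illustration, not Quassel's code: a handshake handler in the vulnerable
// shape (dispatch on message type, assume the earlier phase happened) beside the
// hardened shape. Message names, Session and the "crash" stand-in are assumptions.
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

enum class MsgType { ClientInit, Login, Unknown };
struct Message {
    MsgType type;
    std::string payload;  // client version for ClientInit, user name for Login
};
struct Session {  // hypothetical per-connection state, created on ClientInit
    std::string clientVersion;
};
enum class Outcome { Accepted, Rejected };

class Handler {
public:
    virtual ~Handler() = default;
    virtual Outcome handle(const Message& m) = 0;
    bool closed() const { return closed_; }
protected:
    // Stand-in for a null-pointer dereference: throws instead of faulting.
    Session& session() {
        if (!session_) throw std::logic_error("session used before registration");
        return *session_;
    }
    std::unique_ptr<Session> session_;
    bool closed_ = false;
};

// Vulnerable shape: trusts the message type and never checks connection state.
class NaiveHandler : public Handler {
public:
    Outcome handle(const Message& m) override {
        if (m.type == MsgType::ClientInit) {
            session_ = std::make_unique<Session>();
            session_->clientVersion = m.payload;
            return Outcome::Accepted;
        }
        if (m.type == MsgType::Login) {
            session();  // Login before ClientInit: session_ is still null here
            return m.payload.empty() ? Outcome::Rejected : Outcome::Accepted;
        }
        return Outcome::Rejected;
    }
};

// Hardened shape: each state accepts exactly one well-formed message type;
// anything else (wrong type, wrong order, empty payload) closes the connection.
class StrictHandler : public Handler {
    enum class State { AwaitingInit, Registered, Authenticated };
    State state_ = State::AwaitingInit;
    Outcome reject() { closed_ = true; return Outcome::Rejected; }
public:
    Outcome handle(const Message& m) override {
        if (closed_) return Outcome::Rejected;
        switch (state_) {
        case State::AwaitingInit:
            if (m.type != MsgType::ClientInit || m.payload.empty()) return reject();
            session_ = std::make_unique<Session>();
            session_->clientVersion = m.payload;
            state_ = State::Registered;
            return Outcome::Accepted;
        case State::Registered:
            if (m.type != MsgType::Login || m.payload.empty()) return reject();
            session();  // safe: this state is only reached after registration
            state_ = State::Authenticated;
            return Outcome::Accepted;
        case State::Authenticated:
            return reject();  // no further handshake messages are legal
        }
        return reject();
    }
};

// Drives a handler through a message sequence; true if it hit the "crash" path.
bool crashes(Handler& h, const std::vector<Message>& seq) {
    try {
        for (const auto& m : seq) h.handle(m);
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}
bool naiveCrashesOnLoginFirst() {
    NaiveHandler h;
    return crashes(h, {{MsgType::Login, "alice"}});
}
bool strictSurvivesLoginFirst() {
    StrictHandler h;
    return !crashes(h, {{MsgType::Login, "alice"}}) && h.closed();
}
bool strictAcceptsWellFormedHandshake() {
    StrictHandler h;
    return h.handle({MsgType::ClientInit, "v0.12"}) == Outcome::Accepted &&
           h.handle({MsgType::Login, "alice"}) == Outcome::Accepted && !h.closed();
}
```

The cheap check for any protocol core is the one StrictHandler makes: decide which message types are legal in the current state before any per-message handler runs, and treat a violation as a reason to drop the connection rather than something to recover from. Modelling the fault as an exception also makes the handler easy to put under a fuzzer, or to run over every short ordering of the message set and assert it never throws.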



Bug reassigned from package 'quasselcore' to 'src:quassel'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jun 2016 11:27:07 GMT)


No longer marked as found in versions 1:0.10.0-2.3+deb8u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jun 2016 11:27:08 GMT)


Marked as found in versions quassel/1:0.10.0-2.3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jun 2016 11:27:09 GMT)


Marked as fixed in versions quassel/1:0.12.4-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jun 2016 11:27:10 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jun 2016 11:27:11 GMT)


Notification sent to Pierre Schweitzer <pierre@reactos.org>:
Bug acknowledged by developer. (Sun, 05 Jun 2016 11:27:12 GMT)


Changed Bug title to 'CVE-2016-4414: remote DoS due to invalid handshake data' from 'CVE-2016-4414: remote DoSdue to invalid handshake data'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jun 2016 11:27:14 GMT)


Changed Bug title to 'quassel: CVE-2016-4414: remote DoS due to invalid handshake data' from 'CVE-2016-4414: remote DoS due to invalid handshake data'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jun 2016 11:27:18 GMT)


Message sent on to Pierre Schweitzer <pierre@reactos.org>:
Bug#826402. (Sun, 05 Jun 2016 11:27:28 GMT)


Message #24 received at 826402-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: quassel@packages.debian.org, 826402-submitter@bugs.debian.org
Subject: reassign 826402 to src:quassel, found 826402 in 1:0.10.0-2.3, closing 826402
Date: Sun, 05 Jun 2016 13:23:10 +0200
reassign 826402 src:quassel 
found 826402 1:0.10.0-2.3
close 826402 1:0.12.4-2
thanks




Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 05 Jun 2016 11:36:16 GMT)


Reply sent to Pierre Schweitzer <pierre@reactos.org>:
You have taken responsibility. (Mon, 13 Jun 2016 22:21:13 GMT)


Notification sent to Pierre Schweitzer <pierre@reactos.org>:
Bug acknowledged by developer. (Mon, 13 Jun 2016 22:21:13 GMT)


Message #31 received at 826402-close@bugs.debian.org:

From: Pierre Schweitzer <pierre@reactos.org>
To: 826402-close@bugs.debian.org
Subject: Bug#826402: fixed in quassel 1:0.10.0-2.3+deb8u3
Date: Mon, 13 Jun 2016 22:17:18 +0000
Source: quassel
Source-Version: 1:0.10.0-2.3+deb8u3

We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 826402@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Schweitzer <pierre@reactos.org> (supplier of updated quassel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 05 Jun 2016 12:41:35 +0200
Source: quassel
Binary: quassel-core quassel-client quassel quassel-data quassel-client-kde4 quassel-kde4 quassel-data-kde4
Architecture: source amd64 all
Version: 1:0.10.0-2.3+deb8u3
Distribution: jessie
Urgency: medium
Maintainer: Thomas Mueller <thomas.mueller@tmit.eu>
Changed-By: Pierre Schweitzer <pierre@reactos.org>
Description:
 quassel    - distributed IRC client - Qt-based monolithic core+client
 quassel-client - distributed IRC client - Qt-based client component
 quassel-client-kde4 - distributed IRC client - KDE-based client
 quassel-core - distributed IRC client - core component
 quassel-data - distributed IRC client - shared data (Qt version)
 quassel-data-kde4 - distributed IRC client - shared data (KDE4 version)
 quassel-kde4 - distributed IRC client - KDE-based monolithic core+client
Closes: 826402
Changes:
 quassel (1:0.10.0-2.3+deb8u3) jessie; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2016-4414: remote DoS in quassel core with invalid handshake data.
     (Closes: #826402)
     - Add debian/patches/CVE-2016-4414.patch, cherry-picked from upstream.
Checksums-Sha1:
 e51ab98e59957d60ed8834d30ce8c6e8bf032d7e 2368 quassel_0.10.0-2.3+deb8u3.dsc
 27822f284c4fc2466a22e365e99743a5cec9f94d 23640 quassel_0.10.0-2.3+deb8u3.debian.tar.xz
 808b4e6e2f22e23b603e3160fc5c95531ff3f4be 1647860 quassel-core_0.10.0-2.3+deb8u3_amd64.deb
 637848e762a0e3a17903330570b05d456e39d966 2439960 quassel-client_0.10.0-2.3+deb8u3_amd64.deb
 2f713bb2ff4bec850024cf7ebc197a0abfcac0b5 2849662 quassel_0.10.0-2.3+deb8u3_amd64.deb
 b24db864915d243603c650c5a5d6ee8aef11a970 23094 quassel-data_0.10.0-2.3+deb8u3_all.deb
 84ad521123a514655b12024cf26262d7fdc17bdb 839152 quassel-client-kde4_0.10.0-2.3+deb8u3_amd64.deb
 7f152d8ba3b2b15a500b0ea83704158cb68e81b2 1076862 quassel-kde4_0.10.0-2.3+deb8u3_amd64.deb
 17909c130ac101eb69044249c35aa0d152fd4c26 625600 quassel-data-kde4_0.10.0-2.3+deb8u3_all.deb
Checksums-Sha256:
 9985be51e5c07591e3f3617cbad4a5281d279efbcbe3c682ce42ac7bc2d2547e 2368 quassel_0.10.0-2.3+deb8u3.dsc
 9c28918ced7f3940933def7a7524c2df0a5881678c8e029b604e4ceb0a88f21e 23640 quassel_0.10.0-2.3+deb8u3.debian.tar.xz
 b22c64fe1110acc494b1b9c75a7536b1ab593b7f4b2b695084be30495f6af775 1647860 quassel-core_0.10.0-2.3+deb8u3_amd64.deb
 b1765d92e30207ed2534cd6524604bfaf02b992fb9926385dd9dffc003edf22c 2439960 quassel-client_0.10.0-2.3+deb8u3_amd64.deb
 49441806bb402c2a10eaaadc6c8f5d7cc351d5fcc6d3189ced5157de0851a896 2849662 quassel_0.10.0-2.3+deb8u3_amd64.deb
 2fcf87c8abe0eab55e46efd601f991752c29603d79622c9aaef98f873c039485 23094 quassel-data_0.10.0-2.3+deb8u3_all.deb
 aa677d3ad010caa9ed83f193b01d2239269b707792a94d432f30f284a37584dc 839152 quassel-client-kde4_0.10.0-2.3+deb8u3_amd64.deb
 6d99b936b3f870391813389cd00c36a4c640f4f2a7a1ae8a8ef7032d4bba8db3 1076862 quassel-kde4_0.10.0-2.3+deb8u3_amd64.deb
 5bc6e0cfeac7b424a30b7ed485a4d785787fe4b2dc848a12cf1616f6dffc7a85 625600 quassel-data-kde4_0.10.0-2.3+deb8u3_all.deb
Files:
 2410b5cb7c963cfa0c68013faf6a5f04 2368 net optional quassel_0.10.0-2.3+deb8u3.dsc
 87cfe018e7f26fa986c443673c6bcb11 23640 net optional quassel_0.10.0-2.3+deb8u3.debian.tar.xz
 eb7ba1fa580c9470e8c6663a6b8c0c6d 1647860 net optional quassel-core_0.10.0-2.3+deb8u3_amd64.deb
 17e096945096082040d3e852baeab6cd 2439960 net optional quassel-client_0.10.0-2.3+deb8u3_amd64.deb
 1b4d1183696b051afdab84f1457df3c9 2849662 net optional quassel_0.10.0-2.3+deb8u3_amd64.deb
 f2f6a0b285424426072b0979fbccd6ed 23094 net optional quassel-data_0.10.0-2.3+deb8u3_all.deb
 3d86c66106701f5f1e1597eb700a7232 839152 net optional quassel-client-kde4_0.10.0-2.3+deb8u3_amd64.deb
 7b78a4e34125d425a23fda6a6631098c 1076862 net optional quassel-kde4_0.10.0-2.3+deb8u3_amd64.deb
 ca39a4383c32ccecd4ec4166ed4cf054 625600 net optional quassel-data-kde4_0.10.0-2.3+deb8u3_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 12 Jul 2016 07:25:24 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:41:12 2019; Machine Name: beach
