security flaw in 2.9.21

Related Vulnerabilities: CVE-2011-1925

Debian Bug report logs - #627042

Reported by: Wouter Verhelst <wouter@debian.org>

Date: Tue, 17 May 2011 08:30:02 UTC

Severity: serious

Tags: security

Found in version nbd/1:2.9.21-1

Fixed in version nbd/1:2.9.22-1

Done: Wouter Verhelst <wouter@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org:
Bug#627042; Package nbd-server. (Tue, 17 May 2011 08:30:08 GMT)


Acknowledgement sent to Wouter Verhelst <wouter@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org. (Tue, 17 May 2011 08:30:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Wouter Verhelst <wouter@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: security flaw in 2.9.21
Date: Tue, 17 May 2011 09:37:05 +0200
Package: nbd-server
Version: 1:2.9.21-1
Severity: normal
Tags: security

nbd 2.9.21 contains a security issue in the negotiation phase (remote
DoS). It should not migrate, ever.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'oldstable'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=nl_BE.UTF-8, LC_CTYPE=nl_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages nbd-server depends on:
ii  adduser                      3.112+nmu2  add and remove users and groups
ii  debconf [debconf-2.0]        1.5.39      Debian configuration management sy
ii  libc6                        2.13-4      Embedded GNU C Library: Shared lib
ii  libglib2.0-0                 2.28.6-1    The GLib library of C routines
ii  ucf                          3.0025+nmu2 Update Configuration File: preserv

nbd-server recommends no packages.

nbd-server suggests no packages.

-- debconf information excluded

Severity set to 'serious' from 'normal'. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Wed, 18 May 2011 10:42:15 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Wouter Verhelst <wouter@debian.org>:
Bug#627042; Package nbd-server. (Wed, 18 May 2011 10:45:03 GMT)


Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Wouter Verhelst <wouter@debian.org>. (Wed, 18 May 2011 10:45:06 GMT)


Message #12 received at 627042@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 627042@bugs.debian.org
Cc: "Wouter Verhelst" <w@uter.be>, team@security.debian.org
Subject: Re: bug in nbd-server
Date: Wed, 18 May 2011 12:32:37 +0200
On Tue, May 17, 2011 09:38, Wouter Verhelst wrote:
> nbd-server 2.9.21 has a NULL-pointer dereference in its negotiation
> phase, which allows unauthenticated users to DoS the server by causing
> the negotiation to fail (e.g., by specifying a non-existing name for an
> export).

Please use CVE-2011-1925.


Cheers,
Thijs
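The quoted report above describes the bug class behind CVE-2011-1925: during negotiation the server looks up the export name the client sent and dereferences the result even when no such export exists. The following is an added illustration written for this page, not nbd-server's code; the struct, function names (`find_export`, `negotiate_unchecked`, `negotiate_checked`) and the two-entry export table are all constructed. It places the unchecked pattern next to the hardened one, where a failed lookup becomes a per-client error rather than a process crash.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <stdint.h>

/* Constructed illustration of the NULL-dereference bug class in the
 * negotiation phase (CVE-2011-1925). This is NOT nbd-server's code; the
 * struct, function names and sample export table are assumptions. */

struct export {
    const char *name;
    uint64_t    size;   /* exported device size in bytes */
};

/* Constructed export table standing in for the server's configuration. */
static const struct export exports[] = {
    { "disk0", 1024ull * 1024 * 1024 },
    { "disk1",  512ull * 1024 * 1024 },
};

/* Look up the export named by the client; NULL when it does not exist. */
static const struct export *find_export(const char *name)
{
    for (size_t i = 0; i < sizeof exports / sizeof exports[0]; i++)
        if (strcmp(exports[i].name, name) == 0)
            return &exports[i];
    return NULL;
}

/* Vulnerable pattern: the lookup result is used without a NULL check, so
 * an unauthenticated client naming a non-existent export crashes the
 * server process (remote denial of service). */
uint64_t negotiate_unchecked(const char *requested)
{
    const struct export *e = find_export(requested);
    return e->size;            /* NULL dereference when the name is unknown */
}

enum neg_status { NEG_OK = 0, NEG_ERR_NO_EXPORT = 1 };

/* Hardened pattern: a failed lookup is reported to the caller, which can
 * close this client's connection while the server keeps serving others. */
enum neg_status negotiate_checked(const char *requested, uint64_t *size_out)
{
    const struct export *e = find_export(requested);
    if (e == NULL) {
        fprintf(stderr, "negotiation: unknown export '%s', rejecting client\n",
                requested);
        return NEG_ERR_NO_EXPORT;
    }
    *size_out = e->size;
    return NEG_OK;
}

int main(void)
{
    uint64_t size = 0;

    /* A valid name works on both paths. */
    printf("disk0 -> %llu bytes\n",
           (unsigned long long)negotiate_unchecked("disk0"));

    /* An unknown name is rejected cleanly on the checked path;
     * negotiate_unchecked("nosuch") would dereference NULL here. */
    if (negotiate_checked("nosuch", &size) == NEG_ERR_NO_EXPORT)
        printf("nosuch -> rejected cleanly\n");

    return 0;
}
```

The detection angle for an operator is the same on either path: a negotiation that fails on an unknown export name should appear as a logged, rejected client, never as a server restart.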

Reply sent to Wouter Verhelst <wouter@debian.org>:
You have taken responsibility. (Sun, 29 May 2011 08:51:30 GMT)


Notification sent to Wouter Verhelst <wouter@debian.org>:
Bug acknowledged by developer. (Sun, 29 May 2011 08:51:50 GMT)


Message #17 received at 627042-close@bugs.debian.org:

From: Wouter Verhelst <wouter@debian.org>
To: 627042-close@bugs.debian.org
Subject: Bug#627042: fixed in nbd 1:2.9.22-1
Date: Sun, 29 May 2011 08:48:39 +0000
Source: nbd
Source-Version: 1:2.9.22-1

We believe that the bug you reported is fixed in the latest version of
nbd, which is due to be installed in the Debian FTP archive:

nbd-client-udeb_2.9.22-1_amd64.udeb
  to main/n/nbd/nbd-client-udeb_2.9.22-1_amd64.udeb
nbd-client_2.9.22-1_amd64.deb
  to main/n/nbd/nbd-client_2.9.22-1_amd64.deb
nbd-server_2.9.22-1_amd64.deb
  to main/n/nbd/nbd-server_2.9.22-1_amd64.deb
nbd_2.9.22-1.dsc
  to main/n/nbd/nbd_2.9.22-1.dsc
nbd_2.9.22-1.tar.gz
  to main/n/nbd/nbd_2.9.22-1.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 627042@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Wouter Verhelst <wouter@debian.org> (supplier of updated nbd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 29 May 2011 09:40:55 +0200
Source: nbd
Binary: nbd-server nbd-client nbd-client-udeb
Architecture: source amd64
Version: 1:2.9.22-1
Distribution: unstable
Urgency: low
Maintainer: Wouter Verhelst <wouter@debian.org>
Changed-By: Wouter Verhelst <wouter@debian.org>
Description: 
 nbd-client - Network Block Device protocol - client
 nbd-client-udeb - Network Block Device protocol - client for Debian Installer (udeb)
 nbd-server - Network Block Device protocol - server
Closes: 557809 627042
Changes: 
 nbd (1:2.9.22-1) unstable; urgency=low
 .
   * New upstream release
     - Fixes CVE-2011-1925; Closes: #627042.
     - Fixes a number of data corruption bugs in the handling of oversized
       requests.
     - Has far better test suite coverage.
     - Adds -d option to nbd-server to run non-detached; Closes: #557809.
Checksums-Sha1: 
 a58ff147728866ec5fc0ad7779cb52c0fa94a38f 1542 nbd_2.9.22-1.dsc
 784da9b6bb3403f258924cffe88abdc50cde66b2 1041380 nbd_2.9.22-1.tar.gz
 6ae991774901ffeaeaf08cfc60f53a8dc0bacf32 65998 nbd-server_2.9.22-1_amd64.deb
 512dbd496f104a34d45b200b9e139b0e2964ffd8 54896 nbd-client_2.9.22-1_amd64.deb
 c77a89eba2199f0240351ba089a591cc8d817fd4 7764 nbd-client-udeb_2.9.22-1_amd64.udeb
Checksums-Sha256: 
 888f0c2c8fec2e547b0d9082c087c4b90da6a3e28d35a3ac1a072a333f096860 1542 nbd_2.9.22-1.dsc
 79b5b1ada333483f5a0a46006fefd07b68ef4c5e8d29eb46655fdae8344c946b 1041380 nbd_2.9.22-1.tar.gz
 b0bb122b8ceaed9e2650b517f0f1b15c581e0da9194a5383cd548424275384dc 65998 nbd-server_2.9.22-1_amd64.deb
 e90460e94134cc68e6b83868d53d90952cf1ea91f83e50fa2a73d0e06e8adc4d 54896 nbd-client_2.9.22-1_amd64.deb
 c050eab121a9b805562408e44384b0d995321af5e81f6198a74142f0f77a9042 7764 nbd-client-udeb_2.9.22-1_amd64.udeb
Files: 
 7067bafc01a9748d759d97e37ead058f 1542 admin optional nbd_2.9.22-1.dsc
 5a2f0755860466f290af48336fdfa549 1041380 admin optional nbd_2.9.22-1.tar.gz
 1235a641b27265382c5c6f75a7dfbd99 65998 admin optional nbd-server_2.9.22-1_amd64.deb
 1c13b4cd8285e8c0cfaf723d766b889f 54896 admin optional nbd-client_2.9.22-1_amd64.deb
 12d6e448d776af0982bfb1f4bc14c22d 7764 debian-installer optional nbd-client-udeb_2.9.22-1_amd64.udeb
Package-Type: udeb


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jul 2011 07:34:43 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:42:34 2019; Machine Name: buxtehude
