Multiple security issues in libevent

Related Vulnerabilities: CVE-2016-10197, CVE-2016-10196, CVE-2016-10195

Debian Bug report logs - #854092


Reported by: Guido Günther <agx@sigxcpu.org>

Date: Fri, 3 Feb 2017 23:45:02 UTC

Severity: important

Tags: security

Found in version 2.0.21-stable-2

Fixed in versions libevent/2.0.21-stable-3, libevent/2.0.21-stable-2+deb8u1

Done: Balint Reczey <balint@balintreczey.hu>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#854092; Package libevent. (Fri, 03 Feb 2017 23:45:04 GMT)


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Fri, 03 Feb 2017 23:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: submit@bugs.debian.org
Subject: Multiple security issues in libevent
Date: Sat, 4 Feb 2017 00:40:07 +0100
Package: libevent
Severity: important
Tags: security

Hi,

the following vulnerabilities were published for libevent.

CVE-2016-10197[0]
CVE-2016-10196[1]
CVE-2016-10195[2]

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10197
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10197
[1] https://security-tracker.debian.org/tracker/CVE-2016-10196
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10196
[2] https://security-tracker.debian.org/tracker/CVE-2016-10195
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10195
    
Please adjust the affected versions in the BTS as needed.

Cheers,
 -- Guido



Reply sent to Balint Reczey <balint@balintreczey.hu>:
You have taken responsibility. (Sun, 12 Feb 2017 21:21:09 GMT)


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Sun, 12 Feb 2017 21:21:09 GMT)


Message #10 received at 854092-close@bugs.debian.org:

From: Balint Reczey <balint@balintreczey.hu>
To: 854092-close@bugs.debian.org
Subject: Bug#854092: fixed in libevent 2.0.21-stable-3
Date: Sun, 12 Feb 2017 21:19:05 +0000
Source: libevent
Source-Version: 2.0.21-stable-3

We believe that the bug you reported is fixed in the latest version of
libevent, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 854092@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Balint Reczey <balint@balintreczey.hu> (supplier of updated libevent package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 12 Feb 2017 21:43:18 +0100
Source: libevent
Binary: libevent-dev libevent-dbg libevent-2.0-5 libevent-core-2.0-5 libevent-extra-2.0-5 libevent-pthreads-2.0-5 libevent-openssl-2.0-5
Architecture: source
Version: 2.0.21-stable-3
Distribution: unstable
Urgency: medium
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Balint Reczey <balint@balintreczey.hu>
Description:
 libevent-2.0-5 - Asynchronous event notification library
 libevent-core-2.0-5 - Asynchronous event notification library (core)
 libevent-dbg - Asynchronous event notification library (debug symbols)
 libevent-dev - Asynchronous event notification library (development files)
 libevent-extra-2.0-5 - Asynchronous event notification library (extra)
 libevent-openssl-2.0-5 - Asynchronous event notification library (openssl)
 libevent-pthreads-2.0-5 - Asynchronous event notification library (pthreads)
Closes: 854092
Changes:
 libevent (2.0.21-stable-3) unstable; urgency=medium
 .
   * Fix three vulnerabilities (Closes: #854092):
     - DNS remote stack overread vulnerability (CVE-2016-10195)
     - (Stack) buffer overflow in evutil_parse_sockaddr_port()
       (CVE-2016-10196)
     - Out-of-bounds read in search_make_new() (CVE-2016-10197)
   * Add myself as an uploader
   * ACK NMU
Checksums-Sha1:
 7b22ec0291b3b318979dcad58c490e2190e9ea1d 2432 libevent_2.0.21-stable-3.dsc
 9f452abca559f50eb6e48ef00299d81b20f68f31 15592 libevent_2.0.21-stable-3.debian.tar.xz
Checksums-Sha256:
 cddbe5e9b5f9cb801cdfba755337da63d57249b9e43fc26a8faa025711013456 2432 libevent_2.0.21-stable-3.dsc
 059ea5982bb163b288225d41653b8d340c5682628b92b8db729b0d1cb9f65a2c 15592 libevent_2.0.21-stable-3.debian.tar.xz
Files:
 3c9359068c5c1368cac40a41d631fc19 2432 libs optional libevent_2.0.21-stable-3.dsc
 fe687400bd216b4fc70e73240707e998 15592 libs optional libevent_2.0.21-stable-3.debian.tar.xz





Marked as found in versions 2.0.21-stable-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 14 Feb 2017 07:45:03 GMT)


Reply sent to Balint Reczey <balint@balintreczey.hu>:
You have taken responsibility. (Sat, 18 Feb 2017 23:36:14 GMT)


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Sat, 18 Feb 2017 23:36:14 GMT)


Message #17 received at 854092-close@bugs.debian.org:

From: Balint Reczey <balint@balintreczey.hu>
To: 854092-close@bugs.debian.org
Subject: Bug#854092: fixed in libevent 2.0.21-stable-2+deb8u1
Date: Sat, 18 Feb 2017 23:32:09 +0000
Source: libevent
Source-Version: 2.0.21-stable-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
libevent, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 854092@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Balint Reczey <balint@balintreczey.hu> (supplier of updated libevent package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 14 Feb 2017 00:05:29 +0100
Source: libevent
Binary: libevent-dev libevent-dbg libevent-2.0-5 libevent-core-2.0-5 libevent-extra-2.0-5 libevent-pthreads-2.0-5 libevent-openssl-2.0-5
Architecture: source amd64
Version: 2.0.21-stable-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Balint Reczey <balint@balintreczey.hu>
Description:
 libevent-2.0-5 - Asynchronous event notification library
 libevent-core-2.0-5 - Asynchronous event notification library (core)
 libevent-dbg - Asynchronous event notification library (debug symbols)
 libevent-dev - Asynchronous event notification library (development files)
 libevent-extra-2.0-5 - Asynchronous event notification library (extra)
 libevent-openssl-2.0-5 - Asynchronous event notification library (openssl)
 libevent-pthreads-2.0-5 - Asynchronous event notification library (pthreads)
Closes: 854092
Changes:
 libevent (2.0.21-stable-2+deb8u1) jessie-security; urgency=high
 .
   * Fix three vulnerabilities (Closes: #854092):
     - DNS remote stack overread vulnerability (CVE-2016-10195)
     - (Stack) buffer overflow in evutil_parse_sockaddr_port()
       (CVE-2016-10196)
     - Out-of-bounds read in search_make_new() (CVE-2016-10197)
   * Add myself as an uploader
Checksums-Sha1:
 603384067beef2be03ea1d11cb83ca322f6524cb 2460 libevent_2.0.21-stable-2+deb8u1.dsc
 3e6674772eb77de24908c6267c698146420ab699 850772 libevent_2.0.21-stable.orig.tar.gz
 a8ce182cd465f1c06e0df2e8dd4cc6b33f348349 13900 libevent_2.0.21-stable-2+deb8u1.debian.tar.xz
 d91f6842d2bc4e41ad30133f256a1538cdac76ef 248052 libevent-dev_2.0.21-stable-2+deb8u1_amd64.deb
 9a48b20089d4d36609148b315e5d78c4a72af993 666916 libevent-dbg_2.0.21-stable-2+deb8u1_amd64.deb
 8518a9b0898031fc7a3f3ae15efe14550f9f1b93 151710 libevent-2.0-5_2.0.21-stable-2+deb8u1_amd64.deb
 b8cfdf92439d0a6a7f4e57a2ad5dee765deda57b 107952 libevent-core-2.0-5_2.0.21-stable-2+deb8u1_amd64.deb
 c482a65c87377f07f918d17d3471a5b55fbb9357 90704 libevent-extra-2.0-5_2.0.21-stable-2+deb8u1_amd64.deb
 d06ce8d65dc54079874135dd3bbab64c4c214baa 44072 libevent-pthreads-2.0-5_2.0.21-stable-2+deb8u1_amd64.deb
 82399492c4935e9e7e16b7b2263d82e3deb3799e 49960 libevent-openssl-2.0-5_2.0.21-stable-2+deb8u1_amd64.deb
Checksums-Sha256:
 54c4e18472229cfc33b4eef8f0e6191ce362cd71ab8995c3b4f6ba79e5feb69e 2460 libevent_2.0.21-stable-2+deb8u1.dsc
 22a530a8a5ba1cb9c080cba033206b17dacd21437762155c6d30ee6469f574f5 850772 libevent_2.0.21-stable.orig.tar.gz
 5cf722d138ffd789ea54d0b6703e1187bc0170d1580e528d3db635d397f8aaf6 13900 libevent_2.0.21-stable-2+deb8u1.debian.tar.xz
 d2674d502449ac9873c757b96e2a1b0ee190a919de4469bd8f99c592364e9f58 248052 libevent-dev_2.0.21-stable-2+deb8u1_amd64.deb
 8cee4d6475f0403ede467bfab8fdc463131c39d6cff77496f8ae7463b541ab6c 666916 libevent-dbg_2.0.21-stable-2+deb8u1_amd64.deb
 3651fc8112c10272d2911f4ce9badd3a2af59d9b8b13aefed24247f3a4ba6105 151710 libevent-2.0-5_2.0.21-stable-2+deb8u1_amd64.deb
 a9de7ccd5c959e9781c325215e18aa4d2e707bf4d73b23eb2bae2014a8ca5d6c 107952 libevent-core-2.0-5_2.0.21-stable-2+deb8u1_amd64.deb
 1d60a8c4e025fcdff3fcdd351cd75aecf01cfe44d1f4843546fb0d372be24441 90704 libevent-extra-2.0-5_2.0.21-stable-2+deb8u1_amd64.deb
 cc6548255c080077654a9e07cfaf704b40567657224510834af1bcb8a2158f55 44072 libevent-pthreads-2.0-5_2.0.21-stable-2+deb8u1_amd64.deb
 9a85c5de873e543360f1c0e6dddc3d2547ffabb41b9d075d658cf3e21c9d8141 49960 libevent-openssl-2.0-5_2.0.21-stable-2+deb8u1_amd64.deb
Files:
 49adb74501073b5771c621fa333c62c5 2460 libs optional libevent_2.0.21-stable-2+deb8u1.dsc
 b2405cc9ebf264aa47ff615d9de527a2 850772 libs optional libevent_2.0.21-stable.orig.tar.gz
 9809cfd91b7a7dd0a6c4a2dc27296e89 13900 libs optional libevent_2.0.21-stable-2+deb8u1.debian.tar.xz
 17c6b8e53ba24ab971f75af175176138 248052 libdevel optional libevent-dev_2.0.21-stable-2+deb8u1_amd64.deb
 5ade9369075c37948ecf32f7cc8db6cf 666916 debug extra libevent-dbg_2.0.21-stable-2+deb8u1_amd64.deb
 4c0719a022bb6126dd3935732921dbfc 151710 libs standard libevent-2.0-5_2.0.21-stable-2+deb8u1_amd64.deb
 43f7ccf6e183246b7723e6cd9ae20d35 107952 libs optional libevent-core-2.0-5_2.0.21-stable-2+deb8u1_amd64.deb
 c0e6268d988a084a6ae032e836dbb2fa 90704 libs optional libevent-extra-2.0-5_2.0.21-stable-2+deb8u1_amd64.deb
 17ad653358239ec1e36522a311a2dd1e 44072 libs optional libevent-pthreads-2.0-5_2.0.21-stable-2+deb8u1_amd64.deb
 a038da5453a3b709b2d6807125db9085 49960 libs optional libevent-openssl-2.0-5_2.0.21-stable-2+deb8u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYpAdvAAoJEPZk0la0aRp9TBEP/3YluKGe9wOPVjztpz6egmYX
U8EqPN9hBiARn4qcl/Ck3HJFAJpdxRtiM4RMbYTpYsLf3ZlqB4TtcVyVLKJCrHWv
262D+8GK++6nxLDL2o/jC/CnfXL//rLarXEE7SHrIoLVLw7NXK/PmdX6p6xzPAqh
dz/t2zs9rw/AKetFgT1GZ//xE27tkx3SaGrsC6pi4n9g2il4uO6kgPgcpXK+Fu2/
Ia1tZBG52Mo8ZKulRIbHM9KakmmcU0jqEPx3HW/O6Z50IwRbK/cNZ3bX+hx5MSTP
H5Ge+iOvdD2UmPl0p9jcWV3GvVFMJBg1QcgkhL0f2l6ugBefROfZp4FuJL7yVI0F
Arknb6no9glyyVYLyBz6eRzunxr7Nbgx4wYF+m2kYD5tT07tloqvczZkH3AmwDl+
vB4HB6bbbNZHu8L58oNGhVsGa8OS/sQRlAX3LQ8jqpRfT6D1oZvRcsiHMtC40lz4
CugCn5GC0lU/s3J+BW0yWsBgCJlze92XnzxMpuhkvPouKE+n/fZH90RsH6DNZOif
RZPSVs5HUpTIhL8C/ZNWkb1rSQUk8lLinZPKaJSKMimuQBsLVltFaPFWOWJVFdva
n1WjtZTt0tLMP8qR5apzAR58CQ+PzKrMUop9g+alWvvB/FqX6AqVPaavYfO4XAZ4
qbhVu3IxtFfPasqkPY6E
=I1W5
-----END PGP SIGNATURE-----
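Added example (not part of this bug log, and not code from libevent or the Debian packaging): a small Python check that decides whether an installed libevent package version still predates the fixed versions recorded in the two close messages above (2.0.21-stable-3 for unstable, 2.0.21-stable-2+deb8u1 for jessie-security). It re-implements dpkg's version ordering (epoch, upstream version, Debian revision; "~" sorts before everything, digit runs compare numerically) so that it runs on any host; on a Debian system `dpkg --compare-versions` remains the authority. The `dpkg-query` output lines and the function names are constructed for this example.

```python
"""Audit installed libevent package versions against the fixes for
Debian bug #854092 (CVE-2016-10195, CVE-2016-10196, CVE-2016-10197).

The ordering implemented here mirrors dpkg's algorithm.  It is an
illustrative re-implementation, not dpkg itself.
"""

# Fixed versions taken from the close messages in the bug log, by suite.
FIXED_VERSIONS = {
    "unstable": "2.0.21-stable-3",
    "jessie-security": "2.0.21-stable-2+deb8u1",
}
FOUND_VERSION = "2.0.21-stable-2"  # "Found in version" from the bug log

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n' 'libevent*'`
SAMPLE_DPKG_OUTPUT = """\
libevent-2.0-5 2.0.21-stable-2
libevent-core-2.0-5 2.0.21-stable-2+deb8u1
libevent-dev 2.0.21-stable-3
"""


def _order(c: str) -> int:
    """dpkg character order: '~' < end-of-string < letters < everything else."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one upstream-version or revision string the way dpkg does:
    alternate non-digit runs (character by character) and digit runs
    (numerically).  Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character using dpkg's order.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = a[i] if i < len(a) and not a[i].isdigit() else ""
            bc = b[j] if j < len(b) and not b[j].isdigit() else ""
            if _order(ac) != _order(bc):
                return -1 if _order(ac) < _order(bc) else 1
            if ac:
                i += 1
            if bc:
                j += 1
        # Digit run: compare numerically; an absent run counts as 0.
        da = ""
        while i < len(a) and a[i].isdigit():
            da += a[i]
            i += 1
        db = ""
        while j < len(b) and b[j].isdigit():
            db += b[j]
            j += 1
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision).
    The revision is everything after the LAST hyphen, so
    '2.0.21-stable-2+deb8u1' has upstream '2.0.21-stable' and revision
    '2+deb8u1'."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1 if a < b, 0 if equal, 1 if a > b, in dpkg ordering."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_vulnerable(installed: str, suite: str) -> bool:
    """True when `installed` is older than the fixed version for `suite`."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) < 0


def audit(dpkg_output: str, suite: str) -> dict:
    """Map each 'package version' line to (version, still_vulnerable)."""
    result = {}
    for line in dpkg_output.splitlines():
        if line.strip():
            pkg, ver = line.split()
            result[pkg] = (ver, is_vulnerable(ver, suite))
    return result


if __name__ == "__main__":
    for pkg, (ver, vuln) in audit(SAMPLE_DPKG_OUTPUT, "jessie-security").items():
        print(f"{pkg:22} {ver:28} {'VULNERABLE' if vuln else 'fixed'}")
```

The suite matters: 2.0.21-stable-2+deb8u1 is the jessie fix but sorts below 2.0.21-stable-3, so a host tracking unstable is judged against the -3 upload while a jessie host is judged against +deb8u1.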




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 Mar 2017 07:29:29 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:14:26 2019
