needrestart: Security fix in new release (3.6)

Related Vulnerabilities: CVE-2022-30688  

Debian Bug report logs - #1011154


Reported by: Amin Vakil <info@aminvakil.com>

Date: Tue, 17 May 2022 15:48:01 UTC

Severity: normal

Tags: fixed-upstream, security, upstream

Found in versions needrestart/3.4-5, needrestart/3.5-5, needrestart/3.5-4

Fixed in versions 3.5-4+deb11u1, 3.6-1, 3.4-5+deb10u1

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, info@aminvakil.com, team@security.debian.org, Patrick Matthäi <pmatthaei@debian.org>:
Bug#1011154; Package needrestart. (Tue, 17 May 2022 15:48:04 GMT)


Acknowledgement sent to Amin Vakil <info@aminvakil.com>:
New Bug report received and forwarded. Copy sent to info@aminvakil.com, team@security.debian.org, Patrick Matthäi <pmatthaei@debian.org>. (Tue, 17 May 2022 15:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Amin Vakil <info@aminvakil.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: needrestart: Security fix in new release (3.6)
Date: Tue, 17 May 2022 20:14:52 +0430
Package: needrestart
Version: 3.4-5
Severity: normal
Tags: security

CVE-2022-30688: Anchor interpreter regex to prevent local privilege escalation.
(responsibly reported by Jakub Wilk)
https://github.com/liske/needrestart/releases/tag/v3.6

-- Package-specific info:
needrestart output:



-- System Information:
Debian Release: 10.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-20-cloud-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages needrestart depends on:
ii  binutils                   2.31.1-16
ii  dpkg                       1.19.7
ii  gettext-base               0.19.8.1-9
ii  libintl-perl               1.26-2
ii  libmodule-find-perl        0.13-1
ii  libmodule-scandeps-perl    1.27-1
ii  libproc-processtable-perl  0.56-1
ii  libsort-naturally-perl     1.03-2
ii  libterm-readkey-perl       2.38-1
ii  perl                       5.28.1-6+deb10u1
ii  xz-utils                   5.2.4-1+deb10u1

Versions of packages needrestart recommends:
ii  libpam-systemd  241-7~deb10u8

Versions of packages needrestart suggests:
pn  iucode-tool                          <none>
pn  needrestart-session | libnotify-bin  <none>

-- no debconf information
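The report above names the fix in one line: anchor the interpreter regex. The following is an added illustration, not code from needrestart, from the bug report or from Debian, of why an unanchored interpreter check is dangerous for a tool that runs as root and acts on processes it classifies as interpreters. The patterns, process list and PIDs are constructed for the demonstration; needrestart's real patterns and process-table handling are not on this page. Python is used here so the block runs stand-alone; the anchoring principle is the same in Perl, which needrestart is written in.

```python
import re

# Constructed sample process table: (pid, executable path). Not real needrestart data.
SAMPLE_PROCESSES = [
    (101, "/usr/bin/perl"),
    (102, "/usr/bin/perl5.28.1"),
    (103, "/usr/bin/python3.7"),
    (104, "/usr/local/bin/ruby2.5"),
    (105, "/home/alice/tools/perl-colour-picker"),  # unrelated binary; name merely contains "perl"
    (106, "/opt/notpython/bin/python-proxy"),       # unrelated binary; path merely contains "python"
    (107, "/usr/sbin/sshd"),
]

# Weak detection: an unanchored substring match anywhere in the executable path.
# This is an assumed shape of the pre-3.6 check, constructed for illustration.
UNANCHORED = {
    "perl": re.compile(r"perl"),
    "python": re.compile(r"python"),
    "ruby": re.compile(r"ruby"),
}

# Hardened detection: the interpreter name must be the whole final path component,
# optionally followed by a version suffix such as 5.28.1 or 3.7, and nothing else.
ANCHORED = {
    "perl": re.compile(r"/perl[\d.]*$"),
    "python": re.compile(r"/python[\d.]*$"),
    "ruby": re.compile(r"/ruby[\d.]*$"),
}


def classify(path, patterns):
    """Return the interpreter name whose pattern matches `path`, or None if no pattern matches."""
    for name, rx in patterns.items():
        if rx.search(path):
            return name
    return None


def detect_interpreters(processes, patterns):
    """Map each PID to the interpreter it is classified as (or None) under the given patterns."""
    return {pid: classify(path, patterns) for pid, path in processes}


def misclassified(processes):
    """PIDs the weak check would treat as an interpreter but the anchored check rejects.

    Every PID returned here is a process a privileged tool would have trusted as a
    known interpreter purely because a substring appeared somewhere in its path.
    """
    weak = detect_interpreters(processes, UNANCHORED)
    strict = detect_interpreters(processes, ANCHORED)
    return sorted(pid for pid in weak if weak[pid] is not None and strict[pid] is None)


if __name__ == "__main__":
    for pid, path in SAMPLE_PROCESSES:
        print(pid, path, "weak:", classify(path, UNANCHORED), "anchored:", classify(path, ANCHORED))
    print("misclassified by the unanchored check:", misclassified(SAMPLE_PROCESSES))
```

On the constructed table, the anchored patterns still recognise the genuine interpreters (including versioned names like perl5.28.1 and python3.7) while rejecting the two unrelated binaries that the substring match would have accepted. Anchoring restricts the match to the basename and an optional version suffix; it says nothing about where the executable lives or who owns it, so a privileged tool should treat such a match as a hint to be combined with its other checks rather than as proof of identity.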



Marked as fixed in versions 3.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 17 May 2022 15:54:03 GMT)


Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 17 May 2022 15:54:03 GMT)


Notification sent to Amin Vakil <info@aminvakil.com>:
Bug acknowledged by developer. (Tue, 17 May 2022 15:54:04 GMT)


Marked as fixed in versions 3.5-4+deb11u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 17 May 2022 15:54:04 GMT)


Marked as fixed in versions 3.4-5+deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 17 May 2022 15:54:05 GMT)


Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 17 May 2022 15:54:05 GMT)


Message sent on to Amin Vakil <info@aminvakil.com>:
Bug#1011154. (Tue, 17 May 2022 15:54:07 GMT)


Message #20 received at 1011154-submitter@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 1011154-submitter@bugs.debian.org
Subject: closing 1011154, closing 1011154, closing 1011154, tagging 1011154
Date: Tue, 17 May 2022 17:51:00 +0200
close 1011154 3.6-1
close 1011154 3.5-4+deb11u1
close 1011154 3.4-5+deb10u1
tags 1011154 + upstream fixed-upstream
thanks




Marked as found in versions needrestart/3.5-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 17 May 2022 19:03:02 GMT)


Marked as found in versions needrestart/3.5-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 17 May 2022 19:03:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 18 13:12:27 2022; Machine Name: buxtehude
