libuv: CVE-2015-0278: incorrect revocation order while relinquishing privileges

Related Vulnerabilities: CVE-2015-0278  

Debian Bug report logs - #779173
libuv: CVE-2015-0278: incorrect revocation order while relinquishing privileges


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 25 Feb 2015 06:15:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version libuv/0.10.28-5

Fixed in version libuv/0.10.28-6

Done: Luca Bruno <lucab@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#779173; Package src:libuv. (Wed, 25 Feb 2015 06:15:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Wed, 25 Feb 2015 06:15:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libuv: CVE-2015-0278: incorrect revocation order while relinquishing privileges
Date: Wed, 25 Feb 2015 07:13:19 +0100
Source: libuv
Version: 0.10.28-5
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for libuv.

CVE-2015-0278[0]:
incorrect revocation order while relinquishing privileges

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-0278
[1] https://github.com/libuv/libuv/commit/66ab38918c911bcff025562cf06237d7fedaba0c
[2] https://github.com/libuv/libuv/pull/215
[3] https://groups.google.com/d/msg/libuv/0JZxwLMtsMI/jraczskYWWQJ

Regards,
Salvatore



Reply sent to Luca Bruno <lucab@debian.org>:
You have taken responsibility. (Wed, 25 Feb 2015 15:21:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 25 Feb 2015 15:21:05 GMT)


Message #10 received at 779173-close@bugs.debian.org:

From: Luca Bruno <lucab@debian.org>
To: 779173-close@bugs.debian.org
Subject: Bug#779173: fixed in libuv 0.10.28-6
Date: Wed, 25 Feb 2015 15:20:21 +0000
Source: libuv
Source-Version: 0.10.28-6

We believe that the bug you reported is fixed in the latest version of
libuv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779173@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luca Bruno <lucab@debian.org> (supplier of updated libuv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 25 Feb 2015 10:50:58 +0100
Source: libuv
Binary: libuv0.10-dev libuv0.10 libuv0.10-dbg
Architecture: source
Version: 0.10.28-6
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Luca Bruno <lucab@debian.org>
Description:
 libuv0.10  - asynchronous event notification library - runtime library
 libuv0.10-dbg - asynchronous event notification library - debugging symbols
 libuv0.10-dev - asynchronous event notification library - development files
Closes: 779173
Changes:
 libuv (0.10.28-6) unstable; urgency=high
 .
   * Backported: call setgroups before calling setuid/setgid
     (Closes: #779173 - CVE-2015-0278)
Checksums-Sha1:
 310b995620da7d7a6385c2f70e49a23b1d3811df 2056 libuv_0.10.28-6.dsc
 892ca2c1cb6c53ee3619af3ff1874b0e847cb4e6 8244 libuv_0.10.28-6.debian.tar.xz
Checksums-Sha256:
 15092c8222efffd880e4624b1e8a99e7c06624d5af52b6308a58f34fed9708b2 2056 libuv_0.10.28-6.dsc
 ff9231561a0ad85803a9c3887c8be843d3dd9c401440ed16dbd5479a2adf2215 8244 libuv_0.10.28-6.debian.tar.xz
Files:
 326861f04754625ff1b0933a451393f8 2056 libs optional libuv_0.10.28-6.dsc
 dca20963f37ae3c0d4f1f4c98942721b 8244 libs optional libuv_0.10.28-6.debian.tar.xz

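The changelog entry in the message above names the fix for CVE-2015-0278: supplementary groups have to be cleared with setgroups() while the process is still root, because once setuid() has run the call fails with EPERM and the groups inherited from the privileged parent stay attached to the now-unprivileged process. The C program below is an added example, not libuv's code and not the Debian patch. It puts the pre-fix and fixed call orders side by side against a small pluggable syscall table so both can be exercised without root; struct priv_ops, the fake_* functions, the constructed group list (0 and 4) and the target ids 65534 are all assumptions made for illustration. It also includes the post-drop check a real daemon should run on itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Pluggable syscall table (assumed name): production code points it at
 * libc; the fake below models the kernel's permission rule instead. */
struct priv_ops {
    int (*setgroups)(size_t n, const gid_t *list);
    int (*setgid)(gid_t gid);
    int (*setuid)(uid_t uid);
};

/* Pre-fix order (the CVE-2015-0278 bug): setgroups() runs after the process
 * has given up root, so it fails and the inherited supplementary groups stay
 * attached to the unprivileged process. */
int drop_privileges_unsafe(const struct priv_ops *ops, uid_t uid, gid_t gid) {
    if (ops->setgid(gid) != 0) return -1;
    if (ops->setuid(uid) != 0) return -1;
    if (ops->setgroups(0, NULL) != 0) return -1;   /* EPERM: too late */
    return 0;
}

/* Fixed order: clear supplementary groups first (still root), then the
 * primary gid, and only then the uid, which is the irreversible step. */
int drop_privileges_safe(const struct priv_ops *ops, uid_t uid, gid_t gid) {
    if (ops->setgroups(0, NULL) != 0) return -1;
    if (ops->setgid(gid) != 0) return -1;
    if (ops->setuid(uid) != 0) return -1;
    return 0;
}

/* Post-drop verification on a real process: every id matches the target and
 * no supplementary group is gid 0. getgroups() needs no privilege. */
int privileges_dropped(uid_t uid, gid_t gid) {
    gid_t groups[64];
    int n, i;
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    n = getgroups((int)(sizeof groups / sizeof groups[0]), groups);
    if (n < 0) return 0;              /* EINVAL: more groups than we inspect */
    for (i = 0; i < n; i++)
        if (groups[i] == 0) return 0;
    return 1;
}

/* Real table for production use. */
static const struct priv_ops real_ops = { setgroups, setgid, setuid };

/* Fake kernel: a process has an euid, an egid and a supplementary group list,
 * and all three calls need euid 0 (CAP_SETUID/CAP_SETGID on real Linux). */
static struct { uid_t euid; gid_t egid; size_t ngroups; gid_t groups[4]; } fk;

static int fake_setgroups(size_t n, const gid_t *list) {
    if (fk.euid != 0 || n > 4) { errno = EPERM; return -1; }
    fk.ngroups = n;
    if (n > 0) memcpy(fk.groups, list, n * sizeof(gid_t));
    return 0;
}
static int fake_setgid(gid_t gid) {
    if (fk.euid != 0 && gid != fk.egid) { errno = EPERM; return -1; }
    fk.egid = gid;
    return 0;
}
static int fake_setuid(uid_t uid) {
    if (fk.euid != 0 && uid != fk.euid) { errno = EPERM; return -1; }
    fk.euid = uid;
    return 0;
}
static const struct priv_ops fake_ops = { fake_setgroups, fake_setgid, fake_setuid };

/* Reset the fake to a root process carrying constructed supplementary groups
 * 0 (root) and 4 (adm), the way a daemon started by init might. */
void fake_reset_root(void) {
    fk.euid = 0; fk.egid = 0;
    fk.ngroups = 2; fk.groups[0] = 0; fk.groups[1] = 4;
}
/* The check a reviewer of this fix cares about: did a privileged group survive? */
int fake_has_root_group(void) {
    size_t i;
    for (i = 0; i < fk.ngroups; i++)
        if (fk.groups[i] == 0) return 1;
    return 0;
}
int fake_euid(void) { return (int)fk.euid; }

int main(void) {
    uid_t uid = 65534; gid_t gid = 65534;      /* constructed target ids */
    int rc;
    if (geteuid() != 0) {                      /* no root: show both orders on the fake */
        fake_reset_root();
        rc = drop_privileges_unsafe(&fake_ops, uid, gid);
        printf("unsafe order: rc=%d euid=%d root group kept=%d\n", rc, fake_euid(), fake_has_root_group());
        fake_reset_root();
        rc = drop_privileges_safe(&fake_ops, uid, gid);
        printf("safe order:   rc=%d euid=%d root group kept=%d\n", rc, fake_euid(), fake_has_root_group());
        return 0;
    }
    if (drop_privileges_safe(&real_ops, uid, gid) != 0) { perror("drop_privileges_safe"); return 1; }
    printf("dropped to %u:%u, verified=%d\n", (unsigned)uid, (unsigned)gid, privileges_dropped(uid, gid));
    return 0;
}
```

Run as an ordinary user it exercises both orders on the fake and shows that the unsafe order ends with euid 65534 but group 0 still attached; run as root it performs the real drop and reports whether privileges_dropped() confirms it. Treating a failed setgroups() as fatal rather than ignoring its return value is the other half of the defence: a daemon that logs and continues after EPERM is exactly the state this CVE describes.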




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 28 Mar 2015 07:28:47 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:11:27 2019; Machine Name: beach
