Debian Bug report logs - #869242
CVE-2017-11468

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 21 Jul 2017 21:39:01 UTC

Severity: important

Tags: security

Found in version docker-registry/2.6.0~rc.1+git20161216.38.28602af3-1

Fixed in version docker-registry/2.6.2~ds1-1

Done: Konstantinos Margaritis <markos@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, pkg-go <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#869242; Package src:docker-registry. (Fri, 21 Jul 2017 21:39:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, pkg-go <pkg-go-maintainers@lists.alioth.debian.org>. (Fri, 21 Jul 2017 21:39:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-11468
Date: Fri, 21 Jul 2017 23:35:10 +0200
Source: docker-registry
Severity: important
Tags: security

Please see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11468

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, pkg-go <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#869242; Package src:docker-registry. (Fri, 21 Jul 2017 22:21:05 GMT)


Acknowledgement sent to Tianon Gravi <tianon@debian.org>:
Extra info received and forwarded to list. Copy sent to pkg-go <pkg-go-maintainers@lists.alioth.debian.org>. (Fri, 21 Jul 2017 22:21:05 GMT)


Message #10 received at 869242@bugs.debian.org:

From: Tianon Gravi <tianon@debian.org>
To: 869242@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: [pkg-go] Bug#869242: CVE-2017-11468
Date: Fri, 21 Jul 2017 15:17:30 -0700
On 21 July 2017 at 14:35, Moritz Muehlenhoff <jmm@debian.org> wrote:
> Please see
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11468

Thanks for the report!  I've started looking into the fix, and will
include my notes here:

https://github.com/docker/distribution/releases/tag/v2.6.2 is the
release which fixes this (and it links to
https://github.com/docker/distribution/commit/29fa466debaabb64f8559116bbffd20a289d523c
as the specific commit which does so).

A plain "dch -v 2.6.2~ds1-1" is _not_ sufficient to get a working
build (needs some dependency updates, I think, since we're currently
on v2.6.0-rc.1 + a few commits and upstream has obviously made some
changes since then).

Given that the package is only in unstable, I'll likely commit my WIP
bump to 2.6.2 to Git once I'm done looking around at how much it's
going to take to update (whether it's building successfully or not).


♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4



Information forwarded to debian-bugs-dist@lists.debian.org, pkg-go <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#869242; Package src:docker-registry. (Fri, 21 Jul 2017 22:21:06 GMT)


Acknowledgement sent to Tianon Gravi <tianon@debian.org>:
Extra info received and forwarded to list. Copy sent to pkg-go <pkg-go-maintainers@lists.alioth.debian.org>. (Fri, 21 Jul 2017 22:21:06 GMT)


Message #15 received at 869242@bugs.debian.org:

From: Tianon Gravi <tianon@debian.org>
To: 869242@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: [pkg-go] Bug#869242: CVE-2017-11468
Date: Fri, 21 Jul 2017 15:19:50 -0700
On 21 July 2017 at 15:17, Tianon Gravi <tianon@debian.org> wrote:
> https://github.com/docker/distribution/releases/tag/v2.6.2 is the
> release which fixes this (and it links to
> https://github.com/docker/distribution/commit/29fa466debaabb64f8559116bbffd20a289d523c
> as the specific commit which does so).

They also updated the 2.5 branch in
https://github.com/docker/distribution/releases/tag/v2.5.2, so if we
end up cherry-picking the CVE fixing patch instead of bumping,
https://github.com/docker/distribution/commit/58d239d723efbc2b2935ddc8816b51d355525989
might apply easier (haven't looked at applying either, just noting it
for completeness).

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4



Information forwarded to debian-bugs-dist@lists.debian.org, pkg-go <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#869242; Package src:docker-registry. (Fri, 21 Jul 2017 22:45:03 GMT)


Message #18 received at 869242@bugs.debian.org:

From: pkg-go-maintainers@lists.alioth.debian.org
To: 869242@bugs.debian.org, 869242-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the golang-github-docker-distribution package
Date: Fri, 21 Jul 2017 22:40:08 +0000
tag 869242 + pending
thanks

Some bugs in the golang-github-docker-distribution package are closed
in revision 700cebb06dd653d22515e6a5e6a342fc2983f9d2 in branch
'master' by Tianon Gravi

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-go/packages/golang-github-docker-distribution.git/commit/?id=700cebb

Commit message:

    Update to 2.6.2 upstream release
    
    - Fixes CVE-2017-11468 (Closes: #869242)
    - https://github.com/docker/distribution/releases/tag/v2.6.2




Added tag(s) pending. Request was from pkg-go-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Fri, 21 Jul 2017 22:45:04 GMT)


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#869242. (Fri, 21 Jul 2017 22:45:08 GMT)


Marked as found in versions docker-registry/2.6.0~rc.1+git20161216.38.28602af3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 22 Jul 2017 06:39:03 GMT)


Reply sent to Konstantinos Margaritis <markos@debian.org>:
You have taken responsibility. (Wed, 09 Aug 2017 15:15:03 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 09 Aug 2017 15:15:03 GMT)


Message #30 received at 869242-close@bugs.debian.org:

From: Konstantinos Margaritis <markos@debian.org>
To: 869242-close@bugs.debian.org
Subject: Bug#869242: fixed in docker-registry 2.6.2~ds1-1
Date: Wed, 09 Aug 2017 15:10:55 +0000
Source: docker-registry
Source-Version: 2.6.2~ds1-1

We believe that the bug you reported is fixed in the latest version of
docker-registry, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 869242@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Konstantinos Margaritis <markos@debian.org> (supplier of updated docker-registry package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 09 Aug 2017 17:29:31 +0300
Source: docker-registry
Binary: docker-registry golang-github-docker-distribution-dev
Architecture: source amd64 all
Version: 2.6.2~ds1-1
Distribution: unstable
Urgency: medium
Maintainer: pkg-go <pkg-go-maintainers@lists.alioth.debian.org>
Changed-By: Konstantinos Margaritis <markos@debian.org>
Description:
 docker-registry - Docker toolset to pack, ship, store, and deliver content
 golang-github-docker-distribution-dev - Docker toolset to pack, ship, store, and deliver content (source)
Closes: 869242
Changes:
 docker-registry (2.6.2~ds1-1) unstable; urgency=medium
 .
   [ Tianon Gravi ]
   * Update to 2.6.2 upstream release
     - Fixes CVE-2017-11468 (Closes: #869242)
     - https://github.com/docker/distribution/releases/tag/v2.6.2
 .
   [ Konstantinos Margaritis ]
   * Replace golang-go with golang-any in Build-Depends, remove golang-go from
     Depends





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 Sep 2017 07:27:23 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:10:19 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.