libxdmcp: CVE-2017-2625: Weak entropy usage for session keys in libxdm

Debian Bug report logs - #856399

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 28 Feb 2017 15:54:02 UTC

Severity: important

Tags: security, upstream

Found in version libxdmcp/1:1.1.1-1

Fixed in version libxdmcp/1:1.1.2-2

Done: Emilio Pozuelo Monfort <pochu@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#856399; Package src:libxdmcp. (Tue, 28 Feb 2017 15:54:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian X Strike Force <debian-x@lists.debian.org>. (Tue, 28 Feb 2017 15:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxdmcp: CVE-2017-2625: Weak entropy usage for session keys in libxdm
Date: Tue, 28 Feb 2017 16:50:42 +0100
Source: libxdmcp
Version: 1:1.1.1-1
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for libxdmcp.

CVE-2017-2625[0]:
Weak entropy usage for session keys in libxdm

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2625
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2625

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Emilio Pozuelo Monfort <pochu@debian.org>:
You have taken responsibility. (Tue, 28 Feb 2017 22:09:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 28 Feb 2017 22:09:09 GMT)


Message #10 received at 856399-close@bugs.debian.org:

From: Emilio Pozuelo Monfort <pochu@debian.org>
To: 856399-close@bugs.debian.org
Subject: Bug#856399: fixed in libxdmcp 1:1.1.2-2
Date: Tue, 28 Feb 2017 22:04:48 +0000
Source: libxdmcp
Source-Version: 1:1.1.2-2

We believe that the bug you reported is fixed in the latest version of
libxdmcp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 856399@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@debian.org> (supplier of updated libxdmcp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 28 Feb 2017 22:47:22 +0100
Source: libxdmcp
Binary: libxdmcp6 libxdmcp6-udeb libxdmcp6-dbg libxdmcp-dev
Architecture: source
Version: 1:1.1.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Description:
 libxdmcp-dev - X11 authorisation library (development headers)
 libxdmcp6  - X11 Display Manager Control Protocol library
 libxdmcp6-dbg - X11 authorisation library (debug package)
 libxdmcp6-udeb - X11 Display Manager Control Protocol library (udeb)
Closes: 856399
Changes:
 libxdmcp (1:1.1.2-2) unstable; urgency=medium
 .
   * CVE-2017-2625: Build-depend on libbsd-dev for arc4random_buf.
     Closes: #856399.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 03 Apr 2017 07:30:43 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:56:55 2019; Machine Name: buxtehude