mumble: CVE-2019-1000029: DoS due to changing # of allowed users in root channel

Related Vulnerabilities: CVE-2019-1000029  

Debian Bug report logs - #920476


Reported by: Chris Knadle <Chris.Knadle@coredump.us>

Date: Fri, 25 Jan 2019 23:45:02 UTC

Severity: serious

Tags: fixed-upstream, security, upstream

Found in version mumble/1.3.0~git20190114.9fcc588+dfsg-1

Fixed in version mumble/1.3.0~git20190125.440b173+dfsg-1

Done: Christopher Knadle <Chris.Knadle@coredump.us>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/mumble-voip/mumble/issues/3585



Report forwarded to debian-bugs-dist@lists.debian.org, Christopher Knadle <Chris.Knadle@coredump.us>:
Bug#920476; Package mumble. (Fri, 25 Jan 2019 23:45:04 GMT)


Acknowledgement sent to Chris Knadle <Chris.Knadle@coredump.us>:
New Bug report received and forwarded. Copy sent to Christopher Knadle <Chris.Knadle@coredump.us>. (Fri, 25 Jan 2019 23:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Chris Knadle <Chris.Knadle@coredump.us>
To: Debian Bug Tracking System <submit@bugs.debian.org>, Debian Security Team <team@security.debian.org>
Subject: security issue: DoS due to changing # of allowed users in root channel
Date: Fri, 25 Jan 2019 23:43:28 +0000
Package: mumble
Version: 1.3.0~git20190114.9fcc588+dfsg-1
Severity: serious
Tags: security fixed-upstream pending


A vulnerability has been discovered whereby a remote unauthenticated user
connected to the server can send a crafted packet to change the number of
allowed users in the root channel to 0, thereby disallowing users to connect to
the server and causing a Denial of Service.  All versions of mumble-server prior
to the fix in Mumble issue #3586 on 2019-01-25 are affected.

   https://github.com/mumble-voip/mumble/issues/3585

A new upload of mumble is being prepared to fix this issue.

   -- Chris

-- 
Chris Knadle
Chris.Knadle@coredump.us


Reply sent to Christopher Knadle <Chris.Knadle@coredump.us>:
You have taken responsibility. (Sat, 26 Jan 2019 20:51:13 GMT)


Notification sent to Chris Knadle <Chris.Knadle@coredump.us>:
Bug acknowledged by developer. (Sat, 26 Jan 2019 20:51:13 GMT)


Message #10 received at 920476-close@bugs.debian.org:

From: Christopher Knadle <Chris.Knadle@coredump.us>
To: 920476-close@bugs.debian.org
Subject: Bug#920476: fixed in mumble 1.3.0~git20190125.440b173+dfsg-1
Date: Sat, 26 Jan 2019 20:49:46 +0000
Source: mumble
Source-Version: 1.3.0~git20190125.440b173+dfsg-1

We believe that the bug you reported is fixed in the latest version of
mumble, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 920476@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christopher Knadle <Chris.Knadle@coredump.us> (supplier of updated mumble package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 26 Jan 2019 03:33:10 +0000
Source: mumble
Binary: mumble mumble-server
Architecture: source
Version: 1.3.0~git20190125.440b173+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Christopher Knadle <Chris.Knadle@coredump.us>
Changed-By: Christopher Knadle <Chris.Knadle@coredump.us>
Description:
 mumble     - Low latency encrypted VoIP client
 mumble-server - Low latency encrypted VoIP server
Closes: 919453 920237 920476
Changes:
 mumble (1.3.0~git20190125.440b173+dfsg-1) unstable; urgency=high
 .
   [ Helmut Grohne ]
   * debian/patches:
     - Add 60-crossbuild.diff to remove hard coded call to pkg-config
       to allow Mumble to be cross buildable
       Fixes "FTCBFS: builds for the wrong architecture"  (Closes: #919453)
   * debian/rules:
     - Merge qmake call into dh_auto_configure so qmake gets called only once
 .
   [ Christopher Knadle ]
   * New upstream git snapshot from 2019-01-25
     - Fixes "security issue: DoS due to changing # of allowed users in root
       channel"  (Closes: #920476)
       Thanks to "The Zom.bi Community" for finding the bug and fixing it
       upstream.
     - Fixes "lost list of server configurated"  (Closes: #920237)
       Thanks to petrohs <petrohs@gmail.com> for reporting the bug, and to
       Antoine Beaupré <anarcat@debian.org> for discussing the bug upstream
       more in issue #1702 to verify that the prior fix was insufficient
   * debian/copyright:
     - Update directory location for codecs to be under 3rdparty/ rather than
       softlinks
Checksums-Sha1:
Checksums-Sha256:
Files:





Set Bug forwarded-to-address to 'https://github.com/mumble-voip/mumble/issues/3585'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 27 Jan 2019 20:45:05 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 27 Jan 2019 20:45:05 GMT)


Changed Bug title to 'mumble: CVE-2019-1000029: DoS due to changing # of allowed users in root channel' from 'security issue: DoS due to changing # of allowed users in root channel'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 19 Feb 2019 05:24:06 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 Mar 2019 07:31:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:53:16 2019; Machine Name: beach
