ntopng: Several vulnerabilities fixed upstream in 1.2.1

Debian Bug report logs - #760990
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 9 Sep 2014 18:09:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Fixed in version ntopng/1.2.1+dfsg1-1

Done: Ludovico Cavedon <cavedon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ludovico Cavedon <cavedon@debian.org>:
Bug#760990; Package src:ntopng. (Tue, 09 Sep 2014 18:09:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ludovico Cavedon <cavedon@debian.org>. (Tue, 09 Sep 2014 18:09:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ntopng: Several vulnerabilities fixed upstream in 1.2.1
Date: Tue, 09 Sep 2014 20:06:58 +0200
Source: ntopng
Severity: grave
Tags: security upstream fixed-upstream

Hi Ludovico,

Marking this bug report as grave, as more information seems a bit
scarce, so I was not able to identify the issues. There is an upstream
report [1] which mentions several fixes were done in ntopng 1.2.1.

 [1] http://www.ntop.org/ndpi/released-ndpi-1-5-1-and-ntopng-1-2-1/

> Fixes for
>  - CVE-2014-5464 

>  - CVE-2014-4329

Strangely this was marked as fixed in 1.2.0+dfsg1-1 in the security
tracker at [2]. Is this information correct?

 [2] https://security-tracker.debian.org/tracker/CVE-2014-4329

>  - CVE-2014-5511, CVE-2014-5512, CVE-2014-5513, CVE-2014-5514,
>    CVE-2014-5515

No information referenced for these in the advisory.

Could you have a look at them and also clarify if CVE-2014-4329
version information is wrong in the tracker?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#760990; Package src:ntopng. (Wed, 10 Sep 2014 00:18:05 GMT)


Acknowledgement sent to Ludovico Cavedon <cavedon@debian.org>:
Extra info received and forwarded to list. (Wed, 10 Sep 2014 00:18:05 GMT)


Message #10 received at 760990@bugs.debian.org:

From: Ludovico Cavedon <cavedon@debian.org>
To: Luca Deri <deri@ntop.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 760990@bugs.debian.org
Subject: Re: Bug#760990: ntopng: Several vulnerabilities fixed upstream in 1.2.1
Date: Tue, 9 Sep 2014 17:14:12 -0700
Hi Luca,

my understanding (supported by a simple test and code check) was that
CVE-2014-4329 was fixed in version 1.2.0
https://svn.ntop.org/bugzilla/show_bug.cgi?id=379

However, as Salvatore noticed, it is announced as being fixed in version 1.2.1.

Can you confirm which version fixed it, please?

Thanks,
Ludovico

On Tue, Sep 9, 2014 at 11:06 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Source: ntopng
> Severity: grave
> Tags: security upstream fixed-upstream
>
> Hi Ludovico,
>
> Marking this bug report as grave, as more information seems a bit
> scarce, so I was not able to identify the issues. There is an upstream
> report [1] which mentions several fixes were done in ntopng 1.2.1.
>
>  [1] http://www.ntop.org/ndpi/released-ndpi-1-5-1-and-ntopng-1-2-1/
>
>> Fixes for
>>  - CVE-2014-5464
>
>>  - CVE-2014-4329
>
> Strangely this was marked as fixed in 1.2.0+dfsg1-1 in the security
> tracker at [2]. Is this information correct?
>
>  [2] https://security-tracker.debian.org/tracker/CVE-2014-4329
>
>>  - CVE-2014-5511, CVE-2014-5512, CVE-2014-5513, CVE-2014-5514,
>>    CVE-2014-5515
>
> No information referenced for these in the advisory.
>
> Could you have a look at them and also clarify if CVE-2014-4329
> version information is wrong in the tracker?
>
> Regards,
> Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Ludovico Cavedon <cavedon@debian.org>:
Bug#760990; Package src:ntopng. (Wed, 10 Sep 2014 07:00:16 GMT)


Acknowledgement sent to Luca Deri <deri@ntop.org>:
Extra info received and forwarded to list. Copy sent to Ludovico Cavedon <cavedon@debian.org>. (Wed, 10 Sep 2014 07:00:16 GMT)


Message #15 received at 760990@bugs.debian.org:

From: Luca Deri <deri@ntop.org>
To: Ludovico Cavedon <cavedon@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 760990@bugs.debian.org
Subject: Re: Bug#760990: ntopng: Several vulnerabilities fixed upstream in 1.2.1
Date: Wed, 10 Sep 2014 08:52:28 +0200
Ludovico,
correct, it is already fixed in 1.2.0, but in 1.2.1 we have improved the security checks.

Luca

On 10 Sep 2014, at 02:14, Ludovico Cavedon <cavedon@debian.org> wrote:

> Hi Luca,
> 
> my understanding (supported by a simple test and code check) was that
> CVE-2014-4329 was fixed in version 1.2.0
> https://svn.ntop.org/bugzilla/show_bug.cgi?id=379
> 
> However, as Salvatore noticed, it is announced as being fixed in version 1.2.1.
> 
> Can you confirm which version fixed it, please?
> 
> Thanks,
> Ludovico
> 
> On Tue, Sep 9, 2014 at 11:06 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
>> Source: ntopng
>> Severity: grave
>> Tags: security upstream fixed-upstream
>> 
>> Hi Ludovico,
>> 
>> Marking this bug report as grave, as more information seems a bit
>> scarce, so I was not able to identify the issues. There is an upstream
>> report [1] which mentions several fixes were done in ntopng 1.2.1.
>> 
>> [1] http://www.ntop.org/ndpi/released-ndpi-1-5-1-and-ntopng-1-2-1/
>> 
>>> Fixes for
>>> - CVE-2014-5464
>> 
>>> - CVE-2014-4329
>> 
>> Strangely this was marked as fixed in 1.2.0+dfsg1-1 in the security
>> tracker at [2]. Is this information correct?
>> 
>> [2] https://security-tracker.debian.org/tracker/CVE-2014-4329
>> 
>>> - CVE-2014-5511, CVE-2014-5512, CVE-2014-5513, CVE-2014-5514,
>>>   CVE-2014-5515
>> 
>> No information referenced for these in the advisory.
>> 
>> Could you have a look at them and also clarify if CVE-2014-4329
>> version information is wrong in the tracker?
>> 
>> Regards,
>> Salvatore




Reply sent to Ludovico Cavedon <cavedon@debian.org>:
You have taken responsibility. (Sat, 13 Sep 2014 19:09:32 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 13 Sep 2014 19:09:32 GMT)


Message #20 received at 760990-close@bugs.debian.org:

From: Ludovico Cavedon <cavedon@debian.org>
To: 760990-close@bugs.debian.org
Subject: Bug#760990: fixed in ntopng 1.2.1+dfsg1-1
Date: Sat, 13 Sep 2014 19:04:40 +0000
Source: ntopng
Source-Version: 1.2.1+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
ntopng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 760990@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovico Cavedon <cavedon@debian.org> (supplier of updated ntopng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 09 Sep 2014 21:57:04 -0700
Source: ntopng
Binary: ntopng ntopng-dbg ntopng-data
Architecture: source amd64 all
Version: 1.2.1+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Ludovico Cavedon <cavedon@debian.org>
Changed-By: Ludovico Cavedon <cavedon@debian.org>
Description:
 ntopng     - High-Speed Web-based Traffic Analysis and Flow Collection Tool
 ntopng-data - High-Speed Web-based Traffic Analysis and Flow Collection Tool (d
 ntopng-dbg - High-Speed Web-based Traffic Analysis and Flow Collection Tool (d
Closes: 760990
Changes:
 ntopng (1.2.1+dfsg1-1) unstable; urgency=medium
 .
   * Imported Upstream version 1.2.1+dfsg1 (Closes: #760990, CVE-2014-5464,
     CVE-2014-5511, CVE-2014-5512, CVE-2014-5513, CVE-2014-5514,
     CVE-2014-5515).
   * Remove patches merged upstream: build-flags.patch, libndpi-external.patch,
     manpage.patch, no-svn.patch, path-defaults.patch, remove-libs.patch, and
     rickshaw.patch.
   * Add no-librt.patch to avoid unneeded linking against librt.
   * Fix typos in copyright and removed stanzas for removed files.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Oct 2014 07:43:11 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:19:45 2019; Machine Name: beach
