libcrypto++: CVE-2016-9939: denial-of-service in ASN1 decoder

Related Vulnerabilities: CVE-2016-9939  

Debian Bug report logs - #848009
libcrypto++: CVE-2016-9939: denial-of-service in ASN1 decoder


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 13 Dec 2016 05:54:01 UTC

Severity: important

Tags: security, upstream

Found in version libcrypto++/5.6.4-4

Fixed in versions libcrypto++/5.6.4-5, libcrypto++/5.6.1-6+deb8u3

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/weidai11/cryptopp/issues/346




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#848009; Package src:libcrypto++. (Tue, 13 Dec 2016 05:54:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 13 Dec 2016 05:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libcrypto++: CVE-2016-9939: denial-of-service in ASN1 decoder
Date: Tue, 13 Dec 2016 06:51:00 +0100
Source: libcrypto++
Version: 5.6.4-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/weidai11/cryptopp/issues/346

Hi,

the following vulnerability was published for libcrypto++.

CVE-2016-9939[0]:
denial-of-service in ASN1 decoder

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9939
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9939

Please adjust the affected versions in the BTS as needed, at least sid
is sourcewise affected afaics, older versions not checked.

Regards,
Salvatore



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Fri, 23 Dec 2016 21:36:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 23 Dec 2016 21:36:07 GMT)


Message #10 received at 848009-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 848009-close@bugs.debian.org
Subject: Bug#848009: fixed in libcrypto++ 5.6.4-5
Date: Fri, 23 Dec 2016 21:34:13 +0000
Source: libcrypto++
Source-Version: 5.6.4-5

We believe that the bug you reported is fixed in the latest version of
libcrypto++, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 848009@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated libcrypto++ package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 23 Dec 2016 20:54:36 +0000
Source: libcrypto++
Binary: libcrypto++6 libcrypto++6-dbg libcrypto++-dev libcrypto++-utils libcrypto++-doc
Architecture: source amd64 all
Version: 5.6.4-5
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 libcrypto++-dev - General purpose cryptographic library - C++ development
 libcrypto++-doc - General purpose cryptographic library - documentation
 libcrypto++-utils - General purpose cryptographic library - utilities and data files
 libcrypto++6 - General purpose cryptographic library - shared library
 libcrypto++6-dbg - General purpose cryptographic library - debug symbols
Closes: 848009
Changes:
 libcrypto++ (5.6.4-5) unstable; urgency=high
 .
   * Fix CVE-2016-9939: possible DoS in ASN.1 decoders (closes: #848009).
Checksums-Sha1:
Checksums-Sha256:
Files:





Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Sat, 31 Dec 2016 21:03:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 31 Dec 2016 21:03:09 GMT)


Message #15 received at 848009-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 848009-close@bugs.debian.org
Subject: Bug#848009: fixed in libcrypto++ 5.6.1-6+deb8u3
Date: Sat, 31 Dec 2016 21:02:26 +0000
Source: libcrypto++
Source-Version: 5.6.1-6+deb8u3

We believe that the bug you reported is fixed in the latest version of
libcrypto++, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 848009@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated libcrypto++ package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 24 Dec 2016 08:31:34 +0000
Source: libcrypto++
Binary: libcrypto++9 libcrypto++9-dbg libcrypto++-dev libcrypto++-utils libcrypto++-doc
Architecture: source all amd64
Version: 5.6.1-6+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 libcrypto++-dev - General purpose cryptographic library - C++ development
 libcrypto++-doc - General purpose cryptographic library - documentation
 libcrypto++-utils - General purpose cryptographic library - utilities and data files
 libcrypto++9 - General purpose cryptographic library - shared library
 libcrypto++9-dbg - General purpose cryptographic library - debug symbols
Closes: 848009
Changes:
 libcrypto++ (5.6.1-6+deb8u3) jessie-security; urgency=high
 .
   * Fix CVE-2016-9939: possible DoS in ASN.1 decoders (closes: #848009).
Checksums-Sha1:
Checksums-Sha256:
Files:





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 02 Feb 2017 07:25:52 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:22:05 2019; Machine Name: beach
