bwa: CVE-2019-10269

Related Vulnerabilities: CVE-2019-10269  

Debian Bug report logs - #926014

Reported by: Markus Koschany <apo@debian.org>

Date: Sat, 30 Mar 2019 11:21:02 UTC

Severity: important

Tags: security

Found in versions bwa/0.7.17-2, bwa/0.7.15-2

Fixed in versions bwa/0.7.17-3, bwa/0.7.15-2+deb9u1

Done: Dylan Aïssi <daissi@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/lh4/bwa/pull/232

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#926014; Package bwa. (Sat, 30 Mar 2019 11:21:04 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Sat, 30 Mar 2019 11:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: submit@bugs.debian.org
Subject: bwa: CVE-2019-10269
Date: Sat, 30 Mar 2019 12:16:49 +0100
Package: bwa
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for bwa.

CVE-2019-10269[0]:
| BWA (aka Burrows-Wheeler Aligner) before 2019-01-23 has a stack-based
| buffer overflow in the bns_restore function in bntseq.c via a long
| sequence name in a .alt file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10269
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10269

Please adjust the affected versions in the BTS as needed. Only Stretch
and later versions are affected.

Regards,

Markus

[signature.asc (application/pgp-signature, attachment)]
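
The overflow class named in the report above, seen from the fix side. This is an added example, not bwa's code and not the upstream patch: a reader that takes the sequence name from the first tab-delimited column of each line and rejects any name that does not fit its buffer. The function name next_alt_name, the 1024-byte buffer size and the column layout are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define ALT_NAME_CAP 1024  /* assumed size, not taken from bwa */

/* Read the first field (sequence name) of the next line into buf[cap].
 * Returns 1 on success, 0 at end of input, -1 if the name does not fit
 * (buf then holds the truncated prefix). Never writes past buf[cap - 1]. */
int next_alt_name(FILE *fp, char *buf, size_t cap)
{
    size_t i = 0;
    int c, status = 1;

    if (cap == 0) return -1;
    while ((c = fgetc(fp)) != EOF && c != '\t' && c != '\n' && c != '\r') {
        if (i + 1 >= cap) {   /* keep one byte for the terminator */
            status = -1;      /* an unchecked buf[i++] = c here is the overflow */
            break;
        }
        buf[i++] = (char)c;
    }
    buf[i] = '\0';
    if (c == EOF && i == 0) return 0;
    /* Skip the rest of the line so the next call starts on a new record. */
    while (c != '\n' && c != EOF) c = fgetc(fp);
    return status;
}

int main(void)
{
    /* Constructed sample: two ordinary records around one 2000-byte name. */
    FILE *fp = tmpfile();
    char name[ALT_NAME_CAP];
    int r, i;

    if (!fp) return 1;
    fputs("chr1_alt\t0\tchr1\n", fp);
    for (i = 0; i < 2000; ++i) fputc('A', fp);
    fputs("\t0\tchr1\nchr2_alt\t0\tchr2\n", fp);
    rewind(fp);
    while ((r = next_alt_name(fp, name, sizeof name)) != 0)
        printf("%s: %.20s\n", r == 1 ? "ok" : "rejected (too long)", name);
    fclose(fp);
    return 0;
}
```

A caller that treats -1 as a malformed file and stops, rather than continuing with the truncated name, avoids matching the wrong sequence.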

Marked as found in versions bwa/0.7.15-2. Request was from Markus Koschany <apo@debian.org> to control@bugs.debian.org. (Sat, 30 Mar 2019 11:27:03 GMT)


Marked as found in versions bwa/0.7.17-2. Request was from Markus Koschany <apo@debian.org> to control@bugs.debian.org. (Sat, 30 Mar 2019 11:27:04 GMT)


Message sent on to Markus Koschany <apo@debian.org>:
Bug#926014. (Sat, 30 Mar 2019 14:21:05 GMT)


Message #12 received at 926014-submitter@bugs.debian.org:

From: Dylan Aïssi <noreply@salsa.debian.org>
To: 926014-submitter@bugs.debian.org
Subject: Bug #926014 in bwa marked as pending
Date: Sat, 30 Mar 2019 14:18:44 +0000
Control: tag -1 pending

Hello,

Bug #926014 in bwa reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/med-team/bwa/commit/2f03e0f1fa6b0ca04f6d5ec9f95a488f14508914

------------------------------------------------------------------------
Add patch from upstream to fix CVE-2019-10269. (Closes: #926014)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/926014



Added tag(s) pending. Request was from Dylan Aïssi <noreply@salsa.debian.org> to 926014-submitter@bugs.debian.org. (Sat, 30 Mar 2019 14:21:05 GMT)


Reply sent to Dylan Aïssi <daissi@debian.org>:
You have taken responsibility. (Sat, 30 Mar 2019 14:51:11 GMT)


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Sat, 30 Mar 2019 14:51:11 GMT)


Message #19 received at 926014-close@bugs.debian.org:

From: Dylan Aïssi <daissi@debian.org>
To: 926014-close@bugs.debian.org
Subject: Bug#926014: fixed in bwa 0.7.17-3
Date: Sat, 30 Mar 2019 14:48:37 +0000
Source: bwa
Source-Version: 0.7.17-3

We believe that the bug you reported is fixed in the latest version of
bwa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926014@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dylan Aïssi <daissi@debian.org> (supplier of updated bwa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 30 Mar 2019 15:18:23 +0100
Source: bwa
Architecture: source
Version: 0.7.17-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Dylan Aïssi <daissi@debian.org>
Closes: 926014
Changes:
 bwa (0.7.17-3) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Dylan Aïssi ]
   * Add patch from upstream to fix CVE-2019-10269.
       (Closes: #926014)
 .
   [ Jelmer Vernooij ]
   * Trim trailing whitespace.




Set Bug forwarded-to-address to 'https://github.com/lh4/bwa/pull/232'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 30 Mar 2019 16:45:04 GMT)


Reply sent to Dylan Aïssi <daissi@debian.org>:
You have taken responsibility. (Sun, 14 Apr 2019 09:36:12 GMT)


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Sun, 14 Apr 2019 09:36:12 GMT)


Message #26 received at 926014-close@bugs.debian.org:

From: Dylan Aïssi <daissi@debian.org>
To: 926014-close@bugs.debian.org
Subject: Bug#926014: fixed in bwa 0.7.15-2+deb9u1
Date: Sun, 14 Apr 2019 09:32:09 +0000
Source: bwa
Source-Version: 0.7.15-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
bwa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 926014@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dylan Aïssi <daissi@debian.org> (supplier of updated bwa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 06 Apr 2019 09:46:05 +0200
Source: bwa
Binary: bwa libbwa-dev
Architecture: source amd64
Version: 0.7.15-2+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Dylan Aïssi <daissi@debian.org>
Description:
 bwa        - Burrows-Wheeler Aligner
 libbwa-dev - Burrows-Wheeler Aligner source files
Closes: 926014
Changes:
 bwa (0.7.15-2+deb9u1) stretch; urgency=medium
 .
   * Team upload
   * Add patch from upstream to fix CVE-2019-10269.
       (Closes: #926014)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 13 May 2019 07:25:50 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:20:48 2019; Machine Name: beach
