Debian Bug report logs - #778895: trafficserver: CVE-2014-10022
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Sat, 21 Feb 2015 13:27:01 UTC
Severity: grave
Tags: patch, security
Fixed in version 5.3.0-1
Done: Aron Xu <aron@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Arno Töll <arno@debian.org>: Bug#778895; Package trafficserver. (Sat, 21 Feb 2015 13:27:06 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Arno Töll <arno@debian.org>. (Sat, 21 Feb 2015 13:27:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: trafficserver
Severity: grave
Tags: security
Justification: user security hole
Hi,
this has been assigned CVE-2014-10022:
https://issues.apache.org/jira/browse/TS-3223
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10022
Fix:
https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;a=commit;h=8b5f0345dade6b2822d9b52c8ad12e63011a5c12
Cheers,
Moritz
Added tag(s) patch. Request was from Arnaud Fontaine <arnau@debian.org> to control@bugs.debian.org. (Tue, 10 Mar 2015 07:30:11 GMT)
Message sent on to Moritz Muehlenhoff <jmm@inutil.org>: Bug#778895. (Tue, 10 Mar 2015 07:30:15 GMT)
Message #10 received at 778895-submitter@bugs.debian.org:
Hello,
I have prepared an NMU for trafficserver fixing #778895 RC bug
(CVE-2014-10022) and considering that a new upstream release has already
been uploaded to unstable, I would like to upload to
testing-proposed-updates. I'm Cc'ing the maintainer of this package to
get his approval as well.
I have attached the NMU patch to this email. The package builds fine in
a Jessie chroot and all the tests ran during the build pass.
Regards,
--
Arnaud Fontaine
[trafficserver_5.0.1-1+deb8u1.debdiff (text/x-diff, attachment)]
Message sent on to Moritz Muehlenhoff <jmm@inutil.org>: Bug#778895. (Tue, 10 Mar 2015 08:03:19 GMT)
Message #13 received at 778895-submitter@bugs.debian.org:
Hi,
Please file a proper unblock request, so that it's easy to track.
On Tue, Mar 10, 2015 at 04:24:13PM +0900, Arnaud Fontaine wrote:
> I have prepared an NMU for trafficserver fixing #778895 RC bug
> (CVE-2014-10022) and considering that a new upstream release has already
> been uploaded to unstable, I would like to upload to
> testing-proposed-updates. I'm Cc'ing the maintainer of this package to
> get his approval as well.
>
> I have attached the NMU patch to this email. The package builds fine in
> a Jessie chroot and all the tests ran during the build pass.
Please go ahead, but use jessie as distribution instead of
testing-proposed-updates.
Cheers,
Ivo
Message sent on to Moritz Muehlenhoff <jmm@inutil.org>: Bug#778895. (Tue, 10 Mar 2015 08:30:04 GMT)
Message #16 received at 778895-submitter@bugs.debian.org:
Ivo De Decker <ivodd@debian.org> writes:
> Please file a proper unblock request, so that it's easy to track.
>
> On Tue, Mar 10, 2015 at 04:24:13PM +0900, Arnaud Fontaine wrote:
>> I have prepared an NMU for trafficserver fixing #778895 RC bug
>> (CVE-2014-10022) and considering that a new upstream release has already
>> been uploaded to unstable, I would like to upload to
>> testing-proposed-updates. I'm Cc'ing the maintainer of this package to
>> get his approval as well.
>>
>> I have attached the NMU patch to this email. The package builds fine in
>> a Jessie chroot and all the tests ran during the build pass.
>
> Please go ahead, but use jessie as distribution instead of
> testing-proposed-updates.
Ok, before uploading and filing a proper unblock request, I will wait
for the maintainer ACK until Friday if that's ok with you.
Cheers,
--
Arnaud Fontaine
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#778895; Package trafficserver. (Tue, 10 Mar 2015 14:03:05 GMT)
Acknowledgement sent to Arno Töll <arno@debian.org>: Extra info received and forwarded to list. (Tue, 10 Mar 2015 14:03:05 GMT)
Message #21 received at 778895@bugs.debian.org:
Hi,
On Tuesday 10 March 2015 17:27:04 Arnaud Fontaine wrote:
> Ok, before uploading and filing a proper unblock request, I will wait
> for the maintainer ACK until Friday if that's ok with you.
I'm fine with your NMU, but please note it's only part of the problem. We never
bothered for the (easy) fix for #778895 because of other security problems we
cannot easily fix in particular CVE-2014-3624 and #749846 - both fixed in Sid.
However, the Release Team was uncomfortable to unblock that package (cf.
#769689). I'm afraid, that we better ask for removal of that package in
Testing rather than bothering with it, as we - as maintainers - cannot
guarantee for the security of it already, even less so over the lifespan of a
Debian Release, and upstream is moving faster than us.
--
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
Message sent on to Moritz Muehlenhoff <jmm@inutil.org>: Bug#778895. (Fri, 13 Mar 2015 08:33:20 GMT)
Message #24 received at 778895-submitter@bugs.debian.org:
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: rm
Hello,
Considering that trafficserver is currently affected by 3 security bugs
(CVE-2014-3624, CVE-2014-10022 (#778895) and #749846) fixed in Sid but
which was not uploaded on time to testing before the freeze, and that
these bugs cannot be easily fixed, it would probably be better to remove
it from testing as suggested by Arno Töll, the maintainer of
trafficserver, on #778895:
"However, the Release Team was uncomfortable to unblock that package
(cf. #769689). I'm afraid, that we better ask for removal of that
package in Testing rather than bothering with it, as we - as
maintainers - cannot guarantee for the security of it already, even
less so over the lifespan of a Debian Release, and upstream is moving
faster than us."
Thanks in advance.
Regards,
--
Arnaud Fontaine
Message sent on to Moritz Muehlenhoff <jmm@inutil.org>: Bug#778895. (Sat, 14 Mar 2015 09:45:18 GMT)
Message #27 received at 778895-submitter@bugs.debian.org:
On 2015-03-13 09:29, Arnaud Fontaine wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: rm
>
> Hello,
>
> Considering that trafficserver is currently affected by 3 security bugs
> (CVE-2014-3624, CVE-2014-10022 (#778895) and #749846) fixed in Sid but
> which was not uploaded on time to testing before the freeze, and that
> these bugs cannot be easily fixed, it would probably be better to remove
> it from testing as suggested by Arno Töll, the maintainer of
> trafficserver, on #778895:
>
> "However, the Release Team was uncomfortable to unblock that package
> (cf. #769689). I'm afraid, that we better ask for removal of that
> package in Testing rather than bothering with it, as we - as
> maintainers - cannot guarantee for the security of it already, even
> less so over the lifespan of a Debian Release, and upstream is moving
> faster than us."
>
> Thanks in advance.
>
> Regards,
>
Ack, I have added a removal hint for trafficserver. Hopefully things
will look better for Stretch.
Thanks,
~Niels
Reply sent to Aron Xu <aron@debian.org>: You have taken responsibility. (Fri, 12 Jun 2015 13:27:35 GMT)
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Fri, 12 Jun 2015 13:27:35 GMT)
Message #32 received at 778895-close@bugs.debian.org:
Source-Version: 5.3.0-1
This CVE is closed in trafficserver/5.3.0-1.
Thanks,
Aron
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 Jul 2015 07:49:24 GMT)
Last modified: Wed Jun 19 13:59:48 2019