libcap2: CVE-2023-2602 CVE-2023-2603

Related Vulnerabilities: CVE-2023-2602, CVE-2023-2603

Debian Bug report logs - #1036114

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 15 May 2023 17:48:02 UTC

Severity: important

Tags: security, upstream

Found in version libcap2/1:2.66-3

Fixed in version libcap2/1:2.66-4

Done: Christian Kastner <ckk@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Christian Kastner <ckk@debian.org>:
Bug#1036114; Package src:libcap2. (Mon, 15 May 2023 17:48:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Christian Kastner <ckk@debian.org>. (Mon, 15 May 2023 17:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libcap2: CVE-2023-2602 CVE-2023-2603
Date: Mon, 15 May 2023 19:44:27 +0200
Source: libcap2
Version: 1:2.66-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for libcap2.

CVE-2023-2602[0]:
| LCAP-CR-23-01 (Correct the check of pthread_create()'s return value)

CVE-2023-2603[1]:
| LCAP-CR-23-02 (Large strings can confuse libcap's internal strdup
| code)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-2602
    https://www.cve.org/CVERecord?id=CVE-2023-2602
[1] https://security-tracker.debian.org/tracker/CVE-2023-2603
    https://www.cve.org/CVERecord?id=CVE-2023-2603

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Christian Kastner <ckk@debian.org>:
You have taken responsibility. (Mon, 15 May 2023 21:06:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 15 May 2023 21:06:03 GMT)


Message #10 received at 1036114-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1036114-close@bugs.debian.org
Subject: Bug#1036114: fixed in libcap2 1:2.66-4
Date: Mon, 15 May 2023 21:04:19 +0000
Source: libcap2
Source-Version: 1:2.66-4
Done: Christian Kastner <ckk@debian.org>

We believe that the bug you reported is fixed in the latest version of
libcap2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1036114@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Kastner <ckk@debian.org> (supplier of updated libcap2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 May 2023 20:34:57 +0200
Source: libcap2
Architecture: source
Version: 1:2.66-4
Distribution: unstable
Urgency: medium
Maintainer: Christian Kastner <ckk@debian.org>
Changed-By: Christian Kastner <ckk@debian.org>
Closes: 1036114
Changes:
 libcap2 (1:2.66-4) unstable; urgency=medium
 .
   * Apply upstream patches for CVE-2023-2602, CVE-2023-2603
     (Closes: #1036114)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue May 16 13:13:14 2023; Machine Name: bembo
