bro: CVE-2018-17019: Fix IRC names command parsing

Related Vulnerabilities: CVE-2018-17019, CVE-2018-16807

Debian Bug report logs - #908779

Package: src:bro; Maintainer for src:bro is Hilko Bengen <bengen@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 13 Sep 2018 20:42:02 UTC

Severity: important

Tags: patch, security, upstream

Found in versions bro/2.5.5-1, bro/2.5-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#908779; Package src:bro. (Thu, 13 Sep 2018 20:42:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Hilko Bengen <bengen@debian.org>. (Thu, 13 Sep 2018 20:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bro: CVE-2018-17019: Fix IRC names command parsing
Date: Thu, 13 Sep 2018 22:39:17 +0200
Source: bro
Version: 2.5-1
Severity: important
Tags: patch security upstream
Control: found -1 2.5.5-1

Hi,

The following vulnerability was published for bro.

CVE-2018-17019[0]:
| In Bro through 2.5.5, there is a DoS in IRC protocol names command
| parsing in analyzer/protocol/irc/IRC.cc.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-17019
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17019
[1] https://github.com/bro/bro/commit/c2b18849f8bb833253538f5dfedb4ed1dc176a30

Regards,
Salvatore



Marked as found in versions bro/2.5.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 13 Sep 2018 20:42:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#908779; Package src:bro. (Tue, 29 Jan 2019 00:09:07 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. (Tue, 29 Jan 2019 00:09:07 GMT)


Message #12 received at 908779@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 908779@bugs.debian.org
Subject: Re: bro: CVE-2018-17019: Fix IRC names command parsing
Date: Tue, 29 Jan 2019 01:06:14 +0100
On Thu, Sep 13, 2018 at 10:39:17PM +0200, Salvatore Bonaccorso wrote:
> Source: bro
> Version: 2.5-1
> Severity: important
> Tags: patch security upstream
> Control: found -1 2.5.5-1
> 
> Hi,
> 
> The following vulnerability was published for bro.
> 
> CVE-2018-17019[0]:
> | In Bro through 2.5.5, there is a DoS in IRC protocol names command
> | parsing in analyzer/protocol/irc/IRC.cc.

ping, can we get this one (and CVE-2018-16807) uploaded still in time
for buster?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#908779; Package src:bro. (Tue, 29 Jan 2019 01:21:03 GMT)


Acknowledgement sent to Hilko Bengen <bengen@debian.org>:
Extra info received and forwarded to list. (Tue, 29 Jan 2019 01:21:03 GMT)


Message #17 received at 908779@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 908779@bugs.debian.org
Subject: Re: Bug#908779: bro: CVE-2018-17019: Fix IRC names command parsing
Date: Tue, 29 Jan 2019 02:19:20 +0100
* Moritz Mühlenhoff:

>> CVE-2018-17019[0]:
>> | In Bro through 2.5.5, there is a DoS in IRC protocol names command
>> | parsing in analyzer/protocol/irc/IRC.cc.
>
> ping, can we get this one (and CVE-2018-16807) uploaded still in time
> for buster?

Working on 2.6.1, but I need to get broker (and a new upstream version
of actor-framework) into unstable first. Working on that, too.

Cheers,
-Hilko



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#908779; Package src:bro. (Tue, 12 Feb 2019 23:27:03 GMT)


Acknowledgement sent to Hilko Bengen <bengen@debian.org>:
Extra info received and forwarded to list. (Tue, 12 Feb 2019 23:27:03 GMT)


Message #22 received at 908779@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 908779@bugs.debian.org
Subject: Re: Bug#908779: bro: CVE-2018-17019: Fix IRC names command parsing
Date: Wed, 13 Feb 2019 00:23:33 +0100
* Hilko Bengen:

>>> | In Bro through 2.5.5, there is a DoS in IRC protocol names command
>>> | parsing in analyzer/protocol/irc/IRC.cc.
>>
>> ping, can we get this one (and CVE-2018-16807) uploaded still in time
>> for buster?
>
> Working on 2.6.1, but I need to get broker (and a new upstream version
> of actor-framework) into unstable first. Working on that, too.

So that didn't work out -- bro/2.6.1 is still sitting in NEW, along with
some of its build-dependencies. :-(

I don't know yet if or when I'll be able to backport fixes for the
outstanding CVE-worthy bugs.

Cheers,
-Hilko



Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#908779; Package src:bro. (Thu, 14 Mar 2019 22:27:02 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. (Thu, 14 Mar 2019 22:27:02 GMT)


Message #27 received at 908779@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Hilko Bengen <bengen@debian.org>
Cc: Moritz Mühlenhoff <jmm@inutil.org>, 908779@bugs.debian.org
Subject: Re: Bug#908779: bro: CVE-2018-17019: Fix IRC names command parsing
Date: Thu, 14 Mar 2019 23:22:14 +0100
On Tue, Jan 29, 2019 at 02:19:20AM +0100, Hilko Bengen wrote:
> * Moritz Mühlenhoff:
> 
> >> CVE-2018-17019[0]:
> >> | In Bro through 2.5.5, there is a DoS in IRC protocol names command
> >> | parsing in analyzer/protocol/irc/IRC.cc.
> >
> > ping, can we get this one (and CVE-2018-16807) uploaded still in time
> > for buster?
> 
> Working on 2.6.1, but I need to get broker (and a new upstream version
> of actor-framework) into unstable first. Working on that, too.

With buster being in full freeze, can you backport CVE-2018-17019 and
CVE-2018-16807 to 2.5.5, please?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#908779; Package src:bro. (Thu, 21 Mar 2019 10:15:04 GMT)


Acknowledgement sent to Hilko Bengen <bengen@debian.org>:
Extra info received and forwarded to list. (Thu, 21 Mar 2019 10:15:04 GMT)


Message #32 received at 908779@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 908779@bugs.debian.org
Subject: Re: Bug#908779: bro: CVE-2018-17019: Fix IRC names command parsing
Date: Thu, 21 Mar 2019 11:12:53 +0100
* Moritz Mühlenhoff:

>> Working on 2.6.1, but I need to get broker (and a new upstream version
>> of actor-framework) into unstable first. Working on that, too.

It's a pity that this did not work out...

> With buster being in full freeze, can you backport CVE-2018-17019 and
> CVE-2018-16807 to 2.5.5, please?

Yes, I'll try. Thanks for reminding me.

Cheers,
-Hilko





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:38:12 2019; Machine Name: buxtehude
