Debian Bug report logs - #908779
bro: CVE-2018-17019: Fix IRC names command parsing
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Hilko Bengen <bengen@debian.org>: Bug#908779; Package src:bro. (Thu, 13 Sep 2018 20:42:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Hilko Bengen <bengen@debian.org>. (Thu, 13 Sep 2018 20:42:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: bro
Version: 2.5-1
Severity: important
Tags: patch security upstream
Control: found -1 2.5.5-1
Hi,
The following vulnerability was published for bro.
CVE-2018-17019[0]:
| In Bro through 2.5.5, there is a DoS in IRC protocol names command
| parsing in analyzer/protocol/irc/IRC.cc.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-17019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17019
[1] https://github.com/bro/bro/commit/c2b18849f8bb833253538f5dfedb4ed1dc176a30
Regards,
Salvatore
Marked as found in versions bro/2.5.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 13 Sep 2018 20:42:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>: Bug#908779; Package src:bro. (Tue, 29 Jan 2019 00:09:07 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. (Tue, 29 Jan 2019 00:09:07 GMT)
Message #12 received at 908779@bugs.debian.org:
On Thu, Sep 13, 2018 at 10:39:17PM +0200, Salvatore Bonaccorso wrote:
> Source: bro
> Version: 2.5-1
> Severity: important
> Tags: patch security upstream
> Control: found -1 2.5.5-1
>
> Hi,
>
> The following vulnerability was published for bro.
>
> CVE-2018-17019[0]:
> | In Bro through 2.5.5, there is a DoS in IRC protocol names command
> | parsing in analyzer/protocol/irc/IRC.cc.
ping, can we get this one (and CVE-2018-16807) uploaded still in time
for buster?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#908779; Package src:bro. (Tue, 29 Jan 2019 01:21:03 GMT)
Acknowledgement sent to Hilko Bengen <bengen@debian.org>: Extra info received and forwarded to list. (Tue, 29 Jan 2019 01:21:03 GMT)
Message #17 received at 908779@bugs.debian.org:
* Moritz Mühlenhoff:
>> CVE-2018-17019[0]:
>> | In Bro through 2.5.5, there is a DoS in IRC protocol names command
>> | parsing in analyzer/protocol/irc/IRC.cc.
>
> ping, can we get this one (and CVE-2018-16807) uploaded still in time
> for buster?
Working on 2.6.1, but I need to get broker (and a new upstream version
of actor-framework) into unstable first. Working on that, too.
Cheers,
-Hilko
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#908779; Package src:bro. (Tue, 12 Feb 2019 23:27:03 GMT)
Acknowledgement sent to Hilko Bengen <bengen@debian.org>: Extra info received and forwarded to list. (Tue, 12 Feb 2019 23:27:03 GMT)
Message #22 received at 908779@bugs.debian.org:
* Hilko Bengen:
>>> | In Bro through 2.5.5, there is a DoS in IRC protocol names command
>>> | parsing in analyzer/protocol/irc/IRC.cc.
>>
>> ping, can we get this one (and CVE-2018-16807) uploaded still in time
>> for buster?
>
> Working on 2.6.1, but I need to get broker (and a new upstream version
> of actor-framework) into unstable first. Working on that, too.
So that didn't work out -- bro/2.6.1 is still sitting in NEW, along with
some of its build-dependencies. :-(
I don't know yet if or when I'll be able to backport fixes for the
outstanding CVE-worthy bugs.
Cheers,
-Hilko
Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>: Bug#908779; Package src:bro. (Thu, 14 Mar 2019 22:27:02 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. (Thu, 14 Mar 2019 22:27:02 GMT)
Message #27 received at 908779@bugs.debian.org:
On Tue, Jan 29, 2019 at 02:19:20AM +0100, Hilko Bengen wrote:
> * Moritz Mühlenhoff:
>
> >> CVE-2018-17019[0]:
> >> | In Bro through 2.5.5, there is a DoS in IRC protocol names command
> >> | parsing in analyzer/protocol/irc/IRC.cc.
> >
> > ping, can we get this one (and CVE-2018-16807) uploaded still in time
> > for buster?
>
> Working on 2.6.1, but I need to get broker (and a new upstream version
> of actor-framework) into unstable first. Working on that, too.
With buster being in full freeze, can you backport CVE-2018-17019 and
CVE-2018-16807 to 2.5.5, please?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#908779; Package src:bro. (Thu, 21 Mar 2019 10:15:04 GMT)
Acknowledgement sent to Hilko Bengen <bengen@debian.org>: Extra info received and forwarded to list. (Thu, 21 Mar 2019 10:15:04 GMT)
Message #32 received at 908779@bugs.debian.org:
* Moritz Mühlenhoff:
>> Working on 2.6.1, but I need to get broker (and a new upstream version
>> of actor-framework) into unstable first. Working on that, too.
It's a pity that this did not work out...
> With buster being in full freeze, can you backport CVE-2018-17019 and
> CVE-2018-16807 to 2.5.5, please?
Yes, I'll try. Thanks for reminding me.
Cheers,
-Hilko
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:38:12 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.