CVE-2017-5923 CVE-2017-5924 CVE-2016-10210 CVE-2016-10211

Debian Bug report logs - #859821
CVE-2017-5923 CVE-2017-5924 CVE-2016-10210 CVE-2016-10211

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 7 Apr 2017 16:21:19 UTC

Severity: important

Tags: security, upstream

Found in versions yara/3.5.0+dfsg-8, yara/3.1.0-2

Fixed in versions yara/3.5.0+dfsg-9, yara/3.1.0-2+deb8u1

Done: Hilko Bengen <bengen@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Forensics <forensics-devel@lists.alioth.debian.org>:
Bug#859821; Package src:yara. (Fri, 07 Apr 2017 16:21:21 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Forensics <forensics-devel@lists.alioth.debian.org>. (Fri, 07 Apr 2017 16:21:21 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-5923 CVE-2017-5924 CVE-2016-10210 CVE-2016-10211
Date: Fri, 07 Apr 2017 18:18:55 +0200
Source: yara
Severity: important
Tags: security

Hi,
please see
https://security-tracker.debian.org/tracker/CVE-2017-5924
https://security-tracker.debian.org/tracker/CVE-2017-5923
https://security-tracker.debian.org/tracker/CVE-2016-10210
https://security-tracker.debian.org/tracker/CVE-2016-10211

Cheers,
        Moritz



Marked as found in versions yara/3.5.0+dfsg-8. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 07 Apr 2017 18:09:05 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 07 Apr 2017 18:09:05 GMT)


Reply sent to Hilko Bengen <bengen@debian.org>:
You have taken responsibility. (Sun, 09 Apr 2017 11:21:07 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 09 Apr 2017 11:21:07 GMT)


Message #14 received at 859821-close@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: 859821-close@bugs.debian.org
Subject: Bug#859821: fixed in yara 3.5.0+dfsg-9
Date: Sun, 09 Apr 2017 11:20:29 +0000
Source: yara
Source-Version: 3.5.0+dfsg-9

We believe that the bug you reported is fixed in the latest version of
yara, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859821@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <bengen@debian.org> (supplier of updated yara package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 09 Apr 2017 13:02:37 +0200
Source: yara
Binary: yara libyara3 libyara-dev yara-doc
Architecture: source
Version: 3.5.0+dfsg-9
Distribution: unstable
Urgency: medium
Maintainer: Debian Forensics <forensics-devel@lists.alioth.debian.org>
Changed-By: Hilko Bengen <bengen@debian.org>
Description:
 libyara-dev - YARA development libraries and headers
 libyara3   - YARA shared library
 yara       - Pattern matching swiss knife for malware researchers
 yara-doc   - HTML documentation for YARA
Closes: 859821
Changes:
 yara (3.5.0+dfsg-9) unstable; urgency=medium
 .
   * Add patches for CVE-2016-10210, CVE-2016-10211, CVE-2017-5923,
     CVE-2017-5924 (Closes: #859821)




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Forensics <forensics-devel@lists.alioth.debian.org>:
Bug#859821; Package src:yara. (Sun, 09 Apr 2017 12:30:03 GMT)


Acknowledgement sent to Hilko Bengen <bengen@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Forensics <forensics-devel@lists.alioth.debian.org>. (Sun, 09 Apr 2017 12:30:03 GMT)


Message #19 received at 859821@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 859821@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#859821: CVE-2017-5923 CVE-2017-5924 CVE-2016-10210 CVE-2016-10211
Date: Sun, 09 Apr 2017 14:26:29 +0200
Control: found -1 3.1.0-2

The bugs are present in the package present in jessie, too. The same
four patches can be applied there straight away. Preparing a fixed
package right now.

Cheers,
-Hilko



Marked as found in versions yara/3.1.0-2. Request was from Hilko Bengen <bengen@debian.org> to 859821-submit@bugs.debian.org. (Sun, 09 Apr 2017 12:30:03 GMT)


Reply sent to Hilko Bengen <bengen@debian.org>:
You have taken responsibility. (Tue, 25 Apr 2017 21:03:19 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Tue, 25 Apr 2017 21:03:19 GMT)


Message #26 received at 859821-close@bugs.debian.org:

From: Hilko Bengen <bengen@debian.org>
To: 859821-close@bugs.debian.org
Subject: Bug#859821: fixed in yara 3.1.0-2+deb8u1
Date: Tue, 25 Apr 2017 21:02:13 +0000
Source: yara
Source-Version: 3.1.0-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
yara, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 859821@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <bengen@debian.org> (supplier of updated yara package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 09 Apr 2017 14:38:30 +0200
Source: yara
Binary: yara libyara3 libyara-dev python-yara python3-yara
Architecture: source amd64
Version: 3.1.0-2+deb8u1
Distribution: jessie
Urgency: high
Maintainer: Hilko Bengen <bengen@debian.org>
Changed-By: Hilko Bengen <bengen@debian.org>
Description:
 libyara-dev - help to identify and classify malwares (development files)
 libyara3   - help to identify and classify malwares (shared library)
 python-yara - help to identify and classify malwares (Python bindings)
 python3-yara - help to identify and classify malwares (Python 3 bindings)
 yara       - help to identify and classify malwares
Closes: 859821
Changes:
 yara (3.1.0-2+deb8u1) jessie; urgency=high
 .
   * Add patches for CVE-2016-10210, CVE-2016-10211, CVE-2017-5923,
     CVE-2017-5924 (Closes: #859821)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 24 May 2017 07:25:37 GMT)

