guile-2.0: CVE-2016-8606


Debian Bug report logs - #840555

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 12 Oct 2016 18:39:01 UTC

Severity: important

Tags: patch, security, upstream

Found in versions guile-2.0/2.0.11+1-9, guile-2.0/2.0.11+1-12

Fixed in version guile-2.0/2.0.13+1-1

Done: Rob Browning <rlb@defaultvalue.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#840555; Package src:guile-2.0. (Wed, 12 Oct 2016 18:39:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Rob Browning <rlb@defaultvalue.org>. (Wed, 12 Oct 2016 18:39:03 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: guile-2.0: CVE-2016-8606
Date: Wed, 12 Oct 2016 20:32:24 +0200
Source: guile-2.0
Version: 2.0.11+1-9
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for guile-2.0.

CVE-2016-8606[0]:
REPL server vulnerable to HTTP inter-protocol attacks

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-8606
[1] http://seclists.org/oss-sec/2016/q4/100
[2] http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Rob Browning <rlb@defaultvalue.org>:
Bug#840555; Package src:guile-2.0. (Tue, 18 Oct 2016 10:18:03 GMT)

Acknowledgement sent to Antonio Ospite <ao2@ao2.it>:
Extra info received and forwarded to list. Copy sent to Rob Browning <rlb@defaultvalue.org>. (Tue, 18 Oct 2016 10:18:03 GMT)

Message #10 received at 840555@bugs.debian.org:

From: Antonio Ospite <ao2@ao2.it>
To: Debian Bug Tracking System <840555@bugs.debian.org>
Subject: guile-2.0: New upstream release 2.0.13 available
Date: Tue, 18 Oct 2016 12:14:53 +0200
Package: guile-2.0
Version: 2.0.11+1-12+b1
Followup-For: Bug #840555

Dear Maintainer,

the CVE fixes are also in the new upstream release 2.0.13

Packaging that _might_ also help with getting the lilypond package in
shape for Stretch[1], since guile 2.0.12 contains some fixes to bugs
exposed by lilypond (e.g. [2]).

Thanks,
   Antonio

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746005
[2] https://debbugs.gnu.org/cgi/bugreport.cgi?bug=19883

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (900, 'unstable'), (500, 'unstable-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.utf8, LC_CTYPE=it_IT.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages guile-2.0 depends on:
ii  guile-2.0-libs  2.0.11+1-12+b1

guile-2.0 recommends no packages.

Versions of packages guile-2.0 suggests:
pn  guile-2.0-doc  <none>

-- no debconf information
-- 
Antonio Ospite
https://ao2.it
https://twitter.com/ao2it

A: Because it messes up the order in which people normally read text.
   See http://en.wikipedia.org/wiki/Posting_style
Q: Why is top-posting such a bad thing?



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#840555; Package src:guile-2.0. (Tue, 18 Oct 2016 16:09:05 GMT)

Acknowledgement sent to Rob Browning <rlb@defaultvalue.org>:
Extra info received and forwarded to list. (Tue, 18 Oct 2016 16:09:05 GMT)

Message #15 received at 840555@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: Antonio Ospite <ao2@ao2.it>, 840555@bugs.debian.org
Subject: Re: Bug#840555: guile-2.0: New upstream release 2.0.13 available
Date: Tue, 18 Oct 2016 11:07:47 -0500
Antonio Ospite <ao2@ao2.it> writes:

> Package: guile-2.0
> Version: 2.0.11+1-12+b1
> Followup-For: Bug #840555
>
> Dear Maintainer,
>
> the CVE fixes are also in the new upstream release 2.0.13
>
> Packaging that _might_ also help with getting the lilypond package in
> shape for Stretch[1], since guile 2.0.12 contains some fixes to bugs
> exposed by lilypond (e.g. [2]).

Thanks.  I've already backported both of the CVE fixes for a possible
jessie update, and after I file the relevant proposal with the release
managers, I'm planning to prepare a 2.0.13 upload for unstable.

Thanks
-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4



Reply sent to Rob Browning <rlb@defaultvalue.org>:
You have taken responsibility. (Sun, 23 Oct 2016 23:15:15 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 23 Oct 2016 23:15:15 GMT)

Message #20 received at 840555-close@bugs.debian.org:

From: Rob Browning <rlb@defaultvalue.org>
To: 840555-close@bugs.debian.org
Subject: Bug#840555: fixed in guile-2.0 2.0.13+1-1
Date: Sun, 23 Oct 2016 23:00:36 +0000
Source: guile-2.0
Source-Version: 2.0.13+1-1

We believe that the bug you reported is fixed in the latest version of
guile-2.0, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 840555@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Rob Browning <rlb@defaultvalue.org> (supplier of updated guile-2.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 22 Oct 2016 16:21:42 -0500
Source: guile-2.0
Binary: guile-2.0 guile-2.0-dev guile-2.0-doc guile-2.0-libs
Architecture: source amd64 all
Version: 2.0.13+1-1
Distribution: unstable
Urgency: medium
Maintainer: Rob Browning <rlb@defaultvalue.org>
Changed-By: Rob Browning <rlb@defaultvalue.org>
Description:
 guile-2.0  - GNU extension language and Scheme interpreter
 guile-2.0-dev - Development files for Guile 2.0
 guile-2.0-doc - Documentation for Guile 2.0
 guile-2.0-libs - Core Guile libraries
Closes: 840555
Changes:
 guile-2.0 (2.0.13+1-1) unstable; urgency=medium
 .
   * Merge upstream version 2.0.13.
     Remove patches that are no longer needed:
       0002-Recognize-more-ARM-targets.patch
       0003-Recognize-m68k-s390x-and-sh4-as-compilation-targets.patch
       0004-Do-not-assume-that-64-bit-integers-will-be-64-bit-al.patch
       0005-VM-Use-register-a3-for-IP_REG-on-m68k.patch
       0006-build-Use-libtoolize-in-autogen.sh.patch
       0007-VM-ASM_MUL-for-ARM-Add-earlyclobber-constraint-to-th.patch
       0008-VM-Allow-the-C-compiler-to-choose-FP_REG-on-ARM.patch
       0009-web-Keep-the-default-size-for-the-client-s-in-kernel.patch
       0010-Fix-shrinking-of-contiguous-bytevectors-as-from-get-.patch
       0011-Fix-bit-count-bug.patch
       0012-Handle-p-in-format-warnings.patch
       0013-Document-prefix-option-in-use-module-clauses.patch
       0014-Fix-SCM_SMOB_OBJECT-_-_0_-_1_-_2_-_3_-LOC.patch
       0015-peval-Handle-optional-argument-inits-that-refer-to-p.patch
     (Closes: 840555 840556)
 .
   * Update debian/copyright for 2.0.13




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 09:54:10 GMT)

Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 02:00:13 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 10:04:31 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:27:15 2019; Machine Name: beach
