
Debian Bug report logs - #827116
iperf3: CVE-2016-4303: JSON parsing vulnerability


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 12 Jun 2016 12:57:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version iperf3/3.0.7-1

Fixed in version iperf3/3.1.3-1

Done: Raoul Gunnar Borenius <borenius@dfn.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Raoul Gunnar Borenius <borenius@dfn.de>:
Bug#827116; Package src:iperf3. (Sun, 12 Jun 2016 12:57:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Raoul Gunnar Borenius <borenius@dfn.de>. (Sun, 12 Jun 2016 12:57:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: iperf3: CVE-2016-4303: JSON parsing vulnerability
Date: Sun, 12 Jun 2016 14:52:11 +0200
Source: iperf3
Version: 3.0.7-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for iperf3.

CVE-2016-4303[0]:
JSON parsing vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-4303
[1] https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Raoul Gunnar Borenius <borenius@dfn.de>:
Bug#827116; Package src:iperf3. (Mon, 20 Jun 2016 12:09:11 GMT)


Acknowledgement sent to Raoul Borenius <borenius@dfn.de>:
Extra info received and forwarded to list. Copy sent to Raoul Gunnar Borenius <borenius@dfn.de>. (Mon, 20 Jun 2016 12:09:11 GMT)


Message #10 received at 827116@bugs.debian.org:

From: Raoul Borenius <borenius@dfn.de>
To: Salvatore Bonaccorso <carnil@debian.org>, 827116@bugs.debian.org
Subject: Re: Bug#827116: iperf3: CVE-2016-4303: JSON parsing vulnerability
Date: Mon, 20 Jun 2016 14:06:18 +0200
Hello Salvatore,

On Sun, Jun 12, 2016 at 02:52:11PM +0200, Salvatore Bonaccorso wrote:
> Source: iperf3
> Version: 3.0.7-1
> Severity: grave
> Tags: security upstream fixed-upstream
> 
> Hi,
> 
> the following vulnerability was published for iperf3.
> 
> CVE-2016-4303[0]:
> JSON parsing vulnerability
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2016-4303
> [1] https://raw.githubusercontent.com/esnet/security/master/cve-2016-4303/esnet-secadv-2016-0001.txt.asc

Thanks for pointing that out! I've packaged the newest iperf3 and
uploaded it to mentors:

https://mentors.debian.net/package/iperf3

Could you sponsor the upload to unstable?

Fixing the vulnerability in stable is not possible for me.
Do I need to/Can I contact the security team for support?

 Thanks,

  Raoul
[smime.p7s (application/x-pkcs7-signature, attachment)]

Reply sent to Raoul Gunnar Borenius <borenius@dfn.de>:
You have taken responsibility. (Wed, 22 Jun 2016 22:27:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 22 Jun 2016 22:27:05 GMT)


Message #15 received at 827116-close@bugs.debian.org:

From: Raoul Gunnar Borenius <borenius@dfn.de>
To: 827116-close@bugs.debian.org
Subject: Bug#827116: fixed in iperf3 3.1.3-1
Date: Wed, 22 Jun 2016 22:24:30 +0000
Source: iperf3
Source-Version: 3.1.3-1

We believe that the bug you reported is fixed in the latest version of
iperf3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 827116@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raoul Gunnar Borenius <borenius@dfn.de> (supplier of updated iperf3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 22 Jun 2016 17:01:13 +0200
Source: iperf3
Binary: iperf3 libiperf0 libiperf-dev
Architecture: source
Version: 3.1.3-1
Distribution: unstable
Urgency: medium
Maintainer: Raoul Gunnar Borenius <borenius@dfn.de>
Changed-By: Raoul Gunnar Borenius <borenius@dfn.de>
Description:
 iperf3     - Internet Protocol bandwidth measuring tool
 libiperf-dev - Internet Protocol bandwidth measuring tool (development files)
 libiperf0  - Internet Protocol bandwidth measuring tool (runtime files)
Closes: 827116
Changes:
 iperf3 (3.1.3-1) unstable; urgency=medium
 .
   * new upstream version which fixes CVE-2016-4303 (Closes: #827116)
   * enabled hardening flags
   * bumped standards version to 3.9.8
Checksums-Sha1:
 106d5271f887e41ad091ce2244ec1914591e050a 1797 iperf3_3.1.3-1.dsc
 04fdab968f7c20fe5410fb5e1c88b18b1c5ac29a 546899 iperf3_3.1.3.orig.tar.gz
 0088a874371e0a3409a8d0dfd498ac0372c6b117 4276 iperf3_3.1.3-1.debian.tar.xz
Checksums-Sha256:
 9b3fa476200bdac4ede98dbeeb469ef3fceecf0174ea9eeb553e4bfbc05bf262 1797 iperf3_3.1.3-1.dsc
 60d8db69b1d74a64d78566c2317c373a85fef691b8d277737ee5d29f448595bf 546899 iperf3_3.1.3.orig.tar.gz
 cb506206a77caab6c746b65b38528af07c4ec21d9cedbe17b9bb2ffbdf645076 4276 iperf3_3.1.3-1.debian.tar.xz
Files:
 76225b0b0aa27b4cea361c7282f40764 1797 net optional iperf3_3.1.3-1.dsc
 3fb849c24a2370af60687cf673b67bc7 546899 net optional iperf3_3.1.3.orig.tar.gz
 1eab2db9936b956d021abb4d7b0533e0 4276 net optional iperf3_3.1.3-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
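The Checksums-Sha256 stanza in the signed .changes above is what a downstream consumer should check before building this upload from source. The following is an added example and is not part of the bug report or of Debian's own tooling (in practice `dscverify` from devscripts does this job): it parses that stanza, refuses path-traversal names, and compares the size and SHA-256 of files in a directory against it. The sample excerpt is copied from the .changes above; the files used in `demo()` are constructed stand-ins, since the real tarballs are not on this page. Hash checking only adds assurance once the enclosing PGP signature has been verified against the uploader's key, a step the example assumes has already been done and does not perform.

```python
import hashlib
import os
import re
import tempfile

# Sample input, copied from the iperf3 3.1.3-1 .changes on this page.
# Only the SHA-256 stanza is trusted; the MD5 'Files' stanza is ignored.
CHANGES_EXCERPT = """\
Checksums-Sha256:
 9b3fa476200bdac4ede98dbeeb469ef3fceecf0174ea9eeb553e4bfbc05bf262 1797 iperf3_3.1.3-1.dsc
 60d8db69b1d74a64d78566c2317c373a85fef691b8d277737ee5d29f448595bf 546899 iperf3_3.1.3.orig.tar.gz
 cb506206a77caab6c746b65b38528af07c4ec21d9cedbe17b9bb2ffbdf645076 4276 iperf3_3.1.3-1.debian.tar.xz
Files:
 76225b0b0aa27b4cea361c7282f40764 1797 net optional iperf3_3.1.3-1.dsc
"""


def parse_checksums_sha256(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 stanza."""
    entries = {}
    in_stanza = False
    for line in changes_text.splitlines():
        if not line.startswith(" "):  # unindented lines are field headers
            in_stanza = line.strip() == "Checksums-Sha256:"
            continue
        if not in_stanza:
            continue
        m = re.match(r"\s*([0-9a-f]{64})\s+(\d+)\s+(\S+)$", line)
        if not m:
            raise ValueError("malformed Checksums-Sha256 line: %r" % line)
        digest, size, name = m.groups()
        if "/" in name or name in (".", ".."):  # never let a .changes name a path
            raise ValueError("unsafe filename in .changes: %r" % name)
        entries[name] = (digest, int(size))
    return entries


def sha256_file(path):
    """Stream a file through SHA-256 so large tarballs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(directory, entries):
    """Check each listed file; return {name: ok|missing|size-mismatch|sha256-mismatch}.

    Size is a cheap pre-check; the digest is what decides.
    """
    results = {}
    for name, (digest, size) in entries.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif os.path.getsize(path) != size:
            results[name] = "size-mismatch"
        elif sha256_file(path) != digest:
            results[name] = "sha256-mismatch"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed run: one intact file, one tampered (same size), one absent."""
    good = b"constructed stand-in for a source artifact\n"
    entries = {
        "good.tar.gz": (hashlib.sha256(good).hexdigest(), len(good)),
        "tampered.dsc": (hashlib.sha256(good).hexdigest(), len(good)),
        "absent.tar.xz": ("0" * 64, 1),
    }
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.tar.gz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "tampered.dsc"), "wb") as f:
            f.write(good[:-1] + b"!")  # same length, last byte changed
        return verify_directory(d, entries)


if __name__ == "__main__":
    print(parse_checksums_sha256(CHANGES_EXCERPT))
    print(demo())
```

Run against a directory holding the real `iperf3_3.1.3-1.dsc`, `iperf3_3.1.3.orig.tar.gz` and `iperf3_3.1.3-1.debian.tar.xz`, `verify_directory(".", parse_checksums_sha256(changes))` reports "ok" for all three only if every byte matches the signed record; a "size-mismatch" or "sha256-mismatch" on the orig tarball is the signal to stop and fetch it again from the archive rather than build.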




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 08:05:36 GMT)


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:49:16 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:31:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:25:35 2019; Machine Name: buxtehude
