ntfs-3g: CVE-2021-33285 CVE-2021-35269 CVE-2021-35268 CVE-2021-33289 CVE-2021-33286 CVE-2021-35266 CVE-2021-33287 CVE-2021-35267 CVE-2021-39251 CVE-2021-39252 CVE-2021-39253 CVE-2021-39254 CVE-2021-39255 CVE-2021-39256 CVE-2021-39257 CVE-2021-39258 CVE-2021-39259 CVE-2021-39260 CVE-2021-39261 CVE-2021-39262 CVE-2021-39263

Debian Bug report logs - #988386
Reported by: Jeremy Galindo <jgalindo@datto.com>

Date: Tue, 11 May 2021 16:03:02 UTC

Severity: grave

Tags: fixed-upstream, upstream

Found in versions ntfs-3g/1:2017.3.23AR.3-4, 2017.3.23AR.3



Report forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#988386; Package ntfs-3g. (Tue, 11 May 2021 16:03:04 GMT)


Acknowledgement sent to Jeremy Galindo <jgalindo@datto.com>:
New Bug report received and forwarded. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 11 May 2021 16:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Jeremy Galindo <jgalindo@datto.com>
To: submit@bugs.debian.org
Subject: Reporting CVE's from upstream
Date: Tue, 11 May 2021 12:00:40 -0400
Package: ntfs-3g
Version: 2017.3.23AR.3

For CVE's pending from upstream, is everything already mirrored so upstream
fixes are applied in the next release? I'm asking because the upstream
maintainers are trying to identify how soon their fixes will be applied to
your packages.

Thanks,




-- 

*Jeremy Galindo* Associate Mgr., Offensive Security
Datto, Inc. Direct Line www.datto.com
<http://www.datto.com/datto-signature/>


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#988386; Package ntfs-3g. (Tue, 11 May 2021 19:51:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 11 May 2021 19:51:03 GMT)


Message #10 received at 988386@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jeremy Galindo <jgalindo@datto.com>, 988386@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#988386: Reporting CVE's from upstream
Date: Tue, 11 May 2021 21:47:36 +0200
Control: tags -1 + moreinfo

Hi

[disclaimer, not the maintainer here]

On Tue, May 11, 2021 at 12:00:40PM -0400, Jeremy Galindo wrote:
> Package: ntfs-3g
> Version: 2017.3.23AR.3
> 
> For CVE's pending from upstream, is everything already mirrored so upstream
> fixes are applied in the next release? I'm asking because the upstream
> maintainers are trying to identify how soon their fixes will be applied to
> your packages.

Can you be more specific, which CVEs are you referring to?

Regards,
Salvatore



Added tag(s) moreinfo. Request was from Salvatore Bonaccorso <carnil@debian.org> to 988386-submit@bugs.debian.org. (Tue, 11 May 2021 19:51:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#988386; Package ntfs-3g. (Tue, 11 May 2021 21:09:02 GMT)


Acknowledgement sent to Jeremy Galindo <jgalindo@datto.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 11 May 2021 21:09:02 GMT)


Message #17 received at 988386@bugs.debian.org:

From: Jeremy Galindo <jgalindo@datto.com>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 988386@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#988386: Reporting CVE's from upstream
Date: Tue, 11 May 2021 16:58:09 -0400
They're awaiting confirmation from MITRE, but the upstream maintainers
wanted to be able to answer the question:

> And what, in your opinion, will be the distributions wanting to do ?
> Either fix their current release version or upgrade to the latest one ?
> Will they want the individual patches or switch to the new tarball ?
> Rebasing the patches to an old version should be easy enough, but this
> could lead to some complexity in managing the update reports (Fedora
> and Ubuntu are not currently releasing the same version).
>

On Tue, May 11, 2021 at 3:47 PM Salvatore Bonaccorso <carnil@debian.org>
wrote:

> Control: tags -1 + moreinfo
>
> Hi
>
> [disclaimer, not the maintainer here]
>
> On Tue, May 11, 2021 at 12:00:40PM -0400, Jeremy Galindo wrote:
> > Package: ntfs-3g
> > Version: 2017.3.23AR.3
> >
> > For CVE's pending from upstream, is everything already mirrored so upstream
> > fixes are applied in the next release? I'm asking because the upstream
> > maintainers are trying to identify how soon their fixes will be applied to
> > your packages.
>
> Can you be more specific, which CVEs are you referring to?
>
> Regards,
> Salvatore
>
>

-- 

*Jeremy Galindo* Associate Mgr., Offensive Security
Datto, Inc. Direct Line www.datto.com
<http://www.datto.com/datto-signature/>


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#988386; Package ntfs-3g. (Wed, 12 May 2021 06:15:03 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Wed, 12 May 2021 06:15:03 GMT)


Message #22 received at 988386@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: Jeremy Galindo <jgalindo@datto.com>, 988386@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#988386: Reporting CVE's from upstream
Date: Wed, 12 May 2021 08:13:42 +0200
Control: tags -1 -moreinfo

Hi Jeremy,

On Tue, May 11, 2021 at 11:09 PM Jeremy Galindo <jgalindo@datto.com> wrote:
> They're awaiting confirmation from MITRE, but the upstream maintainers wanted to be able to answer the question:
>
>> And what, in your opinion, will be the distributions wanting to do ?
>> Either fix their current release version or upgrade to the latest one ?
>> Will they want the individual patches or switch to the new tarball ?
>> Rebasing the patches to an old version should be easy enough, but this
>> could lead to some complexity in managing the update reports (Fedora
>> and Ubuntu are not currently releasing the same version).

Current Debian release is in a deep freeze state. Important and
serious bug fixes are still accepted, but not other changes and
especially not new upstream releases.
Next stable Debian will be released with the ntfs-3g 2017.3.23AR.3
version. Can you provide patch(es) for this or should I do those? If
there's sensitive information, we can continue in private until a
coordinated security update. Please include the Security Team in the
communication then.

> On Tue, May 11, 2021 at 3:47 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
>> On Tue, May 11, 2021 at 12:00:40PM -0400, Jeremy Galindo wrote:
>> > For CVE's pending from upstream, is everything already mirrored so upstream
>> > fixes are applied in the next release? I'm asking because the upstream
>> > maintainers are trying to identify how soon their fixes will be applied to
>> > your packages.
>>
>> Can you be more specific, which CVEs are you referring to?

Thanks Salvatore for the followup, the original mail landed in my
spam folder and I wouldn't see that for a day or two otherwise.

Regards,
Laszlo/GCS



Removed tag(s) moreinfo. Request was from László Böszörményi (GCS) <gcs@debian.org> to 988386-submit@bugs.debian.org. (Wed, 12 May 2021 06:15:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#988386; Package ntfs-3g. (Thu, 02 Sep 2021 07:15:02 GMT)


Acknowledgement sent to Amr Ibrahim <amribrahim1987@hotmail.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Thu, 02 Sep 2021 07:15:02 GMT)


Message #29 received at 988386@bugs.debian.org:

From: Amr Ibrahim <amribrahim1987@hotmail.com>
To: "988386@bugs.debian.org" <988386@bugs.debian.org>
Subject: ntfs-3g is now on GitHub
Date: Thu, 2 Sep 2021 07:10:24 +0000
ntfs-3g is now on GitHub.
https://github.com/tuxera/ntfs-3g

The security vulnerabilities are resolved in version 2021.8.22.
https://www.openwall.com/lists/oss-security/2021/08/30/1

Changed Bug title to 'ntfs-3g: CVE-2021-33285 CVE-2021-35269 CVE-2021-35268 CVE-2021-33289 CVE-2021-33286 CVE-2021-35266 CVE-2021-33287 CVE-2021-35267 CVE-2021-39251 CVE-2021-39252 CVE-2021-39253 CVE-2021-39254 CVE-2021-39255 CVE-2021-39256 CVE-2021-39257 CVE-2021-39258 CVE-2021-39259 CVE-2021-39260 CVE-2021-39261 CVE-2021-39262 CVE-2021-39263' from 'Reporting CVE's from upstream'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 Sep 2021 20:48:02 GMT)


Severity set to 'grave' from 'normal'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 Sep 2021 20:48:02 GMT)


Marked as found in versions ntfs-3g/1:2017.3.23AR.3-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 Sep 2021 20:48:03 GMT)


Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 02 Sep 2021 20:48:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Sep 3 16:20:34 2021; Machine Name: buxtehude
