Debian Bug report logs -
#677594
CVE-2012-3291: Heap-based buffer overflow in OpenConnect
Reported by: Henri Salo <henri@nerv.fi>
Date: Fri, 15 Jun 2012 08:15:01 UTC
Severity: important
Tags: security
Found in version openconnect/2.25-0.1
Fixed in versions openconnect/3.20-1, 2.25-0.1+squeeze1
Done: Mike Miller <mtmiller@ieee.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Mike Miller <mtmiller@ieee.org>
:
Bug#677594
; Package openconnect
.
(Fri, 15 Jun 2012 08:15:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Henri Salo <henri@nerv.fi>
:
New Bug report received and forwarded. Copy sent to Mike Miller <mtmiller@ieee.org>
.
(Fri, 15 Jun 2012 08:15:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: openconnect
Version: 2.25-0.1
Severity: important
Tags: security
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3291 "Heap-based buffer overflow in OpenConnect 3.18 allows remote servers to cause a denial of service via a crafted greeting banner."
squeeze has 2.25-0.1, which seems to be vulnerable
wheezy has 3.20-1, which should be fine
sid has 3.20-2, which should be fine
References:
http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/14cae65318d3ef1f7d449e463b72b6934e82f1c2
http://www.infradead.org/openconnect/changelog.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/079747.html
-- System Information:
Debian Release: 6.0.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.4.1 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Marked as fixed in versions openconnect/3.20-1.
Request was from Henri Salo <henri@nerv.fi>
to control@bugs.debian.org
.
(Fri, 15 Jun 2012 08:21:10 GMT) (full text, mbox, link).
Reply sent
to Mike Miller <mtmiller@ieee.org>
:
You have taken responsibility.
(Thu, 21 Jun 2012 00:39:06 GMT) (full text, mbox, link).
Notification sent
to Henri Salo <henri@nerv.fi>
:
Bug acknowledged by developer.
(Thu, 21 Jun 2012 00:39:06 GMT) (full text, mbox, link).
Message #12 received at 677594-done@bugs.debian.org (full text, mbox, reply):
Version: 2.25-0.1+squeeze1
This vulnerability was fixed in this security update to squeeze.
http://www.debian.org/security/2012/dsa-2495
--
mike
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Thu, 19 Jul 2012 07:35:50 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:29:56 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.