node-sshpk: CVE-2018-3737

Debian Bug report logs - #901093

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 8 Jun 2018 21:12:04 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version node-sshpk/1.13.1+dfsg-1

Fixed in version node-sshpk/1.13.1+dfsg-2

Done: Xavier Guimard <yadd@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/joyent/node-sshpk/issues/44


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#901093; Package src:node-sshpk. (Fri, 08 Jun 2018 21:12:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Fri, 08 Jun 2018 21:12:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-sshpk: CVE-2018-3737
Date: Fri, 08 Jun 2018 23:09:21 +0200
Source: node-sshpk
Version: 1.13.1+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/joyent/node-sshpk/issues/44

Hi,

The following vulnerability was published for node-sshpk.

CVE-2018-3737[0]:
| sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-3737
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3737
[1] https://github.com/joyent/node-sshpk/issues/44
[2] https://github.com/joyent/node-sshpk/commit/46065d38a5e6d1bccf86d3efb2fb83c14e3f9957

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 14 Jun 2018 17:24:04 GMT)


Reply sent to Xavier Guimard <yadd@debian.org>:
You have taken responsibility. (Tue, 16 Apr 2019 05:21:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 16 Apr 2019 05:21:03 GMT)


Message #12 received at 901093-close@bugs.debian.org:

From: Xavier Guimard <yadd@debian.org>
To: 901093-close@bugs.debian.org
Subject: Bug#901093: fixed in node-sshpk 1.13.1+dfsg-2
Date: Tue, 16 Apr 2019 05:18:41 +0000
Source: node-sshpk
Source-Version: 1.13.1+dfsg-2

We believe that the bug you reported is fixed in the latest version of
node-sshpk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901093@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated node-sshpk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 16 Apr 2019 06:57:20 +0200
Source: node-sshpk
Architecture: source
Version: 1.13.1+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 901093
Changes:
 node-sshpk (1.13.1+dfsg-2) unstable; urgency=medium
 .
   * Team upload
 .
   [ Pirate Praveen ]
   * Enable nocheck build profile
 .
   [ Xavier Guimard ]
   * Declare compliance with policy 4.3.0
   * Add patch to fix ReDoS when parsing crafted invalid public keys
     (Closes: #901093, CVE-2018-3737)
   * Fix VCS fields
   * Fix debian/copyright format URL
   * Add descriptions in patches
   * Add upstream/metadata





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 16 May 2019 07:27:57 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:45:21 2019; Machine Name: beach