CVE-2018-16886


Debian Bug report logs - #923008
CVE-2018-16886


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 22 Feb 2019 22:33:02 UTC

Severity: grave

Tags: security, upstream

Found in version etcd/3.2.18+dfsg-1

Fixed in version etcd/3.2.26+dfsg-1

Done: Shengjing Zhu <zhsj@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/etcd-io/etcd/pull/10366




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>:
Bug#923008; Package src:etcd. (Fri, 22 Feb 2019 22:33:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Go Packaging Team <pkg-go-maintainers@lists.alioth.debian.org>. (Fri, 22 Feb 2019 22:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-16886
Date: Fri, 22 Feb 2019 23:28:46 +0100
Source: etcd
Severity: grave
Tags: security

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16886 and
https://security-tracker.debian.org/tracker/CVE-2018-16886

Cheers,
        Moritz



Marked as found in versions etcd/3.2.18+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 Feb 2019 22:54:03 GMT)


Set Bug forwarded-to-address to 'https://github.com/etcd-io/etcd/pull/10366'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 Feb 2019 22:54:03 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 Feb 2019 22:54:04 GMT)


Reply sent to Shengjing Zhu <zhsj@debian.org>:
You have taken responsibility. (Sat, 23 Feb 2019 21:39:07 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 23 Feb 2019 21:39:07 GMT)


Message #16 received at 923008-close@bugs.debian.org:

From: Shengjing Zhu <zhsj@debian.org>
To: 923008-close@bugs.debian.org
Subject: Bug#923008: fixed in etcd 3.2.26+dfsg-1
Date: Sat, 23 Feb 2019 21:34:12 +0000
Source: etcd
Source-Version: 3.2.26+dfsg-1

We believe that the bug you reported is fixed in the latest version of
etcd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 923008@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Shengjing Zhu <zhsj@debian.org> (supplier of updated etcd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 24 Feb 2019 02:26:48 +0800
Source: etcd
Architecture: source
Version: 3.2.26+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Shengjing Zhu <zhsj@debian.org>
Closes: 923008
Changes:
 etcd (3.2.26+dfsg-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Arnaud Rebillout ]
   * {Build-,}Depends on golang-github-xiang90-probing-dev (>= 0.0.1~)
   * Build-Depends on golang-any (>= 2:1.10~)
 .
   [ Shengjing Zhu ]
   * New upstream release v3.2.26
     + Address CVE-2018-16886 (Closes: #923008)
       Disable CommonName authentication for gRPC-gateway
       gRPC-gateway proxy requests to etcd server use the etcd
       client server TLS certificate. If that certificate contains
       CommonName we do not want to use that for authentication as
       it could lead to permission escalation.
   * Remove pgpsigurlmangle in debian/watch.
     Upstream didn't sign the source tarball since v3.2.26
   * Update pkg-go team address to team+pkg-go@tracker.debian.org
   * Update debhelper and compat to 11
   * Update etcd server default env from upstream docs
   * Remove etcd-dump-db, etcd-dump-logs in etcd-client package
     upstream didn't provide these tools in v3.2.26 tarball
   * Add golang-go.uber-zap-dev to {Build-,}Depends
   * Remove socket files created during test phase




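The mitigation the changelog entry describes (do not derive a user identity from the TLS CommonName when the request was proxied by the gRPC-gateway, because the gateway presents the server's own client certificate on every proxied call), as an added illustrative example in Go. This is not etcd's code: the `AuthInfo` type, the `authInfoFromTLS` function and the certificate chain are constructed here, and the `grpcgateway-accept` metadata key is assumed to be the marker the gateway attaches to proxied requests.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// AuthInfo is the identity attached to a request (type constructed for this example).
type AuthInfo struct {
	Username string
}

// gatewayHeader is the metadata key assumed to mark a request that the
// embedded gRPC-gateway translated from HTTP/JSON into gRPC.
const gatewayHeader = "grpcgateway-accept"

// authInfoFromTLS maps the leaf certificate's CommonName to a username, as
// client-cert auth does. If the request carries the gateway marker, a CN is
// present only because the gateway used the server's client certificate, so
// it is refused and the caller must authenticate with a token instead.
// The second result reports whether a CN was present but deliberately ignored.
func authInfoFromTLS(chains [][]*x509.Certificate, md map[string][]string) (*AuthInfo, bool) {
	for _, chain := range chains {
		if len(chain) == 0 {
			continue
		}
		cn := chain[0].Subject.CommonName
		if cn == "" {
			continue
		}
		if len(md[gatewayHeader]) > 0 {
			return nil, true // proxied request: never inherit the proxy's CN
		}
		return &AuthInfo{Username: cn}, false
	}
	return nil, false // no usable client certificate: token auth or anonymous
}

func main() {
	// Constructed chain: a leaf certificate whose CN is the privileged user "root".
	chains := [][]*x509.Certificate{{&x509.Certificate{Subject: pkix.Name{CommonName: "root"}}}}
	direct, _ := authInfoFromTLS(chains, map[string][]string{})
	viaGateway, refused := authInfoFromTLS(chains, map[string][]string{gatewayHeader: {"application/json"}})
	fmt.Printf("direct gRPC client: %+v\n", direct)
	fmt.Printf("via gRPC-gateway: %v (CN refused: %v)\n", viaGateway, refused)
}
```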

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Mar 2019 07:25:20 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:57:30 2019; Machine Name: buxtehude
