Debian Bug report logs -
#872844
connman: [CVE-2017-12865] stack overflow in dns proxy feature
Reported by: Luciano Bello <luciano@debian.org>
Date: Mon, 21 Aug 2017 19:42:01 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in version connman/1.21-1.2
Fixed in versions connman/1.35-1, connman/1.33-3+deb9u1, connman/1.21-1.2+deb8u1
Done: Luciano Bello <luciano@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-, Alexander Sack <asac@debian.org>:
Bug#872844; Package connman.
(Mon, 21 Aug 2017 19:42:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-, Alexander Sack <asac@debian.org>.
(Mon, 21 Aug 2017 19:42:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: connman
X-Debbugs-CC: team@security.debian.org secure-testing-
team@lists.alioth.debian.org
Severity: grave
Version: 1.33-3
Tags: security patch
Hi,
the following vulnerability was published for connman.
CVE-2017-12865[0]:
stack overflow in dns proxy feature
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
The commit that fix the vulnerability can be found here: https://
git.kernel.org/pub/scm/network/connman/connman.git/commit/?
id=5c281d182ecdd0a424b64f7698f32467f8f67b71
The vulnerability was fixed in 1.35, therefore sid and buster are not
affected.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-12865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12865
Please adjust the affected versions in the BTS as needed.
Severity set to 'grave' from 'normal'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 21 Aug 2017 19:48:07 GMT) (full text, mbox, link).
Marked as found in versions connman/1.21-1.2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 21 Aug 2017 19:48:07 GMT) (full text, mbox, link).
Added tag(s) patch, security, fixed-upstream, and upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 21 Aug 2017 19:48:08 GMT) (full text, mbox, link).
Marked as fixed in versions connman/1.35-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 21 Aug 2017 19:51:08 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#872844; Package connman.
(Wed, 30 Aug 2017 10:18:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>.
(Wed, 30 Aug 2017 10:18:03 GMT) (full text, mbox, link).
Message #18 received at 872844@bugs.debian.org (full text, mbox, reply):
Hello Alf,
The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of connman:
https://security-tracker.debian.org/tracker/CVE-2017-12865
Would you like to take care of this yourself?
If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development
If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.
If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.
You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of connman updates
for the LTS releases.
Thank you very much.
Raphaël Hertzog,
on behalf of the Debian LTS team.
PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Reply sent
to Luciano Bello <luciano@debian.org>:
You have taken responsibility.
(Thu, 07 Sep 2017 21:21:03 GMT) (full text, mbox, link).
Notification sent
to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer.
(Thu, 07 Sep 2017 21:21:03 GMT) (full text, mbox, link).
Message #23 received at 872844-close@bugs.debian.org (full text, mbox, reply):
Source: connman
Source-Version: 1.33-3+deb9u1
We believe that the bug you reported is fixed in the latest version of
connman, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 872844@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luciano Bello <luciano@debian.org> (supplier of updated connman package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 23 Aug 2017 10:25:30 -0400
Source: connman
Binary: connman connman-vpn connman-dev connman-doc
Architecture: source amd64 all
Version: 1.33-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Alexander Sack <asac@debian.org>
Changed-By: Luciano Bello <luciano@debian.org>
Description:
connman - Intel Connection Manager daemon
connman-dev - Development files for connman
connman-doc - ConnMan documentation
connman-vpn - Intel Connection Manager daemon - VPN daemon
Closes: 872844
Changes:
connman (1.33-3+deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2017-12865: Fix crash on malformed DNS response (Closes: #872844)
Checksums-Sha1:
2973809c20cfe8a79a32c76b959885cd77e9ba4b 2362 connman_1.33-3+deb9u1.dsc
cd5fa114a3148f74953c5722022d36bb97e8d14a 958059 connman_1.33.orig.tar.gz
339c7788e6154ff3fb8279b677c8b7e4d9a086d4 12720 connman_1.33-3+deb9u1.debian.tar.xz
e9665dd87130ec31d03854cba5d7e94e5058f81a 1249786 connman-dbgsym_1.33-3+deb9u1_amd64.deb
df1832656f32b54704f83cffb2c5dc2d4fdf92c9 26898 connman-dev_1.33-3+deb9u1_amd64.deb
dc40c554eebc65cc492bd78aeb7c309970cab338 62332 connman-doc_1.33-3+deb9u1_all.deb
551bdaa26c3934bcf1b87628895683b93cc8dbc6 398600 connman-vpn-dbgsym_1.33-3+deb9u1_amd64.deb
e23ba31c96bb498f2ec7dcdde0a7ae8d11207966 122800 connman-vpn_1.33-3+deb9u1_amd64.deb
fb5dc24369f9ea6471ca82478a0c635112e2da38 9315 connman_1.33-3+deb9u1_amd64.buildinfo
d1dccabaf7096ee51d5e31e05b7eb5513139be54 389784 connman_1.33-3+deb9u1_amd64.deb
Checksums-Sha256:
0bc1bbcdad34144b6a643e684154fcf938a41f55b1eec4fcccb9492e49806ac0 2362 connman_1.33-3+deb9u1.dsc
5a9abae1573fa367269df8bd92792de407fd15c7ac6c1448d07a24a5d6b5b831 958059 connman_1.33.orig.tar.gz
82add34e73aa3eb8031d11be5180c6d23471547757b458448de8c095b6cc2d71 12720 connman_1.33-3+deb9u1.debian.tar.xz
99cf9b319635d6f62d3a48cbd571392136cee7be87683be7de8abd751ea1d3d0 1249786 connman-dbgsym_1.33-3+deb9u1_amd64.deb
f9cc2c5e359c661ac38c862806a2fd0b9fa6835a28b856da8316d89f6914e56d 26898 connman-dev_1.33-3+deb9u1_amd64.deb
a17b7e6465eaefd71b4b8c933ecdab1f7646e4b816980746013cad4c6d23da4f 62332 connman-doc_1.33-3+deb9u1_all.deb
ed2347ee6e3ff203894dcc7e8b6db171a5575a888e6861e7b5ba3ea5816899b6 398600 connman-vpn-dbgsym_1.33-3+deb9u1_amd64.deb
14766adfa9a9e4af3c16344962ec3dd1b13277806dc99161f2bea8557b26d9f2 122800 connman-vpn_1.33-3+deb9u1_amd64.deb
bed503b05b9308ad9aae6662ed71eddbf2b327e1f8750f85ce88bf7c8260fde4 9315 connman_1.33-3+deb9u1_amd64.buildinfo
7bbad0ca6f61dfeb703e24977f25e1e9c9cf5c368fe7357e12dace4a6a5dbc30 389784 connman_1.33-3+deb9u1_amd64.deb
Files:
0937bf11dc210cb6c9fe94107d76eded 2362 net optional connman_1.33-3+deb9u1.dsc
48d3e878d31efd4854fc9b66e29622c1 958059 net optional connman_1.33.orig.tar.gz
3427d084c84207f9ed2fee2ef59a3020 12720 net optional connman_1.33-3+deb9u1.debian.tar.xz
b108262ba5eff77b0e2fac8dd9c05bff 1249786 debug extra connman-dbgsym_1.33-3+deb9u1_amd64.deb
15f225b4d1506547464069a1f7741a6e 26898 devel optional connman-dev_1.33-3+deb9u1_amd64.deb
b5467b2fcc0a6aeecf3144ef8ccf8b08 62332 doc optional connman-doc_1.33-3+deb9u1_all.deb
ef536f052452c802bd90d234b3da8839 398600 debug extra connman-vpn-dbgsym_1.33-3+deb9u1_amd64.deb
8c1aaa09536c09611a9d2a571fdfe008 122800 net optional connman-vpn_1.33-3+deb9u1_amd64.deb
fdb03352bc82611465e50f00918ffa79 9315 net optional connman_1.33-3+deb9u1_amd64.buildinfo
c2bcb220676d15e0f7d71d16f46e0021 389784 net optional connman_1.33-3+deb9u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlmjO+kACgkQbsLe9o/+
N3QTww/9EU+mG4JYHN20qG5XZh52KEpHqzwcM3PKiIrBFzI/ufJg5lilbPTkNvuD
b8JCL0e1iiNSd3OdVJF9V12v+MMzOUCSFk7vOrWjMXmWKqFLpeZowQBbtFlaGI0j
D0SUphRmxVpuhiD9BExqlYTYvSN4CcM/bRNPLZOjd54oQqzFF/Pm5ZMk3CuELgFj
VgM7kgfD5zdTQW2aycNnDvaMkLGlcIShmuYD3jnqs8w/V3CE/8YAXCyO3UfkaPK5
V+lWCQboBFVxVXM3UNR9hR43k7mUO1mHMUa2k69C+QFwfvsBv13/H6M6Rge/4XWs
AkJoKlQXyraqV6BSF6o3Lto3lA4syglxGt/DFQZ7Gy66sli5wL7ho/0gMnnJJnug
Whmrd/fFca9cGP+9pnTf/tDQZXdHUR6l3YTk37yLTkjGkc3+yZo/m0nW2kMKr4wT
hd/BF0JbqN9xGVlw0ONBG7XOiIozI6sapvmnkpUiGZyZV4+pAG1XOMEAgiTdOTfx
3o6Z4Dks2X6I3gx9rxybXMOegfa1HgkU4KPvHAbcEJrF18mK+jq0wbv8jG/hj14j
+gYDxbMhNJ0yKfWXG+++82x0bWu2izs67BW6R3kzyicUFuPhf6Ivmjls58CucrYw
94ivvCnBgVl25jWYX5iYYOHYL2/t8ddzrITRT6ZYQGJQ3Jyi5bE=
=WsnJ
-----END PGP SIGNATURE-----
Reply sent
to Luciano Bello <luciano@debian.org>:
You have taken responsibility.
(Fri, 08 Sep 2017 21:21:06 GMT) (full text, mbox, link).
Notification sent
to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer.
(Fri, 08 Sep 2017 21:21:06 GMT) (full text, mbox, link).
Message #28 received at 872844-close@bugs.debian.org (full text, mbox, reply):
Source: connman
Source-Version: 1.21-1.2+deb8u1
We believe that the bug you reported is fixed in the latest version of
connman, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 872844@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luciano Bello <luciano@debian.org> (supplier of updated connman package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 23 Aug 2017 10:29:30 -0400
Source: connman
Binary: connman connman-vpn connman-dev connman-doc
Architecture: source amd64 all
Version: 1.21-1.2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Alexander Sack <asac@debian.org>
Changed-By: Luciano Bello <luciano@debian.org>
Description:
connman - Intel Connection Manager daemon
connman-dev - Development files for connman
connman-doc - ConnMan documentation
connman-vpn - Intel Connection Manager daemon - VPN daemon
Closes: 872844
Changes:
connman (1.21-1.2+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2017-12865: Fix crash on malformed DNS response (Closes: #872844)
Checksums-Sha1:
e4ea70680b9b2dcdf3944657e41576f19cb66e72 2306 connman_1.21-1.2+deb8u1.dsc
d86def5830061b437cb3129563abb374a4595200 574726 connman_1.21.orig.tar.gz
4ab1a10bd4b782f19368ce88e116afcf43e5ae98 11276 connman_1.21-1.2+deb8u1.debian.tar.xz
16f82dc2a0fd7c40d5cb8ef4523e8046867b8cfa 330872 connman_1.21-1.2+deb8u1_amd64.deb
3ef87bdd38f4dfbc8160c48f8d047a14641b8f05 106328 connman-vpn_1.21-1.2+deb8u1_amd64.deb
826362fd4356cb3ceda1e0b1e07b567d4c5c67ec 23618 connman-dev_1.21-1.2+deb8u1_amd64.deb
b2f3fcdd4b0dad05fda92dca9ef320c52868b2f2 57636 connman-doc_1.21-1.2+deb8u1_all.deb
Checksums-Sha256:
a940bb31a0f60eaef94ca70d70e35fbe7619603e73b879c06a96e18f3accf037 2306 connman_1.21-1.2+deb8u1.dsc
bfb4f2af3c57f5c64a27af2cde5d2a166668149ab139b8ba41cdbeffd7a6a6f4 574726 connman_1.21.orig.tar.gz
ad78607af60ce03a203bbb929e0b671e0ca5eb3332c8639001f78a0ffff3c238 11276 connman_1.21-1.2+deb8u1.debian.tar.xz
83b1f3cea4f95c43be98cae17540bf407cf78e8b0571b657bd04cf6092dc3960 330872 connman_1.21-1.2+deb8u1_amd64.deb
12f4fcf2c44897711ffe52fed74665c968461c27183094b5abe685648c54f0fb 106328 connman-vpn_1.21-1.2+deb8u1_amd64.deb
c033866a9a894373008a3030bda5e0941be78f9de6b1ca4e0c88afa7bac92f77 23618 connman-dev_1.21-1.2+deb8u1_amd64.deb
6e606f269304c5459301964efdeefb0a57023aafad4f4ac7e1621722abdc7ed4 57636 connman-doc_1.21-1.2+deb8u1_all.deb
Files:
8d6af1eef316fd2ef2fa71c7c5ef715a 2306 net optional connman_1.21-1.2+deb8u1.dsc
14cc40636eb24d22c9c78065059ba69e 574726 net optional connman_1.21.orig.tar.gz
7f5dd0e026cd422921a80afca2b21461 11276 net optional connman_1.21-1.2+deb8u1.debian.tar.xz
ab1474f121b70c2637f1b5e3afd4f396 330872 net optional connman_1.21-1.2+deb8u1_amd64.deb
eb32ab75af5b1479826da759febbab03 106328 net optional connman-vpn_1.21-1.2+deb8u1_amd64.deb
7da1851c1e2b4875c82a8277a5192e68 23618 devel optional connman-dev_1.21-1.2+deb8u1_amd64.deb
075654a830232be5d8a2f36b07b2f0d6 57636 doc optional connman-doc_1.21-1.2+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEayzFlnvRveqeWJspbsLe9o/+N3QFAlmjO9cACgkQbsLe9o/+
N3Qdpg//Zn6NDyVZrg03jqgCC3PbAsxWT0Sve2g842/6572NOaM8iCG7g/nWJz4W
bLf8V2NW9qAj4IhJyaw7qVrJwd3Rahq/xw/8uVILf9MtBbTFFxOnXy5VJ57Ooa9m
3usTbO6eDOR9nIynMyCqLEQ5Yj5xSSBKsu3fU1+PlH/icIO55dW5fViop5PvkUtB
tp1+J9Z3l9WljOnZPPNHi6pxDNhUg81wbm2FX4MvbCDZVlnoPFa2VMNEPog81pHQ
9wZyzeDY6jNtd3hxuvUNPFhW2iMvB4Q52pW7Jav5qt8H6vV0c8TTmKscozRvfSK8
wBLwxC5tGFoWghJf0MQxbvOMh7BIIt9VTPVH4bJ7cIg74r2XjEzfxR0sKA60jqcu
aq4bsQo1KmYQ/k+HuySVX5JjDDIP9hHQXSvToX4OokD0OOfUIc6zJB0LKiz58s4g
KwOC+9J5XduTr5AOJsz3zt1A3jnTPS4XHmziUKyX3thPjfB4S7buN3BHyi2wZsLn
TMFIyijahCv9l+5/676BI11pTpn1G9QAGZcC4/Kzb8Jz+THkpVohFaxAx9MFO3nf
T/5kC/UXMuy/7ojuZ1Y0QFdHjBvVJ7g640CGXCKur1AYp7vx3aBe+PxDFLIq17KH
a0/iCoZrpRCUNxKxrgU0VSQdkavZ87tk5muSxBm62JEC7jfHgyc=
=hfj1
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 08 Oct 2017 07:28:36 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:30:55 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon