tcpflow: CVE-2018-18409


Debian Bug report logs - #911263
tcpflow: CVE-2018-18409


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 17 Oct 2018 19:09:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions tcpflow/1.5.0+repack1-1, tcpflow/1.4.5+repack1-3

Fixed in version tcpflow/1.5.2+repack1-1

Done: Dima Kogan <dkogan@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/simsong/tcpflow/issues/195



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Dima Kogan <dkogan@debian.org>:
Bug#911263; Package src:tcpflow. (Wed, 17 Oct 2018 19:09:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Dima Kogan <dkogan@debian.org>. (Wed, 17 Oct 2018 19:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tcpflow: CVE-2018-18409
Date: Wed, 17 Oct 2018 21:05:44 +0200
Source: tcpflow
Version: 1.5.0+repack1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/simsong/tcpflow/issues/195

Hi,

The following vulnerability was published for tcpflow.

CVE-2018-18409[0]:
| A stack-based buffer over-read exists in setbit() at iptree.h of
| TCPFLOW 1.5.0, due to received incorrect values causing incorrect
| computation, leading to denial of service during an address_histogram
| call or a get_histogram call.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-18409
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18409
[1] https://github.com/simsong/tcpflow/issues/195

Regards,
Salvatore



Marked as found in versions tcpflow/1.4.5+repack1-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 17 Oct 2018 19:15:03 GMT)


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 22 Oct 2018 20:03:44 GMT)


Reply sent to Dima Kogan <dkogan@debian.org>:
You have taken responsibility. (Thu, 22 Nov 2018 02:15:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 22 Nov 2018 02:15:10 GMT)


Message #14 received at 911263-close@bugs.debian.org:

From: Dima Kogan <dkogan@debian.org>
To: 911263-close@bugs.debian.org
Subject: Bug#911263: fixed in tcpflow 1.5.2+repack1-1
Date: Thu, 22 Nov 2018 02:12:41 +0000
Source: tcpflow
Source-Version: 1.5.2+repack1-1

We believe that the bug you reported is fixed in the latest version of
tcpflow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 911263@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dima Kogan <dkogan@debian.org> (supplier of updated tcpflow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 21 Nov 2018 10:06:45 -0800
Source: tcpflow
Binary: tcpflow tcpflow-nox
Architecture: source amd64
Version: 1.5.2+repack1-1
Distribution: unstable
Urgency: medium
Maintainer: Dima Kogan <dkogan@debian.org>
Changed-By: Dima Kogan <dkogan@debian.org>
Description:
 tcpflow    - TCP flow recorder
 tcpflow-nox - TCP flow recorder - version without X11 dependencies
Closes: 911263
Changes:
 tcpflow (1.5.2+repack1-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #911263)
Checksums-Sha1:
 e8bac5698fb03bc83546e0b857e74fc4cee158c2 2049 tcpflow_1.5.2+repack1-1.dsc
 549b46cb54d86330cd828f54d510fb37748c699b 1045375 tcpflow_1.5.2+repack1.orig.tar.gz
 a50ed35096888e7c994d9f9e1930eddbe6776983 9308 tcpflow_1.5.2+repack1-1.debian.tar.xz
 107ef8614ae3451de0a602f7a109925213f566f1 4877740 tcpflow-dbgsym_1.5.2+repack1-1_amd64.deb
 7100e12d9ef496331497019d0d2ca373d164ded9 3719432 tcpflow-nox-dbgsym_1.5.2+repack1-1_amd64.deb
 a68cf27ce868dfbaa66895462afdbd997f61d562 223936 tcpflow-nox_1.5.2+repack1-1_amd64.deb
 5ca29fe59458ecd3b4692df5613e45a67425dfa1 8940 tcpflow_1.5.2+repack1-1_amd64.buildinfo
 367ed36c97cb52ac2124d9e405934b7f8e1a4ec4 279208 tcpflow_1.5.2+repack1-1_amd64.deb
Checksums-Sha256:
 2bf6b7cbf9139096f5948038da65b277cd6b3523669e40aae72da564bcea140c 2049 tcpflow_1.5.2+repack1-1.dsc
 d074b6291077e7a6ed2c647580c6f3771ce12a00d873c80ebcb700153bbbf100 1045375 tcpflow_1.5.2+repack1.orig.tar.gz
 ec1b493cdb4486519bb2ab7bae7d42ce4a673a1986531394bf33d49c05e59643 9308 tcpflow_1.5.2+repack1-1.debian.tar.xz
 8c805b926c0ce188127cf82cdef554c9acf497e5cd9f911632e7ba9be23f5e6d 4877740 tcpflow-dbgsym_1.5.2+repack1-1_amd64.deb
 6a867f9b747fc5cadbe4e114ec19317eaf76a779cd500240cae80133becfa5f1 3719432 tcpflow-nox-dbgsym_1.5.2+repack1-1_amd64.deb
 5e1d6f1e6b5a95d196976f7ed06107e96acbc2b695bce61c6872d6ad36c904be 223936 tcpflow-nox_1.5.2+repack1-1_amd64.deb
 4b18abde5b19ff06a12de997cd1502a1262890a2053df68c6c8538da5f8ec50c 8940 tcpflow_1.5.2+repack1-1_amd64.buildinfo
 b39f4fb7c24739d3bd95fd3df233fabf261049a2a887af81347b9bafb91865c5 279208 tcpflow_1.5.2+repack1-1_amd64.deb
Files:
 81984d59f7ae336ca881da81cc53c32b 2049 net optional tcpflow_1.5.2+repack1-1.dsc
 4348cdfa9e1d61a459d1f696204fbeff 1045375 net optional tcpflow_1.5.2+repack1.orig.tar.gz
 a814d82438d5541a03855380f5b92b71 9308 net optional tcpflow_1.5.2+repack1-1.debian.tar.xz
 57c81e9f7d77a47f36ee16b2d533e87a 4877740 debug optional tcpflow-dbgsym_1.5.2+repack1-1_amd64.deb
 11815306757d3527aadab73c4c1553ce 3719432 debug optional tcpflow-nox-dbgsym_1.5.2+repack1-1_amd64.deb
 22e51129256df4cde44f7bb3e26ed640 223936 net optional tcpflow-nox_1.5.2+repack1-1_amd64.deb
 944a9e74bb9d0c34bdd3d61f25a2f4f8 8940 net optional tcpflow_1.5.2+repack1-1_amd64.buildinfo
 40611f5c791f68b0e0e3723de5046c3c 279208 net optional tcpflow_1.5.2+repack1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 25 Dec 2018 07:30:52 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:16:27 2019; Machine Name: beach
