python-pykmip: CVE-2018-1000872

Related Vulnerabilities: CVE-2018-1000872, CVE-2015-5262

Debian Bug report logs - #917030


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 21 Dec 2018 18:15:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version python-pykmip/0.7.0-2

Fixed in versions python-pykmip/0.7.0-3, python-pykmip/0.5.0-4+deb9u1

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/OpenKMIP/PyKMIP/issues/430




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#917030; Package src:python-pykmip. (Fri, 21 Dec 2018 18:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian OpenStack <openstack-devel@lists.alioth.debian.org>. (Fri, 21 Dec 2018 18:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: python-pykmip: CVE-2018-1000872
Date: Fri, 21 Dec 2018 19:13:52 +0100
Source: python-pykmip
Version: 0.7.0-2
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/OpenKMIP/PyKMIP/issues/430

Hi,

The following vulnerability was published for python-pykmip.

CVE-2018-1000872[0]:
| OpenKMIP PyKMIP version All versions before 0.8.0 contains a CWE 399:
| Resource Management Errors (similar issue to CVE-2015-5262)
| vulnerability in PyKMIP server that can result in DOS: the server can
| be made unavailable by one or more clients opening all of the
| available sockets. This attack appears to be exploitable when a client
| or clients open sockets with the server and then never close them.
| This vulnerability appears to have been fixed in 0.8.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000872
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000872
[1] https://github.com/OpenKMIP/PyKMIP/issues/430

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 27 Dec 2018 17:45:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenStack <openstack-devel@lists.alioth.debian.org>:
Bug#917030; Package src:python-pykmip. (Tue, 19 Feb 2019 21:39:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenStack <openstack-devel@lists.alioth.debian.org>. (Tue, 19 Feb 2019 21:39:04 GMT)


Message #12 received at 917030@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: zigo@debian.org
Cc: 917030@bugs.debian.org
Subject: Re: python-pykmip: CVE-2018-1000872
Date: Tue, 19 Feb 2019 22:37:07 +0100
On Fri, Dec 21, 2018 at 07:13:52PM +0100, Salvatore Bonaccorso wrote:
> Source: python-pykmip
> Version: 0.7.0-2
> Severity: important
> Tags: patch security upstream
> Forwarded: https://github.com/OpenKMIP/PyKMIP/issues/430
> 
> Hi,
> 
> The following vulnerability was published for python-pykmip.
> 
> CVE-2018-1000872[0]:
> | OpenKMIP PyKMIP version All versions before 0.8.0 contains a CWE 399:
> | Resource Management Errors (similar issue to CVE-2015-5262)
> | vulnerability in PyKMIP server that can result in DOS: the server can
> | be made unavailable by one or more clients opening all of the
> | available sockets. This attack appears to be exploitable when a client
> | or clients open sockets with the server and then never close them.
> | This vulnerability appears to have been fixed in 0.8.0.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2018-1000872
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000872
> [1] https://github.com/OpenKMIP/PyKMIP/issues/430

This is fixed in https://github.com/OpenKMIP/PyKMIP/commit/3a7b880bdf70d295ed8af3a5880bab65fa6b3932
can we please get the patch in buster?

Cheers,
        Moritz



Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Fri, 22 Feb 2019 22:33:06 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#917030. (Sun, 24 Feb 2019 17:57:03 GMT)


Message #17 received at 917030-submitter@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 917030-submitter@bugs.debian.org
Subject: Bug #917030 in python-pykmip marked as pending
Date: Sun, 24 Feb 2019 17:55:14 +0000
Control: tag -1 pending

Hello,

Bug #917030 in python-pykmip reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/python/python-pykmip/commit/3a64ac798175adfc846a6e4176b1dbac5d4052ea

------------------------------------------------------------------------
* CVE-2018-1000872: Resource Management Errors (similar issue to
    CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the
    server can be made unavailable by one or more clients opening all of the
    available sockets. Applied upstream patch: Fix a denial-of-service bug by
    setting the server socket timeout (Closes: #917030).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/917030
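As an added illustration of the bug class the CVE text describes and of the mitigation the changelog entry names (a socket timeout), the Python sketch below is not PyKMIP's code and not the upstream patch; it is a minimal accept-and-read server written for this page. `IdleAwareServer`, `simulate_idle_clients`, the 8-byte header read and the 0.5 s timeout value are assumptions chosen for the demonstration, not values taken from PyKMIP. With `idle_timeout=None` each client that connects and never sends anything pins a handler thread and a file descriptor for as long as it likes; with a finite timeout the blocked `recv()` raises `socket.timeout` and the handler releases the connection.

```python
import socket
import threading
import time

HOST = "127.0.0.1"   # loopback only; the example never leaves the machine


class IdleAwareServer:
    """Accept-and-read server (illustration only, not PyKMIP's code).

    idle_timeout=None reproduces the bug class: a handler blocks in recv()
    forever for a client that never sends, so every such client pins one
    thread and one file descriptor until the server runs out of them.
    A finite idle_timeout is the mitigation the changelog names: the
    blocked recv() raises socket.timeout and the handler closes the
    connection, returning the slot to the pool.
    """

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind((HOST, 0))          # ephemeral port
        self._listener.listen(16)
        self._listener.settimeout(0.1)          # lets the accept loop notice stop()
        self.port = self._listener.getsockname()[1]
        self._running = True
        self._lock = threading.Lock()
        self._open = 0        # connections currently held by a handler
        self._timed_out = 0   # connections dropped by the idle timeout
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while self._running:
            try:
                conn, _addr = self._listener.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with self._lock:
            self._open += 1
        # The mitigation in one line: bound how long a silent peer may hold
        # this handler. None means "block forever", the vulnerable behaviour.
        conn.settimeout(self.idle_timeout)
        try:
            while True:
                header = conn.recv(8)   # hypothetical fixed-size request header
                if not header:
                    break               # peer closed cleanly
                # a real server would read the body and dispatch the request here
        except socket.timeout:
            with self._lock:
                self._timed_out += 1
        finally:
            conn.close()
            with self._lock:
                self._open -= 1

    def counters(self):
        """(connections still held, connections closed by the timeout)."""
        with self._lock:
            return self._open, self._timed_out

    def stop(self):
        self._running = False
        self._thread.join()
        self._listener.close()


def simulate_idle_clients(idle_timeout, n_clients=5, observe=1.5):
    """Open n_clients connections that never send a byte (the behaviour the
    CVE text describes), wait `observe` seconds, and return the server's
    (held, timed_out) counters."""
    server = IdleAwareServer(idle_timeout)
    clients = [socket.create_connection((HOST, server.port)) for _ in range(n_clients)]
    try:
        time.sleep(observe)
        return server.counters()
    finally:
        for c in clients:
            c.close()
        server.stop()


if __name__ == "__main__":
    print("no timeout  :", simulate_idle_clients(None))   # (5, 0): every slot pinned
    print("0.5s timeout:", simulate_idle_clients(0.5))    # (0, 5): every slot reclaimed
```

A per-connection idle timeout bounds how long a silent client can occupy a handler, which is the specific failure the advisory describes. It does not by itself cap the number of concurrent connections or stop a peer that keeps sending a byte just before each deadline, so in a deployment a limit on simultaneous connections per source and a check that the timeout is actually applied to the accepted socket (not only the listening one) belong alongside it.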



Added tag(s) pending. Request was from Thomas Goirand <zigo@debian.org> to 917030-submitter@bugs.debian.org. (Sun, 24 Feb 2019 17:57:03 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#917030. (Sun, 24 Feb 2019 17:57:06 GMT)


Message #22 received at 917030-submitter@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 917030-submitter@bugs.debian.org
Subject: Bug #917030 in python-pykmip marked as pending
Date: Sun, 24 Feb 2019 17:55:13 +0000
Control: tag -1 pending

Hello,

Bug #917030 in python-pykmip reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/openstack-team/python/python-pykmip/commit/e5f467144e4c9fa115f223c8f569baa84e69cfd4

------------------------------------------------------------------------
* CVE-2018-1000872: Resource Management Errors (similar issue to
    CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the
    server can be made unavailable by one or more clients opening all of the
    available sockets. Applied upstream patch: Fix a denial-of-service bug by
    setting the server socket timeout (Closes: #917030).
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/917030



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Sun, 24 Feb 2019 18:24:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 24 Feb 2019 18:24:07 GMT)


Message #27 received at 917030-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 917030-close@bugs.debian.org
Subject: Bug#917030: fixed in python-pykmip 0.7.0-3
Date: Sun, 24 Feb 2019 18:20:16 +0000
Source: python-pykmip
Source-Version: 0.7.0-3

We believe that the bug you reported is fixed in the latest version of
python-pykmip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 917030@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated python-pykmip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 24 Feb 2019 17:30:07 +0100
Source: python-pykmip
Binary: python-pykmip python3-pykmip
Architecture: source all
Version: 0.7.0-3
Distribution: unstable
Urgency: high
Maintainer: Debian OpenStack <team+openstack@tracker.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 python-pykmip - implementation of the Key Management Interoperability Protocol -
 python3-pykmip - KMIP v1.1 library - Python 3.x
Closes: 917030
Changes:
 python-pykmip (0.7.0-3) unstable; urgency=high
 .
   [ Ondřej Nový ]
   * d/control: Add trailing tilde to min version depend to allow
     backports
   * d/control: Use team+openstack@tracker.debian.org as maintainer
 .
   [ Thomas Goirand ]
   * CVE-2018-1000872: Resource Management Errors (similar issue to
     CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the
     server can be made unavailable by one or more clients opening all of the
     available sockets. Applied upstream patch: Fix a denial-of-service bug by
     setting the server socket timeout (Closes: #917030).
Checksums-Sha1:
 b2588a52063c45accae7c3b2414389a6db3bc9ef 2579 python-pykmip_0.7.0-3.dsc
 1d05b65a003a46a26d4a84dba7b30e57ea0b9b19 5284 python-pykmip_0.7.0-3.debian.tar.xz
 f36446db24f2420c5c553ad1ff0295fef682ff3f 123156 python-pykmip_0.7.0-3_all.deb
 1c4692222c30a3ef3cdd33167e427f48bd122e6f 9395 python-pykmip_0.7.0-3_amd64.buildinfo
 774d34b0d8ecaf4f5b66e96c020ba75c78a37305 118328 python3-pykmip_0.7.0-3_all.deb
Checksums-Sha256:
 83045bb9bb0ff5b50bc70b6550e60117d19bd6e84db781895ce806c261424dd7 2579 python-pykmip_0.7.0-3.dsc
 788e357347de57d6c97c9c2cd28d58092c0f455b0ab3576574731eeb751e134e 5284 python-pykmip_0.7.0-3.debian.tar.xz
 3d64d97c3bb0e12bd8b6a510df6fd1448e97a57d54891fbfb7ebdb6ca4fac934 123156 python-pykmip_0.7.0-3_all.deb
 f10d18f6a9364d92eb5c1a1a5e029673dd1b944ada48bfab428813d818360ec0 9395 python-pykmip_0.7.0-3_amd64.buildinfo
 3c328101d17d7f317cea86f85e30dd7a8d8cf0d5f22b32f9ffab989ccf10d987 118328 python3-pykmip_0.7.0-3_all.deb
Files:
 0abcd1c94ad4fc247d6d079f94ce9ad0 2579 python optional python-pykmip_0.7.0-3.dsc
 87009bc93fb7d27494a46ef45725df76 5284 python optional python-pykmip_0.7.0-3.debian.tar.xz
 6c445e5437f91ffaec59f71c99bc3417 123156 python optional python-pykmip_0.7.0-3_all.deb
 e447749001c8f319797d5cdaee8e2cac 9395 python optional python-pykmip_0.7.0-3_amd64.buildinfo
 51ff4705b496e8546f931353e42c808c 118328 python optional python3-pykmip_0.7.0-3_all.deb





Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Sun, 10 Mar 2019 13:36:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 10 Mar 2019 13:36:05 GMT)


Message #32 received at 917030-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 917030-close@bugs.debian.org
Subject: Bug#917030: fixed in python-pykmip 0.5.0-4+deb9u1
Date: Sun, 10 Mar 2019 13:32:08 +0000
Source: python-pykmip
Source-Version: 0.5.0-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
python-pykmip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 917030@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated python-pykmip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 24 Feb 2019 17:43:42 +0100
Source: python-pykmip
Binary: python-pykmip python3-pykmip
Architecture: source all
Version: 0.5.0-4+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description:
 python-pykmip - implementation of the Key Management Interoperability Protocol -
 python3-pykmip - KMIP v1.1 library - Python 3.x
Closes: 917030
Changes:
 python-pykmip (0.5.0-4+deb9u1) stretch; urgency=medium
 .
   * CVE-2018-1000872: Resource Management Errors (similar issue to
     CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the
     server can be made unavailable by one or more clients opening all of the
     available sockets. Applied upstream patch: Fix a denial-of-service bug by
     setting the server socket timeout (Closes: #917030).
Checksums-Sha1:
 be5b8d09ee14fcfad1082932304b652ac0b7b1d2 2676 python-pykmip_0.5.0-4+deb9u1.dsc
 e41770a74f3285fea56218f241e9c93ba4637981 4704 python-pykmip_0.5.0-4+deb9u1.debian.tar.xz
 78bfc8e3fea691ab0aa89e7642c9c98a7eeb1413 89202 python-pykmip_0.5.0-4+deb9u1_all.deb
 c7c72d714994a45aec972b0cc6e229d3784aae91 9156 python-pykmip_0.5.0-4+deb9u1_amd64.buildinfo
 b1e302ae578b20108ea196e9579b533fd7258211 85054 python3-pykmip_0.5.0-4+deb9u1_all.deb
Checksums-Sha256:
 f33fc40f3df05745f175ce664030abb4ef78c23c365e68a861aab1c58937bb3f 2676 python-pykmip_0.5.0-4+deb9u1.dsc
 9ee426f4f47e529e5265ee1e179b697d93ef0432e3bbcf2a7078ed6c7133818a 4704 python-pykmip_0.5.0-4+deb9u1.debian.tar.xz
 50df9de86e54be7d160ddd4adfc3f1ecb92921507807d6a0c98eeb93d264fbd0 89202 python-pykmip_0.5.0-4+deb9u1_all.deb
 a9f68c3c87f1b8ab20b561b9de9775fefd329edc8f678a5ae2be8058f8ab79ce 9156 python-pykmip_0.5.0-4+deb9u1_amd64.buildinfo
 45131285c6e3b50c4e0f398f7ae4d0121026f39913308fdc0b6e8851e7aaa953 85054 python3-pykmip_0.5.0-4+deb9u1_all.deb
Files:
 adbe8a9c8a73924555c309d3b5c12fe9 2676 python optional python-pykmip_0.5.0-4+deb9u1.dsc
 9ff1ec9813e4918f74a17598723d1a68 4704 python optional python-pykmip_0.5.0-4+deb9u1.debian.tar.xz
 5621187dda6fbc086ca5eb7dffb2d676 89202 python optional python-pykmip_0.5.0-4+deb9u1_all.deb
 74ef4a0a682a2d6c78eaa8364cc1aa8d 9156 python optional python-pykmip_0.5.0-4+deb9u1_amd64.buildinfo
 05881ef0c2e47e2bca5676ea9c4d951d 85054 python optional python3-pykmip_0.5.0-4+deb9u1_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 08 Apr 2019 07:28:10 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:49:38 2019; Machine Name: beach
