Debian Bug report logs - #918734
thrift: CVE-2018-11798

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 8 Jan 2019 20:57:01 UTC

Severity: normal

Tags: patch, security, upstream

Found in version thrift/0.11.0-3

Fixed in version thrift/0.11.0-4

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/jira/browse/THRIFT-4647


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#918734; Package src:thrift. (Tue, 08 Jan 2019 20:57:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 08 Jan 2019 20:57:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: thrift: CVE-2018-11798
Date: Tue, 08 Jan 2019 21:53:44 +0100
Source: thrift
Version: 0.11.0-3
Severity: normal
Tags: patch security upstream
Forwarded: https://issues.apache.org/jira/browse/THRIFT-4647

Hi,

The following vulnerability was published for thrift.

Note this is only unimportant, and actually just to track the
source-code fix at some point. The binary packages are not affected in
Debian as we do not build with nodejs support enabled.

CVE-2018-11798[0]:
| The Apache Thrift Node.js static web server in versions 0.9.2 through
| 0.11.0 have been determined to contain a security vulnerability in
| which a remote user has the ability to access files outside the set
| webservers docroot path.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11798
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11798
[1] https://issues.apache.org/jira/browse/THRIFT-4647
[2] https://github.com/apache/thrift/commit/2a2b72f6c8aef200ecee4984f011e06052288ff2

Regards,
Salvatore



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Tue, 08 Jan 2019 23:24:11 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 08 Jan 2019 23:24:11 GMT)


Message #10 received at 918734-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 918734-close@bugs.debian.org
Subject: Bug#918734: fixed in thrift 0.11.0-4
Date: Tue, 08 Jan 2019 23:22:03 +0000
Source: thrift
Source-Version: 0.11.0-4

We believe that the bug you reported is fixed in the latest version of
thrift, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918734@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated thrift package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 08 Jan 2019 21:31:07 +0000
Source: thrift
Binary: libthrift-0.11.0 libthrift-dev libthrift-c-glib0 libthrift-c-glib-dev thrift-compiler python-thrift python-thrift-dbg php-thrift libthrift-perl golang-thrift-dev
Architecture: source amd64 all
Version: 0.11.0-4
Distribution: unstable
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 golang-thrift-dev - Go language support for Thrift
 libthrift-0.11.0 - Thrift C++ library
 libthrift-c-glib-dev - Thrift glib library (development headers)
 libthrift-c-glib0 - Thrift glib library
 libthrift-dev - Thrift C++ library (development headers)
 libthrift-perl - Perl language support for Thrift
 php-thrift - PHP language support for Thrift
 python-thrift - Python library for Thrift
 python-thrift-dbg - Python library for Thrift (debug symbols)
 thrift-compiler - code generator/compiler for Thrift definitions
Closes: 918734
Changes:
 thrift (0.11.0-4) unstable; urgency=medium
 .
   * Backport upstream security fix for CVE-2018-11798: Node.js Fileserver
     webroot fixed path (closes: #918734).
   * Update Standards-Version to 4.3.0.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 06 Feb 2019 07:31:29 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:16:29 2019; Machine Name: buxtehude
