Your message dated Mon, 21 Oct 2013 19:47:23 +0000
with message-id <[email protected]>
and subject line Bug#720287: fixed in nas 1.9.2-4squeeze1
has caused the Debian Bug report #720287,
regarding nas: CVE-2013-4256 CVE-2013-4257 CVE-2013-4258
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
720287: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=720287
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nas
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerabilities were published for nas (originally
reported by Hamid Zamani):

CVE-2013-4256[0]:
Buffer Overflows

CVE-2013-4257[1]:
Heap Overflow

CVE-2013-4258[2]:
Format string

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

Patches are also available, see [3] and [4].

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4256
    http://security-tracker.debian.org/tracker/CVE-2013-4256
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4257
    http://security-tracker.debian.org/tracker/CVE-2013-4257
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4258
    http://security-tracker.debian.org/tracker/CVE-2013-4258
[3] http://radscan.com/pipermail/nas/2013-August/001270.html
[4] http://marc.info/?l=oss-security&m=137694353908055&w=2

Please adjust the affected versions in the BTS as needed, 1.9.3 was
confirmed by the reporter, but might also be present in 1.9.2.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: nas
Source-Version: 1.9.2-4squeeze1

We believe that the bug you reported is fixed in the latest version of
nas, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <[email protected]> (supplier of updated nas package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 14 Sep 2013 23:45:44 +0100
Source: nas
Binary: libaudio2 nas libaudio-dev nas-bin nas-doc
Architecture: source all amd64
Version: 1.9.2-4squeeze1
Distribution: oldstable-security
Urgency: high
Maintainer: Steve McIntyre <[email protected]>
Changed-By: Steve McIntyre <[email protected]>
Description: 
 libaudio-dev - Network Audio System - development files
 libaudio2  - Network Audio System - shared libraries
 nas        - Network Audio System - local server
 nas-bin    - Network Audio System - client binaries
 nas-doc    - Network Audio System - extra documentation
Closes: 720287
Changes: 
 nas (1.9.2-4squeeze1) oldstable-security; urgency=high
 .
   * Fixes for various long-standing security issues found by Hamid
     Zamani <[email protected]>. Closes: #720287
     + Validate the port offset of nasd to fix a potential buffer overflow
       (CVE-2013-4256)
     + Use better string functions to guard against heap overflows
       (CVE-2013-4257)
     + Sanity-check the TCP_DEVICE environment variable for safety.
   * Fix string handling in aulog.c:osLogMsg() to fix missing format string
     in call to syslog() (CVE-2013-4258).
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---
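
The changelog above attributes CVE-2013-4258 to a missing format string in a call to syslog(). The following is an added illustration, not code from the NAS source or the Debian patch: a hypothetical logger (the names `log_msg`, `count_conversions`, `last_logged` and the 256-byte buffer are assumptions) that expands the message into a bounded buffer and then passes it to syslog() as data rather than as the format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define LOG_BUF 256

/* Copy of the most recent message, kept only so the result can be inspected. */
static char last_msg[LOG_BUF];

/* Count printf-style conversions in s ("%%" is a literal percent sign).
 * Non-zero means s would be unsafe to use as a format string. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* skip the escaped percent */
        else if (s[1] != '\0')
            n++;
    }
    return n;
}

/* Hypothetical logger (not the NAS source): fmt is a trusted literal,
 * the variadic arguments may carry client-controlled text. */
int log_msg(const char *fmt, ...)
{
    char buf[LOG_BUF];
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, sizeof buf, fmt, ap);  /* bounded, NUL-terminated */
    va_end(ap);
    if (n < 0)
        return -1;

    /* Unsafe form: syslog(LOG_INFO, buf);  buf is data, not a format.
     * Fixed form: constant format, message passed as an argument. */
    syslog(LOG_INFO, "%s", buf);

    snprintf(last_msg, sizeof last_msg, "%s", buf);
    return count_conversions(buf);  /* what the unsafe form would have parsed */
}

const char *last_logged(void) { return last_msg; }
```

The return value reports how many conversions the unsafe call would have interpreted from the finished message, which makes the function usable as a check in a test suite.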
