Your message dated Tue, 28 Feb 2017 17:18:46 +0000 with message-id <[email protected]> and subject line Bug#855588: fixed in atheme-services 7.2.9-1 has caused the Debian Bug report #855588, regarding memory leak could lead to Denial Of Service to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 855588: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855588 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: atheme-services Version: 7.2.7 Severity: grave Tags: security Upstream changelog says: This is a security release closing a memory leak that could be exploited by attackers to potentially cause a denial of service. Release 7.2.7 is affected; older releases are unaffected. See #539 for technical information. The upstream issue is https://github.com/atheme/atheme/pull/539 and doesn't have much more details. The patch is: https://github.com/atheme/atheme/pull/539/commits/a80355d2971f6453ef9c6c9507e8f0d16e55dd0f But then the fun part is that the fix introduced yet another DOS, which led to the release of 7.2.9: This is a security release fixing use after free that could potentially be abused by an attacker already having the privilege to use SASL impersonation to cause a denial of service. Users of 7.2.8 should update to version 7.2.9; older releases are not affected. Not sure if those issues should be treated separately, but since 7.2.8 wasn't packaged yet, maybe it's fine to have a single issue about this. A CVE was requested, but it is unclear where or if there was a response: https://github.com/atheme/atheme/pull/539#issuecomment-278204870 A. -- System Information: Debian Release: 9.0 APT prefers testing APT policy: (500, 'testing'), (1, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: armhf Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---Source: atheme-services Source-Version: 7.2.9-1 We believe that the bug you reported is fixed in the latest version of atheme-services, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Antoine Beaupré <[email protected]> (supplier of updated atheme-services package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Tue, 07 Feb 2017 21:01:27 -0500 Source: atheme-services Binary: atheme-services Architecture: source amd64 Version: 7.2.9-1 Distribution: unstable Urgency: medium Maintainer: Antoine Beaupré <[email protected]> Changed-By: Antoine Beaupré <[email protected]> Description: atheme-services - modular IRC services daemon Closes: 855588 Changes: atheme-services (7.2.9-1) unstable; urgency=medium . * new upstream release (7.2.8) fixing security issue "saslserv/main: free sasl_sourceinfo_t after use" see: https://github.com/atheme/atheme/pull/539 * new upstream release (7.2.9) fixing security issue introduced in 7.2.8: "Fix use after free during impersonation" (Closes: #855588) * remove two OpenSSL 1.1 patches merged upstream . [ Jos Ahrens ] * email templates: Fix leading whitespace . [ Aaron Jones ] * atheme.conf.example: better highlight the pbkdf2v2 crypto module * pbkdf2v2: make digest and rounds configurable at runtime * memoserv: let user know (on identify and /away) when their inbox is full * memoserv: unregister hooks when unloading Checksums-Sha1: 527ad5b523044770a2144e0adabd10ff6d754260 2085 atheme-services_7.2.9-1.dsc 629ee6241324722792124a1abddc2e03f28eee30 1179582 atheme-services_7.2.9.orig.tar.bz2 0e8b6bdbccdcb3228c42ba5884afd8dd43c4494a 10592 atheme-services_7.2.9-1.debian.tar.xz 9d77bfd2b077873ccd37ad7288f6bbd31bfe8c6f 6189692 atheme-services-dbgsym_7.2.9-1_amd64.deb e5efb94e97f2beb85b64ded3fdd1bf6a94df428b 4885 atheme-services_7.2.9-1_amd64.buildinfo a8bfe5d6a1498584fc1cbf4b699d77f3e9a3e70d 984812 atheme-services_7.2.9-1_amd64.deb Checksums-Sha256: 0989bee6f43ee5719e6b99d6b4206a36c240a335c96ce6fc4aa9aebd0b9c7c0c 2085 atheme-services_7.2.9-1.dsc a87a046aa73fc4a97a11d41cc08c60b835135ba20bb173ca888b40e0d6b54b27 1179582 atheme-services_7.2.9.orig.tar.bz2 76a6c51e62997f41ea3898b4ffd422bbbb92d65db178e815643d849efbc276de 10592 atheme-services_7.2.9-1.debian.tar.xz ca5e133fda6b43f75ec541c373a55807fedf112220cc56a369e7ce3cf51b06e3 6189692 atheme-services-dbgsym_7.2.9-1_amd64.deb cc04eb8e37c6c8ead77afccb3d06dbaf0ac80fc7638d311afa7c47b9a4dae393 4885 atheme-services_7.2.9-1_amd64.buildinfo 52112d9b65b11b85208b15786d935535bdc329f470a82aaed1f44ccfc36f8c30 984812 atheme-services_7.2.9-1_amd64.deb Files: 69fa609be5e32c044754aab449272fd0 2085 net optional atheme-services_7.2.9-1.dsc 7fa80e046e90bf9376cfc5c5207f2b27 1179582 net optional atheme-services_7.2.9.orig.tar.bz2 cbf01f2575d09a60f55c7f25260abc21 10592 net optional atheme-services_7.2.9-1.debian.tar.xz e5d7b52d25ad9e12ad99a97bdeb428d6 6189692 debug extra atheme-services-dbgsym_7.2.9-1_amd64.deb eed7b99c62b8ea84ac45a40dc5b513ea 4885 net optional atheme-services_7.2.9-1_amd64.buildinfo 42f6141c48155f8ba2441f3d1a2b80fb 984812 net optional atheme-services_7.2.9-1_amd64.deb -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEjckBzmQUbASK1Q+7eSFSUnt1kh4FAli1q5QACgkQeSFSUnt1 kh720g/+O4MsM51H+BtlghewCJebQ7fxQOiCPjcwQ72jUS7wBry8SSyz3FjMYPnR Yirwzg+wV4Qn9Dk/4bK0RhXDGBZxOi/RDtVrhVGiU4vf82FMHopVyQKN8hlT28rs cOhx+XiWJ/XNhyL6u+uxJiP14mzwH5iusQyzLIJXAwmbwscRqaM3k6jfBmIWST1+ QJ5FOU4XUhsnJjmu4ND4nF8OWAhfvPSBKIFrRiMZwO5JAPbg9ceidwSHaRpMQKPA 0vE8B+GnF6bNI0CZSNhvtIvW4Ouj5eYjb7iTP+sp0DzP9dnTzpiBX2+dkTrGZF+h 447Cw8z09mHldtyHLX5JgxukwmroRKHSz8Ox98ceI++FfkF12YKPw7rVaFARopxL hnWfYknMG8gsof4TBu5sO5ySgxhILHn4TDNwJfUmfW78Q0bRP3CKZRxnY6Vyerln rUxQMVp5UsE//3sLMUE/0XVmdv7to/s/m4ORVGFeVConkDJgJLjLScflGtaFTogb BvhC00oxBGIl2UaIcJfoJvUEyx2nVziTiuX6ippUXYyw+Q0SFgnsK3GJRbfO1peq zT7xZ+GxurIo7hbtRjg9IYEpG5EDoSSyVjf4FK3zVeHk7R80BnG1eeoPL3yMmJTA 4d4u4R3aey0BxM+iShFNnLBaytZhRGqZNlDcnS3vqsi9CxwbwCU= =j8As -----END PGP SIGNATURE-----
--- End Message ---

