Your message dated Fri, 05 Apr 2019 22:18:36 +0000
with message-id <e1hcxas-000dlb...@fasolo.debian.org>
and subject line Bug#925327: fixed in gpsd 3.17-6
has caused the Debian Bug report #925327,
regarding gpsd: CVE-2018-17937
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
925327: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925327
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gpsd
Version: 3.17-5
Severity: grave
Tags: security upstream
Control: found -1 3.16-4
Control: fixed -1 3.18.1-1
Hi,
The following vulnerability was published for gpsd, not completely sure
on severity and on if the referenced upstream commit is enough.
Ideally though the fix seems ideal to go to buster.
CVE-2018-17937[0]:
| gpsd versions 2.90 to 3.17 and microjson versions 1.0 to 1.3, an open
| source project, allow a stack-based buffer overflow, which may allow
| remote attackers to execute arbitrary code on embedded platforms via
| traffic on Port 2947/TCP or crafted JSON inputs.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-17937
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17937
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gpsd
Source-Version: 3.17-6
We believe that the bug you reported is fixed in the latest version of
gpsd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 925...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bernd Zeimetz <b...@debian.org> (supplier of updated gpsd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 05 Apr 2019 23:31:30 +0200
Source: gpsd
Architecture: source
Version: 3.17-6
Distribution: unstable
Urgency: medium
Maintainer: Bernd Zeimetz <b...@debian.org>
Changed-By: Bernd Zeimetz <b...@debian.org>
Closes: 925327
Changes:
gpsd (3.17-6) unstable; urgency=medium
.
* [0a8e4e18] Pull json fixes from upstream to fix a stack-based
buffer overflow, which may allow remote attackers to execute
arbitrary code on embedded platforms via traffic on Port
2947/TCP or crafted JSON inputs.
CVE-2018-17937 / Closes: #925327
The update also fixes several other json parser bugs.
- ECMA-404 says JSON \u must have 4 hex digits
- Allow for \u escapes with fewer than 4 digits.
- Fail on bad escape string.
* [71020f4f] Update git-buildpackage config to build from the
buster branch.
Checksums-Sha1:
466356a004345d6f7c6dfa59c2dd05012c294143 2573 gpsd_3.17-6.dsc
c4979dfe9588b0651396e464e5c3ed90224de188 36996 gpsd_3.17-6.debian.tar.xz
6165a5ab0e41b0f16e087a5fc549300c1bf1acad 13237 gpsd_3.17-6_source.buildinfo
Checksums-Sha256:
393946eefc2ac406d508200ed721a480214db67bdbe09ab47e5edc22e539f7fd 2573 gpsd_3.17-6.dsc
0d852cee49266122d925493c0633b5ed1bf84e1ee8b646d4c0a1c94aed29c141 36996 gpsd_3.17-6.debian.tar.xz
e3327243dba07dfe524bcd800bf06113fec894fe9802d87cd775e3940f7966b4 13237 gpsd_3.17-6_source.buildinfo
Files:
0e3d936a38543f89fe0f5d196db9b221 2573 misc optional gpsd_3.17-6.dsc
4775f36adea7284bd76407c17fed2963 36996 misc optional gpsd_3.17-6.debian.tar.xz
db7a1fd123ac7fb4f2af5fe190fbea1f 13237 misc optional gpsd_3.17-6_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
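The changelog in the upload above lists the parser-side checks the update pulls in: a JSON \u escape must be followed by four hex digits, and a bad escape string must make the parser fail rather than carry on. The following stand-alone C program is an added illustration of that class of check, written for this page; it is not gpsd's or microjson's code, and the names json_unescape, put_utf8 and hexval are invented here. It unescapes a JSON string body into a caller-supplied buffer, rejects malformed or truncated escapes, and checks the remaining output space before every write so a crafted input can only produce an error, never an out-of-bounds write.

```c
/* Added example (not gpsd's or microjson's code): a bounds-checked
 * decoder for JSON string escapes that rejects malformed \u sequences
 * instead of reading or writing past its buffers. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Encode a BMP code point as UTF-8 into out. Returns the number of bytes
 * written, or -1 if `room` bytes are not enough to hold them. */
static int put_utf8(uint32_t cp, char *out, size_t room)
{
    if (cp < 0x80) {
        if (room < 1) return -1;
        out[0] = (char)cp;
        return 1;
    }
    if (cp < 0x800) {
        if (room < 2) return -1;
        out[0] = (char)(0xC0 | (cp >> 6));
        out[1] = (char)(0x80 | (cp & 0x3F));
        return 2;
    }
    if (room < 3) return -1;
    out[0] = (char)(0xE0 | (cp >> 12));
    out[1] = (char)(0x80 | ((cp >> 6) & 0x3F));
    out[2] = (char)(0x80 | (cp & 0x3F));
    return 3;
}

/* Unescape `inlen` bytes of a JSON string body (no surrounding quotes,
 * need not be NUL-terminated) into `out`, which holds `outlen` bytes and
 * is NUL-terminated on success. Returns the number of bytes produced, or
 * -1 on an unknown escape, a dangling backslash, a \u with fewer than
 * four hex digits, a lone surrogate, or insufficient output space. */
int json_unescape(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t i = 0, o = 0;
    if (outlen == 0) return -1;
    while (i < inlen) {
        char c = in[i++];
        char simple;
        if (c != '\\') {
            if (o + 1 >= outlen) return -1;  /* keep room for the NUL */
            out[o++] = c;
            continue;
        }
        if (i >= inlen) return -1;           /* backslash at end of input */
        c = in[i++];
        switch (c) {
        case '"':  simple = '"';  break;
        case '\\': simple = '\\'; break;
        case '/':  simple = '/';  break;
        case 'b':  simple = '\b'; break;
        case 'f':  simple = '\f'; break;
        case 'n':  simple = '\n'; break;
        case 'r':  simple = '\r'; break;
        case 't':  simple = '\t'; break;
        case 'u': {
            uint32_t cp = 0;
            int n, k;
            /* ECMA-404: exactly four hex digits must follow \u. Check the
             * input length first so the digit loop never reads past it. */
            if (inlen - i < 4) return -1;
            for (k = 0; k < 4; k++) {
                int h = hexval((unsigned char)in[i + k]);
                if (h < 0) return -1;
                cp = (cp << 4) | (uint32_t)h;
            }
            i += 4;
            /* Surrogate pairs are out of scope here; reject lone halves
             * rather than emit invalid UTF-8. */
            if (cp >= 0xD800 && cp <= 0xDFFF) return -1;
            n = put_utf8(cp, out + o, outlen - 1 - o);
            if (n < 0) return -1;
            o += (size_t)n;
            continue;
        }
        default:
            return -1;                       /* unknown escape: fail, don't guess */
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = simple;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample inputs: one valid, one with a truncated \u. */
    const char *good = "lat\\u003a\\u00e9";
    const char *bad  = "lat\\u00";
    char buf[32];
    printf("good -> %d bytes: %s\n", json_unescape(good, strlen(good), buf, sizeof buf), buf);
    printf("bad  -> %d\n", json_unescape(bad, strlen(bad), buf, sizeof buf));
    return 0;
}
```

The two properties worth carrying into any such parser are visible in the `u` case: the input length is checked before the digits are read, and the output room is checked before the bytes are written, so neither a short input nor a small buffer can turn into a memory error.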