Your message dated Tue, 07 May 2019 15:48:35 +0000
with message-id <[email protected]>
and subject line Bug#928056: fixed in dhcpcd5 7.1.0-2
has caused the Debian Bug report #928056,
regarding dhcpcd5: CVE-2019-11578: auth: Use consttime_memequal to avoid latency attack
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
928056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928056
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dhcpcd5
Version: any
Severity: serious

Dear Maintainer,

upstream released a new version of dhcpcd5 fixing three security issues.
All versions currently found in Debian (jessie, stretch, buster, sid) are
vulnerable to at least two of these issues, according to the announcement
on upstream's mailing list [1].

The fixed issues are (copied from upstream's announcement):

* auth: Use consttime_memequal to avoid latency attack
  consttime_memequal is supplied if libc does not support it
  dhcpcd >=6.2 <7.2.1 are vulnerable
* DHCP: Fix a potential 1 byte read overflow with DHO_OPTSOVERLOADED
  dhcpcd >=4 <7.2.1 are vulnerable
* DHCPv6: Fix a potential buffer overflow reading NA/TA addresses
  dhcpcd >=7 <7.2.1 are vulnerable

Upstream provides a patch series for version 7 which would be relevant for
buster and sid [2]. In addition, version 6.10.6 was released with backported
fixes for the first two issues [3][4]. These might be useful for backporting
to stretch and wheezy as they ship versions 6.10.1 and 6.0.5.

Please consider applying/backporting those patches to the dhcpcd versions
found in Debian.

I have not checked the exploitability of these issues, so the severity might
not be as serious. But I marked it serious anyway to make sure this issue
doesn't fly under the radar.

Thanks and regards,
Timo

[1] https://roy.marples.name/archives/dhcpcd-discuss/0002415.html
[2] https://roy.marples.name/git/dhcpcd.git/patch/?id=23525884a346ed81c808c1ed90e3c56a8bf0cc68
[3] https://roy.marples.name/git/dhcpcd.git/patch/?id=3ad25d3b306c890df8a15250f5ded70764075aa8
[4] https://roy.marples.name/git/dhcpcd.git/patch/?id=b6605465e1ab8f9cb82bf6707c517505991f18a4
--- End Message ---
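The first item in the report above, the latency (timing) attack on the authentication check, comes down to how two digests are compared. The following C program is an added example, not dhcpcd's source: it places an early-exit comparison beside a consttime_memequal() written to the NetBSD libc semantics (the function dhcpcd bundles when libc lacks it), runs both over constructed 16-byte sample digests, and shows that the early-exit version inspects a number of bytes that depends on how long the matching prefix is, while the constant-time version always reads all of them. The sample digests, the vartime_probe() helper and verify_auth_tag() are this example's own names and are not part of dhcpcd.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed 16-byte sample digests (16 bytes is the size of an HMAC-MD5
 * tag). They are made up for this example; not real keys, not captured
 * traffic.
 */
static const unsigned char kExpected[16] = {
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x23, 0x45, 0x67,
    0x89, 0xab, 0xcd, 0xef, 0x10, 0x32, 0x54, 0x76
};
/* Differs from kExpected only in the first byte. */
static const unsigned char kWrongFirst[16] = {
    0x00, 0xad, 0xbe, 0xef, 0x01, 0x23, 0x45, 0x67,
    0x89, 0xab, 0xcd, 0xef, 0x10, 0x32, 0x54, 0x76
};
/* Differs from kExpected only in the last byte. */
static const unsigned char kWrongLast[16] = {
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x23, 0x45, 0x67,
    0x89, 0xab, 0xcd, 0xef, 0x10, 0x32, 0x54, 0x00
};

/*
 * Early-exit comparison in the style of memcmp(): returns 0 on a match and
 * stops at the first differing byte, so the number of iterations it performs
 * (written to *iterations) grows with the length of the matching prefix.
 * That per-byte timing difference is the signal a latency attack measures,
 * one byte of the tag at a time.
 */
static int vartime_memcmp(const unsigned char *a, const unsigned char *b,
                          size_t len, size_t *iterations)
{
    size_t i;

    for (i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            *iterations = i + 1;
            return a[i] - b[i];
        }
    }
    *iterations = len;
    return 0;
}

/* Number of bytes the early-exit comparison inspects for a given guess. */
static size_t vartime_probe(const unsigned char *guess)
{
    size_t it = 0;

    (void)vartime_memcmp(kExpected, guess, sizeof kExpected, &it);
    return it;
}

/*
 * consttime_memequal(): returns 1 if the two buffers are equal, 0 otherwise,
 * always reading all `len` bytes and branching on none of them. The body
 * follows the NetBSD libc function of the same name; this copy belongs to
 * the example, not to dhcpcd's source tree.
 */
int consttime_memequal(const void *b1, const void *b2, size_t len)
{
    const unsigned char *c1 = b1, *c2 = b2;
    unsigned int res = 0;

    while (len--)
        res |= *c1++ ^ *c2++;
    /*
     * res is in 0..255 and is zero only when every byte matched;
     * (res - 1) >> 8 is then 0x00ffffff (bit 0 set), otherwise 0.
     */
    return 1 & ((res - 1) >> 8);
}

/*
 * The authentication decision as a receiver makes it: accept the message
 * only if the received tag equals the locally recomputed one. Hypothetical
 * wrapper name; the point is that the comparison underneath is constant-time.
 */
static int verify_auth_tag(const unsigned char *computed,
                           const unsigned char *received, size_t len)
{
    return consttime_memequal(computed, received, len);
}

int main(void)
{
    printf("early-exit compare inspected %zu byte(s) for a wrong first byte, "
           "%zu for a wrong last byte\n",
           vartime_probe(kWrongFirst), vartime_probe(kWrongLast));
    printf("consttime_memequal: good=%d wrong-first=%d wrong-last=%d\n",
           verify_auth_tag(kExpected, kExpected, sizeof kExpected),
           verify_auth_tag(kExpected, kWrongFirst, sizeof kExpected),
           verify_auth_tag(kExpected, kWrongLast, sizeof kExpected));
    return 0;
}
```

The early-exit path reports 1 byte inspected for the wrong-first guess and 16 for the wrong-last guess; an attacker who can time the receiver's responses can use exactly that difference to confirm a guessed byte before moving to the next. The constant-time path gives both guesses identical work and a plain 0/1 answer, which is why replacing memcmp() with consttime_memequal() in the auth path closes the latency attack.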
--- Begin Message ---
Source: dhcpcd5
Source-Version: 7.1.0-2

We believe that the bug you reported is fixed in the latest version of
dhcpcd5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Leggett <[email protected]> (supplier of updated dhcpcd5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 05 May 2019 21:55:14 +0800
Source: dhcpcd5
Binary: dhcpcd5 dhcpcd5-dbgsym
Architecture: source amd64
Version: 7.1.0-2
Distribution: unstable
Urgency: high
Maintainer: Scott Leggett <[email protected]>
Changed-By: Scott Leggett <[email protected]>
Description:
 dhcpcd5    - DHCPv4, IPv6RA and DHCPv6 client with IPv4LL support
Closes: 928056 928104 928105 928440
Changes:
 dhcpcd5 (7.1.0-2) unstable; urgency=high
 .
   * Apply upstream patches to fix potential security vulnerabilities:
     CVE-2019-11578, CVE-2019-11579, CVE-2019-11577, and CVE-2019-11766.
     (Closes: #928056, #928104, #928105, #928440)
   * Add lintian override for upstream patch spelling
Checksums-Sha1:
 6d7058d48b9456da69d0fb7370ff27567aa4b83a 1932 dhcpcd5_7.1.0-2.dsc
 3a3fd4013fb0a21097319713b3af168190f26ae4 13524 dhcpcd5_7.1.0-2.debian.tar.xz
 75f83a28ce2e103a274ae7c8157adaaee1bb362a 425436 dhcpcd5-dbgsym_7.1.0-2_amd64.deb
 d64151559e91dc2b36ba530f869d1abbd988b2cf 5500 dhcpcd5_7.1.0-2_amd64.buildinfo
 eaeb6d6ac60b03b5578397bfa9978d5570f88993 163448 dhcpcd5_7.1.0-2_amd64.deb
Checksums-Sha256:
 6defc54426e666561d850792d903ed3136a435021ed35219883823317f91fbfd 1932 dhcpcd5_7.1.0-2.dsc
 5cd77586c7fe16207828ce23df70638f4a0d46040eefe0237299394802d11890 13524 dhcpcd5_7.1.0-2.debian.tar.xz
 1387dd61520f487be36a08b540861d97897739842a24933616d83e69279b3089 425436 dhcpcd5-dbgsym_7.1.0-2_amd64.deb
 5e69c2fcfb29319364654de3dba1e267d43d0e42fffb3aa1d2a2b05adcf23a01 5500 dhcpcd5_7.1.0-2_amd64.buildinfo
 7b7d4dd0416616232df3add2cc4d462adae9206e0e56ac2ee29134fb76d86f24 163448 dhcpcd5_7.1.0-2_amd64.deb
Files:
 8f5f652f1a080f00a97909b30f99614a 1932 net optional dhcpcd5_7.1.0-2.dsc
 9fd8b0b0731d3b6acd9130559673ce50 13524 net optional dhcpcd5_7.1.0-2.debian.tar.xz
 1364ae4b938da32dfbc3aab67eeed050 425436 debug optional dhcpcd5-dbgsym_7.1.0-2_amd64.deb
 8de3c768961cda5d1c2cc1f37f872888 5500 net optional dhcpcd5_7.1.0-2_amd64.buildinfo
 4914574c4a470c0e4823b440a311e6de 163448 net optional dhcpcd5_7.1.0-2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQJDBAEBCgAtFiEEQ0m4g1ajFzrQYHfBYJV0Vg0xPN0FAlzRluwPHHNjb3R0QHNs
LmlkLmF1AAoJEGCVdFYNMTzdb0UP/39O9jCsuCcP/lC9QoKmU57u60SvOkyCW+Nf
q2spmiiXX113r9CaFiTFnFJLfMH1mHNvw11sx6SUJOUIzGShf7+6jap6VU2bMjlb
gmUMAknRctfD6jQ0vvncgUwHuIzmLrXcatz6+M0A/G71bT8Eq3P6HHIxqQOUozRH
nQVE+S7dnew1KTfvWAcX8LXiGS4o/h2ark/Efb1uArT7tXkqcZ/6tyinT573A6Zf
Tr/nnBHmyHpgEoTFoOK0g/YrlWrorhMu3bCYoWCO9Dht22dCOHzBaB2oESNCB5KG
sZNrgslD+NE+5IT61lGi0T8rX1XQe6NwABtBR2FORI+GVpnf8W+F6qypZvn4RJLn
kp0RbUoqEmzWsfEI5UjoJ0tWAnhMoBtscYro9cCRu3+ZWi4ZHiAwVCtyg56105v8
Cbta8Gg+SZPiGK0A+Hg40i4yYqzeOE0glN35PnxxXz3n1Rl/HQzRsyraDWOL1oQp
LvXYc5yR9yZPcxd4qsP0fjyc0bsE/Bl01M3/55TRlN8ysgAx8bAgcDKZX20bjKJJ
5EWyFWwRJLhlFm2NEnDaeuGWCF3pPLr3QtaOq+VRAVRMkQ5CEFp5U1NGeDJMd0M+
AweaJGRoq0TijZGEM247ldUMG0uW7TpexQhjxtGcVtwVtsnjkYpK41I+ABbrUCeM
KPukZKaX
=TF9O
-----END PGP SIGNATURE-----
--- End Message ---

