Your message dated Sat, 12 Oct 2019 13:02:09 +0000
with message-id <e1ijh29-0004vo...@fasolo.debian.org>
and subject line Bug#933002: fixed in docker.io 18.09.1+dfsg1-7.1+deb10u1
has caused the Debian Bug report #933002,
regarding docker.io: CVE-2019-13139
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
933002: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933002
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: docker.io
Version: 18.09.1+dfsg1-7.1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/moby/moby/pull/38944
Control: fixed -1 18.09.5+dfsg1-1
Hi,
The following vulnerability was published for docker.io.
CVE-2019-13139[0]:
command injection due to a missing validation of the git ref command
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-13139
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13139
[1] https://github.com/moby/moby/pull/38944
[2] https://staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-build/
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: docker.io
Source-Version: 18.09.1+dfsg1-7.1+deb10u1
We believe that the bug you reported is fixed in the latest version of
docker.io, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 933...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Felix Geyer <fge...@debian.org> (supplier of updated docker.io package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 03 Sep 2019 19:59:35 +0200
Source: docker.io
Architecture: source
Version: 18.09.1+dfsg1-7.1+deb10u1
Distribution: buster-security
Urgency: medium
Maintainer: Dmitry Smirnov <only...@debian.org>
Changed-By: Felix Geyer <fge...@debian.org>
Closes: 932673 933002
Changes:
 docker.io (18.09.1+dfsg1-7.1+deb10u1) buster-security; urgency=medium
 .
   [ Arnaud Rebillout ]
   * Add upstream patch for CVE-2019-13139 (Closes: #933002).
   * Add upstream patches for CVE-2019-13509 (Closes: #932673).
 .
   [ Felix Geyer ]
   * Add upstream patch for CVE-2019-14271
   * Cherry-pick upstream commits to fix test failures with
     golang >= 1.11.6-1+deb10u1
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---