
Bug#587713: marked as done (mumble-server: DoS via malformed client queries)



Your message dated Mon, 12 Jul 2010 22:52:46 +0000
with message-id <E1OYRri-00080F-3T@franck.debian.org>
and subject line Bug#587713: fixed in mumble 1.2.2-4
has caused the Debian Bug report #587713,
regarding mumble-server: DoS via malformed client queries
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
587713: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587713
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: mumble-server
Version: 1.2.2-2
Severity: grave
Tags: security

Hi,

The following vulnerability has been reported in mumble-server.

From [1]:
> Through a malformed type of data it is possible to force the termination
> of the server due to an error in the SQL query (SQLite library).
> The attacker needs to join the server to exploit it.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry, if one is assigned by then.

There's no known patch at the moment and an exploit is linked by the advisory.

[1] http://aluigi.altervista.org/adv/mumbleed-adv.txt

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net



--- End Message ---
--- Begin Message ---
Source: mumble
Source-Version: 1.2.2-4

We believe that the bug you reported is fixed in the latest version of
mumble, which is due to be installed in the Debian FTP archive:

mumble-11x_1.2.2-4_i386.deb
  to main/m/mumble/mumble-11x_1.2.2-4_i386.deb
mumble-dbg_1.2.2-4_i386.deb
  to main/m/mumble/mumble-dbg_1.2.2-4_i386.deb
mumble-server-web_1.2.2-4_all.deb
  to main/m/mumble/mumble-server-web_1.2.2-4_all.deb
mumble-server_1.2.2-4_i386.deb
  to main/m/mumble/mumble-server_1.2.2-4_i386.deb
mumble_1.2.2-4.debian.tar.gz
  to main/m/mumble/mumble_1.2.2-4.debian.tar.gz
mumble_1.2.2-4.dsc
  to main/m/mumble/mumble_1.2.2-4.dsc
mumble_1.2.2-4_i386.deb
  to main/m/mumble/mumble_1.2.2-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 587713@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorvald Natvig <thorvald@debian.org> (supplier of updated mumble package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 12 Jul 2010 15:11:24 +0200
Source: mumble
Binary: mumble mumble-11x mumble-server mumble-dbg mumble-server-web
Architecture: source all i386
Version: 1.2.2-4
Distribution: unstable
Urgency: high
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Thorvald Natvig <thorvald@debian.org>
Description: 
 mumble     - Low latency VoIP client
 mumble-11x - Low latency VoIP client (1.1.x)
 mumble-dbg - Low latency VoIP client (debugging symbols)
 mumble-server - Low latency VoIP server
 mumble-server-web - Web scripts for mumble-server
Closes: 587713
Changes: 
 mumble (1.2.2-4) unstable; urgency=high
 .
   * Fix failure with SQLite with very long 'like' matches.
     Closes: #587713

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkw7HD8ACgkQ8Jse7d66bz7xIwCgqpby14WpMAA/nCHXgLRoB6Fr
83cAoMPfE+lfhGGOn6HzoZbNBSS+xU4Y
=0WXk
-----END PGP SIGNATURE-----



--- End Message ---
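
The changelog above attributes the failure to very long 'like' matches. SQLite rejects a LIKE pattern longer than its compile-time limit (`SQLITE_MAX_LIKE_PATTERN_LENGTH`, 50000 bytes in a default build) with a query error, so a server that treats any query error as fatal can be stopped by one oversized string. The following is an added example, not code from Mumble or from the Debian package: it shows that error and a hardened lookup that bounds the input and fails only the single request. The table, the function names and the 128-character cap are assumptions made for illustration.

```python
import sqlite3

# Assumed application-level bound on a client-supplied search string; far
# below SQLite's own LIKE pattern limit (50000 bytes in a default build).
MAX_PATTERN_CHARS = 128


def make_db():
    """Constructed sample data standing in for a server's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_unchecked(conn, pattern):
    """'Before' form: any client string reaches LIKE and errors propagate."""
    cur = conn.execute("SELECT name FROM users WHERE name LIKE ?", (pattern,))
    return [row[0] for row in cur]


def lookup_checked(conn, pattern):
    """Hardened form: bound the input and fail only the one request."""
    if len(pattern) > MAX_PATTERN_CHARS:
        return None  # reject before the string reaches the database
    try:
        return lookup_unchecked(conn, pattern)
    except sqlite3.Error:
        return None  # a failed query is a failed request, not a fatal condition


def sqlite_error_for(conn, pattern):
    """Return the error text SQLite raises for a pattern, or None if it ran."""
    try:
        lookup_unchecked(conn, pattern)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    oversized = "a" * 60000  # constructed input, longer than the default limit
    print("unchecked:", sqlite_error_for(db, oversized))
    print("checked:  ", lookup_checked(db, oversized))
    print("normal:   ", lookup_checked(db, "ali%"))
```

The connection stays usable after the rejected query, which is the property a long-running server needs: the error is scoped to one request.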
