Bug#990759: marked as done (FW: [Linuxptp-devel] linuxptp: Fixes published for CVE-2021-3570 and CVE-2021-3571)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Wed, 7 Jul 2021 09:09:20 +0200
with message-id <YOVTIK4Dc2abG+fv@eldamar.lan>
and subject line Re: Bug#990759: FW: [Linuxptp-devel] linuxptp: Fixes published for CVE-2021-3570 and CVE-2021-3571
has caused the Debian Bug report #990759,
regarding FW: [Linuxptp-devel] linuxptp: Fixes published for CVE-2021-3570 and CVE-2021-3571
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
990759: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990759
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: "submit@bugs.debian.org" <submit@bugs.debian.org>
• Subject: FW: [Linuxptp-devel] linuxptp: Fixes published for CVE-2021-3570 and CVE-2021-3571
• From: "Geva, Erez" <erez.geva.ext@siemens.com>
• Date: Tue, 6 Jul 2021 11:40:58 +0000
• Message-id: <[🔎] AM6PR10MB2438B1B1E82E71E0FC699BE9AB1B9@AM6PR10MB2438.EURPRD10.PROD.OUTLOOK.COM>
• In-reply-to: <20210705223014.GA18898@hoboy.vegasvil.org>
• References: <20210705223014.GA18898@hoboy.vegasvil.org>

Package: linuxptp
Version: 3.1-2

CVE-2021-3570
CVE-2021-3571

-----Original Message-----
From: Richard Cochran <richardcochran@gmail.com> 
Sent: Tuesday, 6 July 2021 00:30
To: oss-security@lists.openwall.com
Cc: linuxptp-users@lists.sourceforge.net; linuxptp-devel@lists.sourceforge.net
Subject: [Linuxptp-devel] linuxptp: Fixes published for CVE-2021-3570 and CVE-2021-3571

Dear list,

Now that the embargo period has expired, I published fixes for:

   CVE-2021-3570 linuxptp: missing length check of forwarded messages
   CVE-2021-3571 linuxptp: wrong length of one-step follow-up in transparent clock

The fixes have been published to SourceForge and to GitHub:
https://sourceforge.net/projects/linuxptp/
https://github.com/richardcochran/linuxptp

The tags with the fixes are as follows:

   v1.5.1
   v1.6.1
   v1.7.1
   v1.8.1
   v1.9.3
   v2.0.1
   v3.1.1

In addition, the head of the master branch (soon to be version 3.2) also includes the fixes.

Although it is possible to apply the fix to versions 1.2, 1.3, and 1.4, those versions are obsolete and do not pass our CI tests.  For this reason I decided to withdraw them instead.

Thanks,
Richard


_______________________________________________
Linuxptp-devel mailing list
Linuxptp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linuxptp-devel

--- End Message ---

--- Begin Message ---

• To: "Geva, Erez" <erez.geva.ext@siemens.com>, 990759-done@bugs.debian.org
• Subject: Re: Bug#990759: FW: [Linuxptp-devel] linuxptp: Fixes published for CVE-2021-3570 and CVE-2021-3571
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Wed, 7 Jul 2021 09:09:20 +0200
• Message-id: <YOVTIK4Dc2abG+fv@eldamar.lan>
• In-reply-to: <[🔎] AM6PR10MB2438B1B1E82E71E0FC699BE9AB1B9@AM6PR10MB2438.EURPRD10.PROD.OUTLOOK.COM>
• References: <20210705223014.GA18898@hoboy.vegasvil.org> <[🔎] AM6PR10MB2438B1B1E82E71E0FC699BE9AB1B9@AM6PR10MB2438.EURPRD10.PROD.OUTLOOK.COM>

Hi,

On Tue, Jul 06, 2021 at 11:40:58AM +0000, Geva, Erez wrote:
> Package: linuxptp
> Version: 3.1-2
> 
> CVE-2021-3570
> CVE-2021-3571

This is alrady covered by #990748 and #990759.

Regards,
Salvatore

--- End Message ---