
Bug#226356: marked as done (Buffer overflow vulnerability (CAN-2003-0850))



Your message dated Wed, 07 Jan 2004 16:39:47 -0500
with message-id <E1AeLP1-0000Qz-00@auric.debian.org>
and subject line Bug#226356: fixed in libnids 1.18-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 6 Jan 2004 07:20:13 +0000
From mdz@alcor.net Tue Jan 06 01:20:12 2004
Return-path: <mdz@alcor.net>
Received: from mta13.mail.adelphia.net (mta13.adelphia.net) [68.168.78.44] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1AdgmK-0005Th-00; Mon, 05 Jan 2004 20:17:08 -0600
Received: from mizar.alcor.net ([68.64.159.24]) by mta13.adelphia.net
          (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP
          id <20040106021708.WWOR18777.mta13.adelphia.net@mizar.alcor.net>
          for <submit@bugs.debian.org>; Mon, 5 Jan 2004 21:17:08 -0500
Received: from mdz by mizar.alcor.net with local (Exim 4.30)
	id 1AdgmJ-00076v-7I
	for submit@bugs.debian.org; Mon, 05 Jan 2004 18:17:07 -0800
Date: Mon, 5 Jan 2004 18:17:07 -0800
From: Matt Zimmerman <mdz@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Buffer overflow vulnerability (CAN-2003-0850)
Message-ID: <20040106021707.GA27296@alcor.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Reportbug-Version: 2.37
X-Debbugs-CC: dsniff@packages.debian.org
User-Agent: Mutt/1.5.4i
Sender: Matt Zimmerman <mdz@alcor.net>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 
	2.60-master.debian.org_2003_11_25-bugs.debian.org_2004_1_5 
	(1.212-2003-09-23-exp) on master.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=HAS_PACKAGE,X_DEBBUGS_CC 
	autolearn=no 
	version=2.60-master.debian.org_2003_11_25-bugs.debian.org_2004_1_5
X-Spam-Level: 

Package: libnids
Severity: grave

"The TCP reassembly functionality in libnids before 1.18 allows remote
attackers to cause 'memory corruption' and possibly execute arbitrary code
via 'overlarge TCP packets.'"

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0850

An update to version 1.18 should be sufficient to correct the problem.

I am copying dsniff@packages.debian.org, since that is the only reverse
dependency.  This package is orphaned and could be removed if this bug is
not fixed.

-- System Information:
Debian Release: unstable
Architecture: i386
Kernel: Linux mizar 2.4.22-deb5-evms2.1.1-skas3-1 #1 Mon Dec 22 14:08:31 PST 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US


-- 
 - mdz

---------------------------------------
Received: (at 226356-close) by bugs.debian.org; 8 Jan 2004 01:53:30 +0000
From katie@auric.debian.org Wed Jan 07 19:53:30 2004
Return-path: <katie@auric.debian.org>
Received: from auric.debian.org [206.246.226.45] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1AeLdZ-0005th-00; Wed, 07 Jan 2004 15:54:49 -0600
Received: from katie by auric.debian.org with local (Exim 3.35 1 (Debian))
	id 1AeLP1-0000Qz-00; Wed, 07 Jan 2004 16:39:47 -0500
From: Steve Kemp <skx@debian.org>
To: 226356-close@bugs.debian.org
X-Katie: $Revision: 1.43 $
Subject: Bug#226356: fixed in libnids 1.18-1
Message-Id: <E1AeLP1-0000Qz-00@auric.debian.org>
Sender: Archive Administrator <katie@auric.debian.org>
Date: Wed, 07 Jan 2004 16:39:47 -0500
Delivered-To: 226356-close@bugs.debian.org

Source: libnids
Source-Version: 1.18-1

We believe that the bug you reported is fixed in the latest version of
libnids, which is due to be installed in the Debian FTP archive:

libnids-dev_1.18-1_i386.deb
  to pool/main/libn/libnids/libnids-dev_1.18-1_i386.deb
libnids1_1.18-1_i386.deb
  to pool/main/libn/libnids/libnids1_1.18-1_i386.deb
libnids_1.18-1.dsc
  to pool/main/libn/libnids/libnids_1.18-1.dsc
libnids_1.18-1.tar.gz
  to pool/main/libn/libnids/libnids_1.18-1.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 226356@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Kemp <skx@debian.org> (supplier of updated libnids package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 8 Jan 2004  19:35:28 +0000
Source: libnids
Binary: libnids-dev libnids1
Architecture: source i386
Version: 1.18-1
Distribution: unstable
Urgency: high
Maintainer: Steve Kemp <skx@debian.org>
Changed-By: Steve Kemp <skx@debian.org>
Description: 
 libnids-dev - IP defragmentation TCP segment reassembly library (development)
 libnids1   - IP defragmentation TCP segment reassembly library
Closes: 188171 192621 226356
Changes: 
 libnids (1.18-1) unstable; urgency=high
 .
   * Fixes security hole allowing arbitrary code (CAN-2003-0850)
     Urgency set to high because of this.
     (Closes: #226356)
   * New upstream release.
     (Closes: #192621)
   * New maintainer.
     (Closes: #188171)
Files: 
 0f7ec492f5163ce58f7bf5f743132394 523 devel optional libnids_1.18-1.dsc
 c326b55d36307fdafcac5bfc05110723 118152 devel optional libnids_1.18-1.tar.gz
 6ad4f33808f0abe8a015b5dfde66b301 50076 devel optional libnids-dev_1.18-1_i386.deb
 e141778addc2f97c5a4155a55e9cd30a 21978 libs optional libnids1_1.18-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQE//GIjwM/Gs81MDZ0RAn50AKDJwVb7uGJjRwNSjAOVXACvEGPkpACfTPlE
7ckqXZyGiTsfQ64PBipSKfs=
=bGCh
-----END PGP SIGNATURE-----


