
Bug#931086: marked as done (bro/2.5.5-1+deb10u1 buster upload?)



Your message dated Thu, 27 Jun 2019 17:47:48 +0200
with message-id <20190627154746.vcjavvfubub3lraw@debian.org>
and subject line Re: bro/2.5.5-1+deb10u1 buster upload?
has caused the Debian Bug report #931086,
regarding bro/2.5.5-1+deb10u1 buster upload?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
931086: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931086
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal

bro/2.5.5-1 (unstable, testing) is affected by CVE-2018-16807,
CVE-2018-17019 (#908614, #908779) and bro/2.6.1+ds1-1 is still sitting
in NEW.

May I upload bro/2.5.5-1+deb10u1 to buster?

I have attached a debdiff.

Cheers,
-Hilko

diff -Nru bro-2.5.5/debian/changelog bro-2.5.5/debian/changelog
--- bro-2.5.5/debian/changelog	2019-06-25 21:26:53.000000000 +0200
+++ bro-2.5.5/debian/changelog	2018-09-05 16:05:40.000000000 +0200
@@ -1,10 +1,3 @@
-bro (2.5.5-1+deb10u1) buster; urgency=medium
-
-  * Add patches for CVE-2018-16807, CVE-2018-17019 (Closes: #908614,
-    #908779)
-
- -- Hilko Bengen <bengen@debian.org>  Tue, 25 Jun 2019 21:26:53 +0200
-
 bro (2.5.5-1) unstable; urgency=medium
 
   * New upstream version 2.5.5
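Review bot: the debdiff is inverted: the `---` side carries the 2019-06-25 timestamp and the +deb10u1 changelog entry, while the `+++` side is the 2018-09-05 file, so the new stable-update entry shows up as removed lines instead of additions. Regenerate it with the old .dsc first and the new one second (`debdiff bro_2.5.5-1.dsc bro_2.5.5-1+deb10u1.dsc`) so reviewers see the stable changes as `+` lines. The entry itself reads fine: distribution `buster`, urgency medium, and it closes #908614 and #908779 for CVE-2018-16807 and CVE-2018-17019.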
diff -Nru bro-2.5.5/debian/patches/0006-Fix-potential-memory-leak-in-Kerberos-scripts.patch bro-2.5.5/debian/patches/0006-Fix-potential-memory-leak-in-Kerberos-scripts.patch
--- bro-2.5.5/debian/patches/0006-Fix-potential-memory-leak-in-Kerberos-scripts.patch	2019-06-25 21:26:53.000000000 +0200
+++ bro-2.5.5/debian/patches/0006-Fix-potential-memory-leak-in-Kerberos-scripts.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,38 +0,0 @@
-From: Jon Siwek <jsiwek@corelight.com>
-Date: Mon, 10 Sep 2018 18:06:07 -0500
-Subject: Fix potential memory leak in Kerberos scripts
-
-Reported by Maksim Shudrak.
-
----
-
-Stripped files:
- testing/btest/Traces/krb/optional-service-name.pcap
- testing/btest/core/leaks/krb-service-name.test
-
----
-
-diff --git a/scripts/base/protocols/krb/main.bro b/scripts/base/protocols/krb/main.bro
-index 02abced..9621378 100644
---- a/scripts/base/protocols/krb/main.bro
-+++ b/scripts/base/protocols/krb/main.bro
-@@ -140,7 +140,8 @@ event krb_as_request(c: connection, msg: KDC_Request) &priority=5
- 
- 	c$krb$request_type = "AS";
- 	c$krb$client       = fmt("%s/%s", msg?$client_name ? msg$client_name : "", msg$service_realm);
--	c$krb$service      = msg$service_name;
-+	if ( msg?$service_name )
-+		c$krb$service      = msg$service_name;
- 
- 	if ( msg?$from )
- 		c$krb$from = msg$from;
-@@ -183,7 +184,8 @@ event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5
- 		return;
- 
- 	c$krb$request_type = "TGS";
--	c$krb$service = msg$service_name;
-+	if ( msg?$service_name )
-+		c$krb$service = msg$service_name;
- 	if ( msg?$from ) 
- 		c$krb$from = msg$from;
- 	c$krb$till = msg$till;
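Review bot: the guard `if ( msg?$service_name )` in both `krb_as_request` and `krb_tgs_request` leaves `c$krb$service` unset whenever the optional field is absent, so any later reader of that record field must also test it with `?$` before use; the hunk only shows the assignment side, so please confirm the logging path handles the missing field. Two packaging points: the header has From/Date/Subject but no DEP-3 `Origin:` (upstream commit URL) or `Bug-Debian:` line, so add those for traceability to #908614/#908779, and the `Stripped files:` block drops both the pcap trace and the `leaks/krb-service-name.test` btest, which means the fix ships without its regression test; record the reason for stripping them in the patch header.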
diff -Nru bro-2.5.5/debian/patches/0007-Fix-IRC-names-command-parsing.patch bro-2.5.5/debian/patches/0007-Fix-IRC-names-command-parsing.patch
--- bro-2.5.5/debian/patches/0007-Fix-IRC-names-command-parsing.patch	2019-06-25 21:24:57.000000000 +0200
+++ bro-2.5.5/debian/patches/0007-Fix-IRC-names-command-parsing.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,35 +0,0 @@
-From: Jon Siwek <jsiwek@corelight.com>
-Date: Wed, 12 Sep 2018 19:47:57 -0500
-Subject: Fix IRC names command parsing
-
----
-
-Stripped files:
- testing/btest/Traces/irc-353.pcap
- testing/btest/scripts/base/protocols/irc/names-weird.bro
- testing/btest/Baseline/scripts.base.protocols.irc.names-weird/weird.log
-
----
-
-diff --git a/src/analyzer/protocol/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc
-index a26045f..de8846c 100644
---- a/src/analyzer/protocol/irc/IRC.cc
-+++ b/src/analyzer/protocol/irc/IRC.cc
-@@ -252,14 +252,15 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
- 			{
- 			vector<string> parts = SplitWords(params, ' ');
- 
--			// Remove nick name.
--			parts.erase(parts.begin());
--			if ( parts.size() < 2 )
-+			if ( parts.size() < 3 )
- 				{
- 				Weird("irc_invalid_names_line");
- 				return;
- 				}
- 
-+			// Remove nick name.
-+			parts.erase(parts.begin());
-+
- 			string type = parts[0];
- 			string channel = parts[1];
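Review bot: the old order was the defect: `parts.erase(parts.begin())` ran before any size check, so a NAMES line whose `params` split into zero words erased `begin()` of an empty vector (undefined behaviour) before the `< 2` test could reject it. Checking `parts.size() < 3` on the un-erased vector is equivalent to the old `< 2` after the erase and still guarantees that `parts[0]` and `parts[1]` exist once the nick is dropped, so the logic is sound and the moved `// Remove nick name.` comment stays accurate. As with 0006, the header lacks `Origin:`/`Bug-Debian:` fields and the `Stripped files:` block removes the `irc-353.pcap` trace and the `weird.log` baseline, so note why the btest material was dropped.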
diff -Nru bro-2.5.5/debian/patches/series bro-2.5.5/debian/patches/series
--- bro-2.5.5/debian/patches/series	2019-05-11 00:56:50.000000000 +0200
+++ bro-2.5.5/debian/patches/series	2018-06-17 12:44:48.000000000 +0200
@@ -3,5 +3,3 @@
 0003-Fix-btest-paths.patch
 0004-Port-most-of-bro-to-OpenSSL-1.1.patch
 0005-Disable-OCSP-features-that-can-t-yet-be-ported-to-Op.patch
-0006-Fix-potential-memory-leak-in-Kerberos-scripts.patch
-0007-Fix-IRC-names-command-parsing.patch

--- End Message ---
--- Begin Message ---
Hi,

On Tue, Jun 25, 2019 at 09:40:13PM +0200, Hilko Bengen wrote:
> bro/2.5.5-1 (unstable, testing) is affected by CVE-2018-16807,
> CVE-2018-17019 (#908614, #908779) and bro/2.6.1+ds1-1 is still sitting
> in NEW.
> 
> May I upload bro/2.5.5-1+deb10u1 to buster?

It's too late for that.

Even if it wasn't, the way to fix this would have been to just upload to
unstable. I don't think the version in NEW would prevent that, but if it did,
the way forward would be to ask for a reject, and re-upload the new upstream
after the freeze.  The new upstream shouldn't have been uploaded to unstable
in the first place.

Thanks,

Ivo

--- End Message ---
