
Bug#935719: marked as done (buster-pu: package slirp4netns/0.2.3-1)



Your message dated Sat, 07 Sep 2019 14:34:49 +0100
with message-id <f49e2985d8466065c49c03185c24465a32228fb5.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes including in 10.1 point release
has caused the Debian Bug report #935719,
regarding buster-pu: package slirp4netns/0.2.3-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
935719: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=935719
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Reinhard,

On Sun, Aug 25, 2019 at 09:33:58AM -0400, Reinhard Tartler wrote:
> Copying the debian-release mailing list, hope that's OK with everyone.

Ack, no issue with quoting the below to the release mailing list. The
SRM though prefer for actual proposed updates to have a
corresponding bug filed. Doing so now and fully quoting below the rationale
for the no-dsa:

> On 8/24/19 6:05 AM, Moritz Mühlenhoff wrote:
> > On Sun, Aug 11, 2019 at 09:10:52PM +0200, Salvatore Bonaccorso wrote:
> >> Hi Reinhard,
> >>
> >> Apologies it took that long to come back to you in the first place.
> >>
> >> On Wed, Aug 07, 2019 at 06:13:08PM -0400, Reinhard Tartler wrote:
> >>> Hi Security Team,
> >>>
> >>> I have not received an answer to my question below. Any chance you
> >>> could get back to me on that?
> >>
> >> Unless I severely misunderstand something, slirp4netns is useful for
> >> instance for networking with unprivileged containers and it needs user
> >> namespaces to be enabled.
> >>
> >> By default those are for good reasons disabled in Debian, as well in
> >> buster.
> >>
> >> As such I would have said it would be enough to fix this issue for the
> >> upcoming point release on 7th September (so there is still enough time
> >> to prepare updates).
> >>
> >> Can we route you towards the point release for it? It would though be
> >> good to include as well the fix for the new CVE-2019-14378
> >> (#933742). A prerequisite though for it getting accepted for
> >> stable is that the fix is first in unstable as well.
> > 
> > Agreed, enabling unprivileged user namespaces is not fully supported
> > by security support and Debian explicitly disables them by default
> > as it causes a ton of security issues in the Linux kernel (which
> > are often still fixed, but e.g. no DSAs are being released for such
> > issues).
> > 
> > As such, can you fix slirp4netns by the 10.1 buster point release?
> > 
> 
> Done, I've just uploaded 0.2.3 to buster, fixing two CVEs:
> 
> Changes:
>  slirp4netns (0.2.3-1) buster; urgency=medium
>  .
>    * New upstream releases:
>      - 0.2.2: check sscanf result when emulating ident, CVE-2019-9824
>      - 0.2.3: Fixes heap overflow in included libslirp, Closes: #933742,
>        CVE-2019-14378
> Checksums-Sha1:
>  459c12f439d0f2ba629d1ad5791ca49041931709 2087 slirp4netns_0.2.3-1.dsc
>  befcd9e2f1b1fbf8b51ccac4b83536e22af12003 136459 slirp4netns_0.2.3.orig.tar.gz
>  370b1cf92bf21491038fc08f9d4fa3fcba432878 3968 slirp4netns_0.2.3-1.debian.tar.xz

Regards,
Salvatore

--- End Message ---
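The first changelog entry above describes the 0.2.2 fix as "check sscanf result when emulating ident" (CVE-2019-9824). The following is an added illustration of that defect class and its remedy, not libslirp's or the package's own code: a hypothetical parser for the two port numbers of an ident-style line, first with the sscanf return value ignored and then with it checked.

```c
#include <stdio.h>

/* Hypothetical ident-line parser ("<port>, <port>"), constructed for this
 * example.  It is not libslirp's code; it only shows the defect class named
 * in the changelog entry and the checked form. */

/* Unchecked variant: on a malformed line sscanf may assign neither field,
 * so the caller goes on to use whatever n1/n2 held before the call, and
 * the fixed return value gives it no way to notice. */
int parse_ident_unchecked(const char *line, int *n1, int *n2)
{
    sscanf(line, "%d%*[ ,]%d", n1, n2);   /* return value ignored */
    return 0;
}

/* Checked variant: succeed only when both numbers were converted and both
 * fall in the valid TCP port range; outputs are written only on success. */
int parse_ident_checked(const char *line, int *n1, int *n2)
{
    int a = 0, b = 0;
    if (sscanf(line, "%d%*[ ,]%d", &a, &b) != 2)
        return -1;                          /* fewer than two fields parsed */
    if (a < 1 || a > 65535 || b < 1 || b > 65535)
        return -1;                          /* outside port range: reject */
    *n1 = a;
    *n2 = b;
    return 0;
}

/* Helper: first port from the checked parser, or -1 if the line is rejected. */
int checked_first_port(const char *line)
{
    int n1, n2;
    return parse_ident_checked(line, &n1, &n2) == 0 ? n1 : -1;
}

/* Helper: start n1 at a sentinel (standing in for stale memory), run the
 * unchecked parser, and report what a caller would then see in n1. */
int unchecked_leftover(const char *line)
{
    int n1 = 4242, n2 = 4242;
    parse_ident_unchecked(line, &n1, &n2);
    return n1;
}

int main(void)
{
    printf("checked   'garbage' -> %d\n", checked_first_port("garbage"));
    printf("unchecked 'garbage' -> %d (stale sentinel)\n", unchecked_leftover("garbage"));
    return 0;
}
```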
--- Begin Message ---
Version: 10.1

Hi,

The fixes referenced by each of these bugs were included in today's
buster point release.

Regards,

Adam

--- End Message ---