Your message dated Sat, 07 Sep 2019 14:37:11 +0100 with message-id <17351b82f829eb6917f78885cb849c4060b0a4a6.camel@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 9.10 point release has caused the Debian Bug report #922385, regarding stretch-pu: package gsoap/2.8.35-4+deb9u2 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
922385: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922385
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: <submit@bugs.debian.org>
- Subject: stretch-pu: package gsoap/2.8.35-4+deb9u2
- From: Mattias Ellert <mattias.ellert@physics.uu.se>
- Date: Fri, 15 Feb 2019 11:12:43 +0100
- Message-id: <75ff4e5b2dd759f4d29af515a233d97d48c22776.camel@physics.uu.se>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

This is a proposal to fix CVE-2019-7659 in stretch. The update also addresses one additional advisory published by the upstream developers. debdiff is attached.

gsoap (2.8.35-4+deb9u2) stretch; urgency=medium

  * Fix for CVE-2019-7659
    Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a denial of service (application abort) or possibly have unspecified other impact if a server application is built with the -DWITH_COOKIES flag. This affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ libraries, as these are built with that flag.
  * Fix issue with DIME protocol receiver and malformed DIME headers
    This patch addresses a critical issue with the DIME protocol receiver that may cause the receiver to become unresponsive when a malformed DIME protocol message is received. -- https://www.genivia.com/advisory.html

Mattias Ellert

diff -Nru gsoap-2.8.35/debian/changelog gsoap-2.8.35/debian/changelog --- gsoap-2.8.35/debian/changelog 2017-08-16 11:58:11.000000000 +0200 +++ gsoap-2.8.35/debian/changelog 2019-02-14 17:12:12.000000000 +0100 
@@ -1,3 +1,18 @@ +gsoap (2.8.35-4+deb9u2) stretch; urgency=medium + + * Fix for CVE-2019-7659 + Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a + denial of service (application abort) or possibly have unspecified other + impact if a server application is built with the -DWITH_COOKIES flag. This + affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ + libraries, as these are built with that flag. + * Fix issue with DIME protocol receiver and malformed DIME headers + This patch addresses a critical issue with the DIME protocol receiver that + may cause the receiver to become unresponsive when a malformed DIME + protocol message is received. -- https://www.genivia.com/advisory.html + + -- Mattias Ellert <mattias.ellert@physics.uu.se> Thu, 14 Feb 2019 17:12:12 +0100 + gsoap (2.8.35-4+deb9u1) stretch; urgency=medium * Fix for CVE-2017-9765 diff -Nru gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch --- gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch 1970-01-01 01:00:00.000000000 +0100 +++ gsoap-2.8.35/debian/patches/gsoap-CVE-2019-7659.patch 2019-02-14 17:12:12.000000000 +0100 
@@ -0,0 +1,50 @@ +diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.c gsoap-2.8.35/gsoap/stdsoap2.c +--- gsoap-2.8.35.orig/gsoap/stdsoap2.c 2016-09-18 10:56:10.000000000 +0200 ++++ gsoap-2.8.35/gsoap/stdsoap2.c 2019-02-13 17:21:44.188000000 +0100 +@@ -7037,11 +7037,12 @@ + + #ifndef PALM_1 + SOAP_FMAC1 +-size_t ++int + SOAP_FMAC2 +-soap_encode_url(const char *s, char *t, size_t len) ++soap_encode_url(const char *s, char *t, int len) + { int c; +- size_t n = len; ++ int n = len; ++ if (n <= 0) return 0; + while ((c = *s++) && --n > 0) + { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c)) + *t++ = c; +diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.cpp gsoap-2.8.35/gsoap/stdsoap2.cpp +--- gsoap-2.8.35.orig/gsoap/stdsoap2.cpp 2016-09-18 10:56:10.000000000 +0200 ++++ gsoap-2.8.35/gsoap/stdsoap2.cpp 2019-02-13 17:21:44.188000000 +0100 +@@ -7037,11 +7037,12 @@ + + #ifndef PALM_1 + SOAP_FMAC1 +-size_t ++int + SOAP_FMAC2 +-soap_encode_url(const char *s, char *t, size_t len) ++soap_encode_url(const char *s, char *t, int len) + { int c; +- size_t n = len; ++ int n = len; ++ if (n <= 0) return 0; + while ((c = *s++) && --n > 0) + { if (c > ' ' && c < 128 && !strchr("()<>@,;:\\\"/[]?={}#!$&'*+", c)) + *t++ = c; +diff -ur gsoap-2.8.35.orig/gsoap/stdsoap2.h gsoap-2.8.35/gsoap/stdsoap2.h +--- gsoap-2.8.35.orig/gsoap/stdsoap2.h 2016-09-18 10:56:10.000000000 +0200 ++++ gsoap-2.8.35/gsoap/stdsoap2.h 2019-02-13 17:19:31.088000000 +0100 +@@ -3380,7 +3380,7 @@ + SOAP_FMAC1 const char* SOAP_FMAC2 soap_extend_url(struct soap *soap, const char*, const char*); + SOAP_FMAC1 const char* SOAP_FMAC2 soap_extend_url_query(struct soap *soap, const char*, const char*); + SOAP_FMAC1 void SOAP_FMAC2 soap_url_query(struct soap *soap, const char*, const char*); +-SOAP_FMAC1 size_t SOAP_FMAC2 soap_encode_url(const char*, char*, size_t); ++SOAP_FMAC1 int SOAP_FMAC2 soap_encode_url(const char*, char*, int); + SOAP_FMAC1 const char* SOAP_FMAC2 soap_encode_url_string(struct soap*, const char*); + 
#ifdef WITH_COOKIES + SOAP_FMAC1 void SOAP_FMAC2 soap_getcookies(struct soap *soap, const char *val); diff -Nru gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch --- gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch 1970-01-01 01:00:00.000000000 +0100 +++ gsoap-2.8.35/debian/patches/gsoap-malformed-DIME.patch 2019-02-13 17:12:41.000000000 +0100 @@ -0,0 +1,22 @@ +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.c gsoap-2.8/gsoap/stdsoap2.c +--- gsoap-2.8.orig/gsoap/stdsoap2.c 2017-07-11 03:51:16.000000000 +0200 ++++ gsoap-2.8/gsoap/stdsoap2.c 2018-04-18 16:09:06.340071192 +0200 +@@ -16965,7 +16965,6 @@ + return soap->error = SOAP_CHK_EOF; + soap_unget(soap, soap_getchar(soap)); /* skip padding and get hdr */ + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "... From chunked\n")); +- return SOAP_OK; + } + s = (char*)tmp; + for (i = 12; i > 0; i--) +diff -ur gsoap-2.8.orig/gsoap/stdsoap2.cpp gsoap-2.8/gsoap/stdsoap2.cpp +--- gsoap-2.8.orig/gsoap/stdsoap2.cpp 2017-07-11 03:51:16.000000000 +0200 ++++ gsoap-2.8/gsoap/stdsoap2.cpp 2018-04-18 16:09:06.340071192 +0200 +@@ -16965,7 +16965,6 @@ + return soap->error = SOAP_CHK_EOF; + soap_unget(soap, soap_getchar(soap)); /* skip padding and get hdr */ + DBGLOG(TEST, SOAP_MESSAGE(fdebug, "... From chunked\n")); +- return SOAP_OK; + } + s = (char*)tmp; + for (i = 12; i > 0; i--) diff -Nru gsoap-2.8.35/debian/patches/series gsoap-2.8.35/debian/patches/series --- gsoap-2.8.35/debian/patches/series 2017-08-16 11:57:36.000000000 +0200 +++ gsoap-2.8.35/debian/patches/series 2019-02-14 17:12:12.000000000 +0100 @@ -13,3 +13,9 @@ # CVE-2017-9765 gsoap-CVE-2017-9765.patch + +# Fix issue with DIME protocol receiver and malformed DIME headers +gsoap-malformed-DIME.patch + +# CVE-2019-7659 +gsoap-CVE-2019-7659.patchAttachment: signature.asc
Description: This is a digitally signed message part
--- End Message ---
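Review bot: changing the exported prototype in stdsoap2.h to `int soap_encode_url(const char*, char*, int)` alters a public interface of the shared libraries in a stable update, and the debdiff shows no call sites. Please confirm that nothing outside stdsoap2 calls this function with the old size_t signature, and that every in-tree caller that computes the length by subtraction was checked, since a size_t expression passed there is now implicitly narrowed to int. The `if (n <= 0) return 0;` guard in stdsoap2.c and stdsoap2.cpp is the right shape: with the old `size_t n`, a zero length made `--n > 0` wrap around and stay true, so the loop kept storing through t. The guard returns before anything is stored in t, though, so it is worth confirming that callers do not treat t as a terminated string when 0 comes back. gsoap-CVE-2019-7659.patch also starts directly at `diff -ur` with no description or origin header; a short header naming where the change was taken from would help later audits.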
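Review bot: the hunks in gsoap-malformed-DIME.patch were generated against a different tree than the one being patched: their headers read gsoap-2.8.orig/gsoap/stdsoap2.c with a 2017-07-11 timestamp, while the CVE-2019-7659 patch in the same upload is against gsoap-2.8.35.orig dated 2016-09-18. Please confirm that the hunk at `@@ -16965,7 +16965,6 @@` applies to 2.8.35 without fuzz or offset and that the removed `return SOAP_OK;` sits in the same "From chunked" branch there. With that return gone, control continues into the `for (i = 12; i > 0; i--)` header read after the padding is skipped, so a regression test that feeds the receiver a chunked DIME message, both well formed and truncated, would show the change behaves as the changelog describes. This patch file also has no description or origin header naming the upstream change it corresponds to.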
--- Begin Message ---
- To: 891581-done@bugs.debian.org, 906258-done@bugs.debian.org, 912367-done@bugs.debian.org, 915935-done@bugs.debian.org, 916650-done@bugs.debian.org, 922385-done@bugs.debian.org, 922930-done@bugs.debian.org, 924278-done@bugs.debian.org, 926481-done@bugs.debian.org, 928213-done@bugs.debian.org, 928271-done@bugs.debian.org, 928276-done@bugs.debian.org, 928292-done@bugs.debian.org, 928553-done@bugs.debian.org, 928556-done@bugs.debian.org, 928718-done@bugs.debian.org, 929246-done@bugs.debian.org, 929255-done@bugs.debian.org, 929257-done@bugs.debian.org, 929611-done@bugs.debian.org, 929613-done@bugs.debian.org, 930112-done@bugs.debian.org, 930123-done@bugs.debian.org, 930420-done@bugs.debian.org, 930438-done@bugs.debian.org, 930630-done@bugs.debian.org, 931350-done@bugs.debian.org, 931386-done@bugs.debian.org, 931610-done@bugs.debian.org, 931723-done@bugs.debian.org, 931968-done@bugs.debian.org, 932175-done@bugs.debian.org, 932665-done@bugs.debian.org, 932944-done@bugs.debian.org, 933176-done@bugs.debian.org, 933218-done@bugs.debian.org, 933651-done@bugs.debian.org, 933653-done@bugs.debian.org, 933793-done@bugs.debian.org, 933828-done@bugs.debian.org, 933970-done@bugs.debian.org, 934342-done@bugs.debian.org, 934356-done@bugs.debian.org, 934508-done@bugs.debian.org, 934518-done@bugs.debian.org, 934688-done@bugs.debian.org, 934741-done@bugs.debian.org, 934775-done@bugs.debian.org, 934952-done@bugs.debian.org, 935158-done@bugs.debian.org, 935254-done@bugs.debian.org, 935366-done@bugs.debian.org, 935367-done@bugs.debian.org, 935368-done@bugs.debian.org, 935369-done@bugs.debian.org, 935445-done@bugs.debian.org, 935460-done@bugs.debian.org, 935473-done@bugs.debian.org, 935481-done@bugs.debian.org, 935581-done@bugs.debian.org, 935599-done@bugs.debian.org, 935708-done@bugs.debian.org, 935947-done@bugs.debian.org, 935976-done@bugs.debian.org, 935999-done@bugs.debian.org, 936051-done@bugs.debian.org, 936062-done@bugs.debian.org, 936067-done@bugs.debian.org, 
938926-done@bugs.debian.org, 938997-done@bugs.debian.org, 939063-done@bugs.debian.org
- Subject: Closing bugs for fixes included in 9.10 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 07 Sep 2019 14:37:11 +0100
- Message-id: <17351b82f829eb6917f78885cb849c4060b0a4a6.camel@adam-barratt.org.uk>
Version: 9.10

Hi,

The fixes referenced by each of these bugs were included in today's stretch point release (9.10).

Regards,

Adam
--- End Message ---