
Bug#271933: marked as done (CAN-2004-0786: apr_uri_parse() buffer overflow)



Your message dated Thu, 16 Sep 2004 12:02:29 +0100
with message-id <20040916110229.GA18394@fandango.home.clearairturbulence.org>
and subject line Fixed in incoming
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 16 Sep 2004 08:02:59 +0000
>From fw@deneb.enyo.de Thu Sep 16 01:02:59 2004
Return-path: <fw@deneb.enyo.de>
Received: from mail.enyo.de [212.9.189.167] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1C7rEJ-0006ao-00; Thu, 16 Sep 2004 01:02:59 -0700
Received: (debugging) helo=deneb.enyo.de ip=212.9.189.171 name=deneb.enyo.de
Received: from deneb.enyo.de ([212.9.189.171])
	by mail.enyo.de with esmtp id 1C7rEH-0004yt-7O
	for submit@bugs.debian.org; Thu, 16 Sep 2004 10:02:57 +0200
Received: from fw by deneb.enyo.de with local (Exim 4.34)
	id 1C7rEG-0001Ob-Pf; Thu, 16 Sep 2004 10:02:56 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Florian Weimer <fw@deneb.enyo.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2004-0786: apr_uri_parse() buffer overflow
X-Mailer: reportbug 2.64
Date: Thu, 16 Sep 2004 10:02:56 +0200
Message-Id: <E1C7rEG-0001Ob-Pf@deneb.enyo.de>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: libapr0
Version: 2.0.50-12
Severity: grave
Tags: security
Justification: user security hole

Uniras has reported a vulnerability in apr-util:

<http://www.uniras.gov.uk/vuls/2004/403518/index.htm>

"The identified vulnerability is in the apr-util library; the
apr_uri_parse function in the apr-util library lacks input validation on
IPv6 literal addresses, which can result in a negative length parameter
being passed to memcpy."

It's likely that this bug affects Subversion.
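
The class of flaw the quoted advisory describes, as an added example that is not part of the original report and is not apr-util source code: length arithmetic on a bracketed IPv6 literal goes negative when the brackets are not validated, and a hardened extractor rejects the input first. All function names and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical simplified host extractor, NOT the apr-util source.
 * hostinfo points at the authority part of a URI, n is its length. */

/* Length arithmetic with no validation: assumes a '[' always has a
 * matching ']' and strips both. Returned signed so the flaw is visible. */
ptrdiff_t host_len_unchecked(const char *hostinfo, size_t n)
{
    if (n > 0 && hostinfo[0] == '[')
        return (ptrdiff_t)n - 2;      /* n == 1 ("[") gives -1 */
    return (ptrdiff_t)n;
}

/* What memcpy would receive if that value were passed as its size. */
size_t as_memcpy_size(ptrdiff_t len)
{
    return (size_t)len;               /* -1 becomes SIZE_MAX */
}

/* Hardened form: validate the bracket structure before any arithmetic,
 * and bound the copy by the destination size. Returns 0 on success. */
int parse_host_checked(const char *hostinfo, size_t n,
                       char *out, size_t outsz)
{
    const char *start = hostinfo;
    size_t len = n;

    if (n == 0 || outsz == 0)
        return -1;
    if (hostinfo[0] == '[') {
        const char *close = memchr(hostinfo, ']', n);
        if (close == NULL || close == hostinfo + 1)
            return -1;                /* unterminated or empty literal */
        if (close != hostinfo + n - 1 && close[1] != ':')
            return -1;                /* junk after ']' */
        start = hostinfo + 1;
        len = (size_t)(close - start);
    } else {
        const char *colon = memchr(hostinfo, ':', n);
        if (colon != NULL) len = (size_t)(colon - hostinfo);
    }
    if (len == 0 || len >= outsz)
        return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}
```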

---------------------------------------
Received: (at 271933-done) by bugs.debian.org; 16 Sep 2004 11:02:36 +0000
>From thom@debian.org Thu Sep 16 04:02:36 2004
Return-path: <thom@debian.org>
Received: from dev.bitch-whore.com (localhost.localdomain) [213.208.111.147] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1C7u28-000744-00; Thu, 16 Sep 2004 04:02:36 -0700
Received: by localhost.localdomain (Postfix, from userid 1000)
	id AE8D51BAB0; Thu, 16 Sep 2004 12:02:29 +0100 (BST)
Date: Thu, 16 Sep 2004 12:02:29 +0100
From: Thom May <thom@debian.org>
To: 271933-done@bugs.debian.org
Subject: Fixed in incoming
Message-ID: <20040916110229.GA18394@fandango.home.clearairturbulence.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040818i
Delivered-To: 271933-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-2.0 required=4.0 tests=BAYES_01 autolearn=no 
	version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

apache2 2.0.51-1 is in incoming currently which fixes this and the other two
recent CAN announcements.
-Thom

-- 
That sounds like a lot of work... Can we out source?
The Revolution will not be outsourced!
(Slick/Monique - Sinfest)


