
Bug#939915: marked as done (cflow: CVE-2019-16165)



Your message dated Tue, 28 Dec 2021 20:48:28 +0000
with message-id <E1n2JOW-00061Z-UH@fasolo.debian.org>
and subject line Bug#939915: fixed in cflow 1:1.6-6
has caused the Debian Bug report #939915,
regarding cflow: CVE-2019-16165
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
939915: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939915
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: cflow
Version: 1:1.6-4
Severity: important
Tags: security upstream
Forwarded: https://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00001.html
Control: found -1 1:1.6-1

Hi,

The following vulnerability was published for cflow.

CVE-2019-16165[0]:
| GNU cflow through 1.6 has a use-after-free in the reference function
| in parser.c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16165
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16165
[1] https://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00001.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

--- End Message ---
--- Begin Message ---
Source: cflow
Source-Version: 1:1.6-6
Done: Marcos Talau <marcos@talau.info>

We believe that the bug you reported is fixed in the latest version of
cflow, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 939915@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marcos Talau <marcos@talau.info> (supplier of updated cflow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Dec 2021 16:51:37 -0300
Source: cflow
Architecture: source
Version: 1:1.6-6
Distribution: unstable
Urgency: medium
Maintainer: Marcos Talau <marcos@talau.info>
Changed-By: Marcos Talau <marcos@talau.info>
Closes: 749339 931113 939915 939916 988985
Changes:
 cflow (1:1.6-6) unstable; urgency=medium
 .
   * New maintainer (Closes: #749339).
   * Thanks to Jakub Wilk for cflow Debian manpage. Now use upstream manpage.
     Consequently:
     - debian/control: Remove xsltproc from Build-Depends.
     - debian/manpage.xml: Remove.
     - debian/manpages: Update manpage filename.
     - debian/rules: Remove entries related to build the old manpage.
   * debian/.gitlab-ci.yml: Remove. Replace to salsa-ci.yml
   * debian/cflow.install: Update. Not use installation directory to
     usr/bin/cflow. Remove some slashes.
   * debian/cflow-doc.install: Update. Not use installation directory to
     usr/share/info. Remove some slashes.
   * debian/cflow-l10n.install: Update. Not use installation directory.
     Remove some slash.
   * debian/clean: Remove unnecessary files.
   * debian/control:
     - Add `Multi-Arch: foreign' to the packages cflow-doc and cflow-l10n.
     - Add Rules-Requires-Root field.
     - Bump debhelper version to 13.
     - Bump Standards-Version to 4.6.0.
     - Description completely rewritten.
     - Remove docbook-xml and docbook-xsl from Build-Depends.
     - Remove the use of the X-Short-Desc and X-Long-Desc variables.
   * debian/copyright:
     - Add Jerry St.Clair to copyright of hiding.at and multi.at files.
     - Add Sergey Poznyakoff to copyright of po/* files.
     - Add to debian/*: Jakub Wilk and Serafeim Zanikolas.
     - Change license of gnu/* from GPL-2+ to GPL-3+.
     - Change Upstream-Contact to bug-cflow@gnu.org.
     - Complete the text of GFDL-1.2+ license.
     - Register file doc/gendocs.sh with GPL-3+.
     - Register tests/* with GPL-3+.
     - Update and reformat copyright years.
     - Update packaging copyright information.
     - Update upstream mail.
   * debian/docs: Remove AUTHORS file.
   * debian/install: Remove. No longer need.
   * debian/patches/:
     - 01_fix_CVEs_2019-16165_2019-16166_2020-23856.patch: New. Fix the CVEs:
       CVE-2019-16165, CVE-2019-16166, and CVE-2020-23856
       (Closes: #939915, #939916, #988985).
     - 02_fix_info_direntry_cflow-mode.patch: New. Fix the info direntry
       for cflow mode (Closes: #931113).
   * debian/README.source: Remove. No longer need.
   * debian/rules:
     - Add EMACS variable to avoid compilation failure when emacs is installed.
     - Replace override_dh_auto_build to execute_after_dh_auto_build.
     - Some clean ups.
   * debian/salsa-ci.yml: Add to provide CI tests for Salsa.
   * debian/source/lintian-overrides: New. Lintian override on m4/po.m4.
   * debian/tests/control:
     - Add a superficial test.
     - Add test to compile cflow-mode.el
     - Add validation tests using clitest. Consequently: Create the files
       cflow.clitest and data/program.c
     - Remove the use of upstream tests.
   * debian/upstream/metadata: Add multiple fields.
   * debian/watch: Update the search rule and the version to 4.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
