GNU bug report logs - #47510
cflow is vulnerable to CVE-2019-16165 and CVE-2019-16166

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Package: guix; Reported by: Léo Le Bouter <lle-bout@HIDDEN>; Keywords: security; dated Wed, 31 Mar 2021 01:51:01 UTC; Maintainer for guix is bug-guix@HIDDEN.
Added tag(s) security. Request was from Léo Le Bouter <lle-bout@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 31 Mar 2021 01:50:30 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Mar 30 21:50:30 2021
Received: from localhost ([127.0.0.1]:53121 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lRQ06-0003zW-3f
	for submit <at> debbugs.gnu.org; Tue, 30 Mar 2021 21:50:30 -0400
Received: from lists.gnu.org ([209.51.188.17]:41018)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@HIDDEN>) id 1lRQ04-0003zL-8N
 for submit <at> debbugs.gnu.org; Tue, 30 Mar 2021 21:50:29 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:49246)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@HIDDEN>)
 id 1lRQ04-0003r7-0K
 for bug-guix@HIDDEN; Tue, 30 Mar 2021 21:50:28 -0400
Received: from mail.zaclys.net ([178.33.93.72]:58587)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@HIDDEN>)
 id 1lRQ00-0000Ib-2Q
 for bug-guix@HIDDEN; Tue, 30 Mar 2021 21:50:27 -0400
Received: from guix-xps.local (lsl43-1_migr-78-195-19-20.fbx.proxad.net
 [78.195.19.20] (may be forged)) (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 12V1oMuY010881
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <bug-guix@HIDDEN>; Wed, 31 Mar 2021 03:50:22 +0200
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 12V1oMuY010881
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@HIDDEN
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1617155422;
 bh=wqPLddwghBoYI5T1uVLK5NWj0jvmdMQVBpPhBSxJNIE=;
 h=Subject:From:To:Date:From;
 b=b6HKm4Qu+Di73GYmOO4V6qEmQwXMQL0ShSKG6xZClOeAts3AH4cCdmLUFfhrmC5nY
 bHxo6/0gp+ACyVL/m0nIb9gqLn8WqLnFALZlnlKNiGxadzujSKeHOg0Cl2YVl5bKUm
 LqM9ZEg7zaBE6f9eNZWSwUN1nn1keOx+ZZ6iPAyA=
Message-ID: <ac7acbed2ed51a67ee4b791d692d5d0a3a9eb16f.camel@HIDDEN>
Subject: cflow is vulnerable to CVE-2019-16165 and CVE-2019-16166
From: =?ISO-8859-1?Q?L=E9o?= Le Bouter <lle-bout@HIDDEN>
To: bug-guix@HIDDEN
Date: Wed, 31 Mar 2021 03:50:22 +0200
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-ci6asSPGS6DHUlecUrwk"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@HIDDEN;
 helo=mail.zaclys.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 1.4 (+)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  I asked the maintainer to fix the issues because they were
 unfixed since a while, they have done so recently:
 https://git.savannah.gnu.org/cgit/cflow.git/commit/?id=b9a7cd5e9d4efb54141dd0d11c319bb97a4600c6
 Content analysis details:   (1.4 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
 medium trust [209.51.188.17 listed in list.dnswl.org]
 1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
 [209.51.188.17 listed in wl.mailspike.net]
 0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 2.7 MAY_BE_FORGED          Relay IP's reverse DNS does not resolve to IP
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)


--=-ci6asSPGS6DHUlecUrwk
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I asked the maintainer to fix the issues because they were unfixed
since a while, they have done so recently:

https://git.savannah.gnu.org/cgit/cflow.git/commit/?id=3Db9a7cd5e9d4efb5414=
1dd0d11c319bb97a4600c6

They have not made a recently, also it seems they fixed other issues
that could be security relevant in their commit log, not sure if we
apply/backport patches or wait for release.

--=-ci6asSPGS6DHUlecUrwk
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBj1V4ACgkQRaix6GvN
EKbUuQ//ZZtNZoVA0wuXSUiQ3ubWdygOsW3dc/q989pMMer+4y4/G0++ZdLCwpCk
fh0LAL78XAm1uzMQCCk1RRf1Tf0MpDpBCnEgh3AzSmL26tmmgpDAAfn68WAZ74dW
dT4SD9Q9Vvsjm6s2eozU86v+iyEpwA/dDbcKvWkk01krGiSIrRJGCCMdpmLRmUXo
0O2DJ+D/yuON84XitqNhbaTKZc6/zK5humPgJ/WqWRUNzVUXzd4EXzVVqMbHFOq7
L1FGwkpRCXqROhi6Rwtc8WFu0pJhvaQ0yW/XZWkiOwlCwj0PBP3sF3L6AQ/k+P/O
noA1yLDjT/kDOROLea63LGsZAQ23KRO4l6f2I25KVL+k0Pt8uVBQtrcMBJcVjohO
w+CqYiIPP+8AdM97Og73furrlsQiGHIv68S6lzJeEdGej8PU7lJq4EpilZuRQ5An
Gfcu+g8iA/1LKtQ9biRuqcC7gOos3mJAjojYUrfywWgtXAFJQTpSC/sXB/NVsw2C
+Phxi9bbxsmtngHpvfaXyX2xaK9oWOZEfobqWEJzfUDZQZGITdNLnyWVxkh2DlDV
kJ6PvnL+C/EWJ8uOa7QUTFEPaLHbJo9sYjlHmi8TWds1x/jywxaEVypTkUW0zuJ2
0/8nHaJS1l2Ogr74zumP8wrZvly0Eqx5Qy/0xZUnXL4gWtK+YeA=
=tZW1
-----END PGP SIGNATURE-----

--=-ci6asSPGS6DHUlecUrwk--
Acknowledgement sent to Léo Le Bouter <lle-bout@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#47510; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Wed, 31 Mar 2021 02:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.