GNU bug report logs - #47510
cflow is vulnerable to CVE-2019-16165 and CVE-2019-16166

Previous Next

Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Wed, 31 Mar 2021 01:51:01 UTC

Severity: normal

Tags: security

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 47510 in the body.
You can then email your comments to 47510 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#47510; Package guix. (Wed, 31 Mar 2021 01:51:01 GMT) Full text and rfc822 format available.
Acknowledgement sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 31 Mar 2021 01:51:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: cflow is vulnerable to CVE-2019-16165 and CVE-2019-16166
Date: Wed, 31 Mar 2021 03:50:22 +0200

[Message part 1 (text/plain, inline)]
I asked the maintainer to fix the issues because they were unfixed
since a while, they have done so recently:

https://git.savannah.gnu.org/cgit/cflow.git/commit/?id=b9a7cd5e9d4efb54141dd0d11c319bb97a4600c6

They have not made a recently, also it seems they fixed other issues
that could be security relevant in their commit log, not sure if we
apply/backport patches or wait for release.

[signature.asc (application/pgp-signature, inline)]
Added tag(s) security. Request was from Léo Le Bouter <lle-bout <at> zaclys.net> to control <at> debbugs.gnu.org. (Wed, 31 Mar 2021 01:52:01 GMT) Full text and rfc822 format available.
Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility. (Fri, 18 Mar 2022 02:36:02 GMT) Full text and rfc822 format available.
Notification sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
bug acknowledged by developer. (Fri, 18 Mar 2022 02:36:02 GMT) Full text and rfc822 format available.

Message #12 received at 47510-done <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Léo Le Bouter <lle-bout <at> zaclys.net>
Cc: 47510-done <at> debbugs.gnu.org
Subject: Re: bug#47510: cflow is vulnerable to CVE-2019-16165 and
 CVE-2019-16166
Date: Thu, 17 Mar 2022 22:35:12 -0400

Hello!

Léo Le Bouter <lle-bout <at> zaclys.net> writes:

> I asked the maintainer to fix the issues because they were unfixed
> since a while, they have done so recently:
>
> https://git.savannah.gnu.org/cgit/cflow.git/commit/?id=b9a7cd5e9d4efb54141dd0d11c319bb97a4600c6
>
> They have not made a recently, also it seems they fixed other issues
> that could be security relevant in their commit log, not sure if we
> apply/backport patches or wait for release.

Our cflow package is now at 1.7, which includes the above commit and CVE
fixes.

Thank you,

Maxim
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 15 Apr 2022 11:24:04 GMT) Full text and rfc822 format available.
This bug report was last modified 3 years and 80 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.