cflow is vulnerable to CVE-2019-16165 and CVE-2019-16166

  • Done
Details
2 participants
  • Léo Le Bouter
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Léo Le Bouter
Severity
normal
Léo Le Bouter wrote on 31 Mar 2021 03:50
(address . bug-guix@gnu.org)
ac7acbed2ed51a67ee4b791d692d5d0a3a9eb16f.camel@zaclys.net
I asked the maintainer to fix the issues because they had been unfixed
for a while; they have done so recently:

https://git.savannah.gnu.org/cgit/cflow.git/commit/?id=b9a7cd5e9d4efb54141dd0d11c319bb97a4600c6

They have not made a recently, also it seems they fixed other issues
that could be security relevant in their commit log, not sure if we
apply/backport patches or wait for release.


Léo Le Bouter wrote on 31 Mar 2021 03:51
(address . control@debbugs.gnu.org)
fc92ea59a8bcafbb4626ffa8e5d24387323edb99.camel@zaclys.net
tags 47510 + security
quit


Maxim Cournoyer wrote on 18 Mar 2022 03:35
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47510-done@debbugs.gnu.org)
87fsng6l9b.fsf@gmail.com
Hello!

Léo Le Bouter <lle-bout@zaclys.net> writes:

> I asked the maintainer to fix the issues because they had been unfixed
> for a while; they have done so recently:
>
> https://git.savannah.gnu.org/cgit/cflow.git/commit/?id=b9a7cd5e9d4efb54141dd0d11c319bb97a4600c6
>
> They have not made a recently, also it seems they fixed other issues
> that could be security relevant in their commit log, not sure if we
> apply/backport patches or wait for release.

Our cflow package is now at 1.7, which includes the above commit and CVE
fixes.

Thank you,

Maxim
Closed