cflow is vulnerable to CVE-2019-16165 and CVE-2019-16166

  • Done
Details
2 participants
  • Léo Le Bouter
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Léo Le Bouter
Severity
normal
Léo Le Bouter wrote on 31 Mar 2021 03:50
(address . bug-guix@gnu.org)
ac7acbed2ed51a67ee4b791d692d5d0a3a9eb16f.camel@zaclys.net
I asked the maintainer to fix the issues because they had been unfixed
for a while; they have done so recently:

https://git.savannah.gnu.org/cgit/cflow.git/commit/?id=b9a7cd5e9d4efb54141dd0d11c319bb97a4600c6

They have not made a recently, also it seems they fixed other issues
that could be security relevant in their commit log, not sure if we
apply/backport patches or wait for release.


Léo Le Bouter wrote on 31 Mar 2021 03:51
(address . control@debbugs.gnu.org)
fc92ea59a8bcafbb4626ffa8e5d24387323edb99.camel@zaclys.net
tags 47510 + security
quit


Maxim Cournoyer wrote on 18 Mar 2022 03:35
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47510-done@debbugs.gnu.org)
87fsng6l9b.fsf@gmail.com
Hello!

Léo Le Bouter <lle-bout@zaclys.net> writes:

> I asked the maintainer to fix the issues because they had been unfixed
> for a while; they have done so recently:
>
> https://git.savannah.gnu.org/cgit/cflow.git/commit/?id=b9a7cd5e9d4efb54141dd0d11c319bb97a4600c6
>
> They have not made a recently, also it seems they fixed other issues
> that could be security relevant in their commit log, not sure if we
> apply/backport patches or wait for release.

Our cflow package is now at 1.7, which includes the above commit and CVE
fixes.

Thank you,

Maxim
Closed
This issue is archived.
