Summary: | <net-libs/libesmtp-1.0.6_p20200824: Buffer overflow in NTLM handling (CVE-2019-19977) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | IN_PROGRESS --- | ||
Severity: | minor | CC: | hydrapolic, maintainer-needed, proxy-maint |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=782643 https://bugs.gentoo.org/show_bug.cgi?id=782709 | ||
Whiteboard: | B3 [glsa?] | ||
Package list: | net-libs/libesmtp-1.1.0-r1 amd64 arm arm64 ppc ppc64 sparc x86; mail-mta/esmtp-1.2-r2 amd64 ppc x86; app-admin/syslog-ng-3.30.1-r2 | Runtime testing required: | --- |
Description
Sam James
2021-04-12 15:09:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43ecb1115b82b9d8c57165843da17e8ba3988fda

commit 43ecb1115b82b9d8c57165843da17e8ba3988fda
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-04-12 15:25:59 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-04-12 15:48:33 +0000

net-libs/libesmtp: add 1.0.6_p20200824

Includes various security fixes from upstream.
Includes Meson port.

A lot changed since the last release, so this is preferred to backporting for now.

Bug: https://bugs.gentoo.org/782532
Signed-off-by: Sam James <sam@gentoo.org>

net-libs/libesmtp/Manifest | 1 +
net-libs/libesmtp/libesmtp-1.0.6_p20200824.ebuild | 37 +++++++++++++++++++++++
net-libs/libesmtp/libesmtp-9999.ebuild | 10 ++----
3 files changed, 41 insertions(+), 7 deletions(-)

We need to let this sit for a little while, at least 2 weeks IMO.

Adding esmtp, syslog-ng for fixes to find the newer libesmtp.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee0daa88902a745674c5e346f75c7d10e52cf292

commit ee0daa88902a745674c5e346f75c7d10e52cf292
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-06-07 07:13:24 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-06-07 07:13:59 +0000

net-libs/libesmtp: drop 1.0.6_p20200824

Bug: https://bugs.gentoo.org/782532
Signed-off-by: Sam James <sam@gentoo.org>

net-libs/libesmtp/Manifest | 1 -
net-libs/libesmtp/libesmtp-1.0.6_p20200824.ebuild | 37 -----------------------
2 files changed, 38 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=090649fefe0e649082041ec7c4a89a040a8fada4

commit 090649fefe0e649082041ec7c4a89a040a8fada4
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-06-07 07:13:19 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-06-07 07:13:57 +0000

net-libs/libesmtp: add 1.1.0

Bug: https://bugs.gentoo.org/782532
Signed-off-by: Sam James <sam@gentoo.org>

net-libs/libesmtp/Manifest | 1 +
net-libs/libesmtp/libesmtp-1.1.0.ebuild | 36 +++++++++++++++++++++++++++++++++
2 files changed, 37 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=54b8aef1fbab2e718fe4a352a9b55e95ed26bf54

commit 54b8aef1fbab2e718fe4a352a9b55e95ed26bf54
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-06-10 19:25:54 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-06-10 19:25:54 +0000

net-libs/libesmtp: increment subslot

(See comment in ebuild.)

Bug: https://bugs.gentoo.org/782532
Signed-off-by: Sam James <sam@gentoo.org>

.../libesmtp/files/libesmtp-1.1.0-fix-soname.patch | 19 +++++++++++++++++++
...libesmtp-1.1.0.ebuild => libesmtp-1.1.0-r1.ebuild} | 11 ++++++++++-
2 files changed, 29 insertions(+), 1 deletion(-)

sparc stable

amd64 done

ppc stable

ppc64 stable

x86 stable

hppa done

Unable to check for sanity:
> no match for package: app-admin/syslog-ng-3.30.1-r1

arm64 done

arm done

all arches done

Please cleanup, thanks!

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=00a184a68ba0372f2257b78735e7ec063cb8ff47

commit 00a184a68ba0372f2257b78735e7ec063cb8ff47
Author: John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-07-25 20:57:34 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2021-07-26 03:12:54 +0000

net-libs/libesmtp: drop 1.0.6-r3

Bug: https://bugs.gentoo.org/782532
Signed-off-by: John Helmert III <ajak@gentoo.org>

net-libs/libesmtp/Manifest | 1 -
...esmtp-1.0.6-openssl-1.1-api-compatibility.patch | 72 ----------------------
net-libs/libesmtp/libesmtp-1.0.6-r3.ebuild | 49 ---------------
net-libs/libesmtp/metadata.xml | 3 -
4 files changed, 125 deletions(-)

Unable to check for sanity:
> no match for package: app-admin/syslog-ng-3.30.1-r2