[Pkg-auth-maintainers] Bug#906128: libykpiv1 impacted by CVE-2018-14779 and CVE-2018-14780

Nicolas Braud-Santoni nicolas at braud-santoni.eu
Tue Aug 14 19:36:10 BST 2018 

Hi,

Gunnar Wolf sponsored the upload to sid (thanks!) and I just prepared an
upload for stretch-security.  It is available in the branch debian/stretch on:

  https://salsa.debian.org/auth-team/yubico-piv-tool.git

If the security team finds it suitable, please upload directly.


Best,

  nicoo

PS: In case I need to be reached swiftly, IRC might be the most effective medium
    (nicoo on irc.oftc.net/#debian-security)

On Tue, Aug 14, 2018 at 06:39:43PM +0200, Nicolas Braud-Santoni wrote:
> Package: libykpiv1
> Severity: serious
> Tags: security pending stretch buster sid
> Justification: security
> 
> libykpiv1 versions below 1.6.0 are affected by a buffer overflow, exploitable by
> malicious USB devices, that can lead to arbitrary code execution.
> 
> I will upload the fixed upstream version later today, and coordinate with
> the security team to get fixed in stretch and jessie-backports
> 
> 
> Best,
> 
>   nicoo
> 
> -- System Information:
> Debian Release: buster/sid
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.17.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages libykpiv1 depends on:
> ii  libc6         2.27-5
> ii  libpcsclite1  1.8.23-3
> ii  libssl1.1     1.1.0h-4
> 
> Versions of packages libykpiv1 recommends:
> ii  pcscd  1.8.23-3
> 
> libykpiv1 suggests no packages.
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-auth-maintainers/attachments/20180814/88858793/attachment.sig>

More information about the Pkg-auth-maintainers mailing list