• Bug#1064996: azure-uamqp-python: CVE-2024-27099

    From Salvatore Bonaccorso@21:1/5 to All on Wed Feb 28 21:00:01 2024
    Source: azure-uamqp-python
    Version: 1.6.8-1
    Severity: grave
    Tags: security upstream
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for azure-uamqp-python.

    CVE-2024-27099[0]:
    | The uAMQP is a C library for AMQP 1.0 communication to Azure Cloud
    | Services. When processing an incorrect `AMQP_VALUE` failed state,
    | may cause a double free problem. This may cause a RCE. Update
    | submodule with commit 2ca42b6e4e098af2d17e487814a91d05f6ae4987.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2024-27099
    https://www.cve.org/CVERecord?id=CVE-2024-27099
    [1] https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-6rh4-fj44-v4jj

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Michael R. Crusoe@21:1/5 to All on Sun Mar 10 17:20:01 2024
    Control: tag -1 pending

    Hello,

    Bug #1064996 in azure-uamqp-python reported by you has been fixed in the
    Git repository and is awaiting an upload. You can see the commit
    message below and you can check the diff of the fix at:

    https://salsa.debian.org/python-team/packages/azure-uamqp-python/-/commit/8bde200226d14a5f4c36f73a270bd957a31d7f96

    ------------------------------------------------------------------------
    d/patches: cherry-pick two patches from upstream's upstream to fix CVE-2024-25110 and CVE-2024-27099

    Closes: #1064996, #1064996
    ------------------------------------------------------------------------

    (this message was generated automatically)
    --
    Greetings

    https://bugs.debian.org/1064996

  • From Debian Bug Tracking System@21:1/5 to All on Sun Mar 10 17:20:01 2024
    Processing control commands:

    tag -1 pending
    Bug #1064996 [src:azure-uamqp-python] azure-uamqp-python: CVE-2024-27099
    Added tag(s) pending.

    --
    1064996: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064996
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Debian Bug Tracking System@21:1/5 to All on Sun Mar 10 17:30:01 2024
    Processing control commands:

    tag -1 pending
    Bug #1064996 [src:azure-uamqp-python] azure-uamqp-python: CVE-2024-27099
    Ignoring request to alter tags of bug #1064996 to the same tags previously set

    --
    1064996: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064996
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems

  • From Michael R. Crusoe@21:1/5 to All on Sun Mar 10 17:30:02 2024
    Control: tag -1 pending

    Hello,

    Bug #1064996 in azure-uamqp-python reported by you has been fixed in the
    Git repository and is awaiting an upload. You can see the commit
    message below and you can check the diff of the fix at:

    https://salsa.debian.org/python-team/packages/azure-uamqp-python/-/commit/1419d82760712b75b4c32262cda271bf9e2bef5b

    ------------------------------------------------------------------------
    d/patches: cherry-pick two patches from upstream's upstream to fix CVE-2024-25110 and CVE-2024-27099

    Closes: #1064996, #1064996
    ------------------------------------------------------------------------

    (this message was generated automatically)
    --
    Greetings

    https://bugs.debian.org/1064996

  • From Debian Bug Tracking System@21:1/5 to All on Sun Mar 10 17:40:01 2024
    Your message dated Sun, 10 Mar 2024 16:37:49 +0000
    with message-id <E1rjMBJ-00AZAN-83@fasolo.debian.org>
    and subject line Bug#1064996: fixed in azure-uamqp-python 1.6.8-2
    has caused the Debian Bug report #1064996,
    regarding azure-uamqp-python: CVE-2024-27099
    to be marked as done.

    This means that you claim that the problem has been dealt with.
    If this is not the case it is now your responsibility to reopen the
    Bug report if necessary, and/or fix the problem forthwith.

    (NB: If you are a system administrator and have no idea what this
    message is talking about, this may indicate a serious mail system
    misconfiguration somewhere. Please contact owner@bugs.debian.org
    immediately.)


    --
    1064996: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064996
    Debian Bug Tracking System
    Contact owner@bugs.debian.org with problems
