Acknowledgement sent
to Jeremy Galindo <jgalindo@datto.com>:
New Bug report received and forwarded. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Tue, 11 May 2021 16:03:04 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>: Bug#988386; Package ntfs-3g.
(Tue, 11 May 2021 19:51:03 GMT).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Tue, 11 May 2021 19:51:03 GMT).
To: Jeremy Galindo <jgalindo@datto.com>, 988386@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#988386: Reporting CVE's from upstream
Date: Tue, 11 May 2021 21:47:36 +0200
Control: tags -1 + moreinfo
Hi
[disclaimer, not the maintainer here]
On Tue, May 11, 2021 at 12:00:40PM -0400, Jeremy Galindo wrote:
> Package: ntfs-3g
> Version: 2017.3.23AR.3
>
> For CVE's pending from upstream, is everything already mirrored so upstream
> fixes are applied in the next release? I'm asking because the upstream
> maintainers are trying to identify how soon their fixes will be applied to
> your packages.
Can you be more specific, which CVEs are you referring to?
Regards,
Salvatore
Added tag(s) moreinfo.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 988386-submit@bugs.debian.org.
(Tue, 11 May 2021 19:51:03 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>: Bug#988386; Package ntfs-3g.
(Tue, 11 May 2021 21:09:02 GMT).
Acknowledgement sent
to Jeremy Galindo <jgalindo@datto.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Tue, 11 May 2021 21:09:02 GMT).
They're awaiting confirmation from MITRE, but the upstream maintainers
wanted to be able to answer the question:
> And what, in your opinion, will be the distributions wanting to do ?
> Either fix their current release version or upgrade to the latest one ?
> Will they want the individual patches or switch to the new tarball ?
> Rebasing the patches to an old version should be easy enough, but this
> could lead to some complexity in managing the update reports (Fedora
> and Ubuntu are not currently releasing the same version).
>
On Tue, May 11, 2021 at 3:47 PM Salvatore Bonaccorso <carnil@debian.org>
wrote:
> Control: tags -1 + moreinfo
>
> Hi
>
> [disclaimer, not the maintainer here]
>
> On Tue, May 11, 2021 at 12:00:40PM -0400, Jeremy Galindo wrote:
> > Package: ntfs-3g
> > Version: 2017.3.23AR.3
> >
> > For CVE's pending from upstream, is everything already mirrored so upstream
> > fixes are applied in the next release? I'm asking because the upstream
> > maintainers are trying to identify how soon their fixes will be applied to
> > your packages.
>
> Can you be more specific, which CVEs are you referring to?
>
> Regards,
> Salvatore
>
>
--
*Jeremy Galindo* Associate Mgr., Offensive Security
Datto, Inc. Direct Line www.datto.com
Information forwarded
to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>: Bug#988386; Package ntfs-3g.
(Wed, 12 May 2021 06:15:03 GMT).
Acknowledgement sent
to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Wed, 12 May 2021 06:15:03 GMT).
To: Jeremy Galindo <jgalindo@datto.com>, 988386@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#988386: Reporting CVE's from upstream
Date: Wed, 12 May 2021 08:13:42 +0200
Control: tags -1 -moreinfo
Hi Jeremy,
On Tue, May 11, 2021 at 11:09 PM Jeremy Galindo <jgalindo@datto.com> wrote:
> They're awaiting confirmation from MITRE, but the upstream maintainers wanted to be able to answer the question:
>
>> And what, in your opinion, will be the distributions wanting to do ?
>> Either fix their current release version or upgrade to the latest one ?
>> Will they want the individual patches or switch to the new tarball ?
>> Rebasing the patches to an old version should be easy enough, but this
>> could lead to some complexity in managing the update reports (Fedora
>> and Ubuntu are not currently releasing the same version).
Current Debian release is in a deep freeze state. Important and
serious bug fixes are still accepted, but not other changes and
especially not new upstream releases.
Next stable Debian will be released with the ntfs-3g 2017.3.23AR.3
version. Can you provide patch(es) for this or should I do those? If
there's sensitive information, we can continue in private until a
coordinated security update. Please include the Security Team in the
communication then.
> On Tue, May 11, 2021 at 3:47 PM Salvatore Bonaccorso <carnil@debian.org> wrote:
>> On Tue, May 11, 2021 at 12:00:40PM -0400, Jeremy Galindo wrote:
>> > For CVE's pending from upstream, is everything already mirrored so upstream
>> > fixes are applied in the next release? I'm asking because the upstream
>> > maintainers are trying to identify how soon their fixes will be applied to
>> > your packages.
>>
>> Can you be more specific, which CVEs are you referring to?
Thanks Salvatore for the followup, the original mail landed in my
spam folder and I wouldn't have seen it for a day or two otherwise.
Regards,
Laszlo/GCS
Removed tag(s) moreinfo.
Request was from László Böszörményi (GCS) <gcs@debian.org>
to 988386-submit@bugs.debian.org.
(Wed, 12 May 2021 06:15:03 GMT).
Acknowledgement sent
to Amr Ibrahim <amribrahim1987@hotmail.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Thu, 02 Sep 2021 07:15:02 GMT).
Changed Bug title to 'ntfs-3g: CVE-2021-33285 CVE-2021-35269 CVE-2021-35268 CVE-2021-33289 CVE-2021-33286 CVE-2021-35266 CVE-2021-33287 CVE-2021-35267 CVE-2021-39251 CVE-2021-39252 CVE-2021-39253 CVE-2021-39254 CVE-2021-39255 CVE-2021-39256 CVE-2021-39257 CVE-2021-39258 CVE-2021-39259 CVE-2021-39260 CVE-2021-39261 CVE-2021-39262 CVE-2021-39263' from 'Reporting CVE's from upstream'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 02 Sep 2021 20:48:02 GMT).
Severity set to 'grave' from 'normal'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 02 Sep 2021 20:48:02 GMT).
Marked as found in versions ntfs-3g/1:2017.3.23AR.3-4.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 02 Sep 2021 20:48:03 GMT).
Added tag(s) upstream and fixed-upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 02 Sep 2021 20:48:03 GMT).
Reply sent
to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility.
(Fri, 03 Sep 2021 23:03:08 GMT).
Notification sent
to Jeremy Galindo <jgalindo@datto.com>:
Bug acknowledged by developer.
(Fri, 03 Sep 2021 23:03:09 GMT).
Subject: Bug#988386: fixed in ntfs-3g 1:2017.3.23AR.3-4+deb11u1
Date: Fri, 10 Sep 2021 10:47:45 +0000
Source: ntfs-3g
Source-Version: 1:2017.3.23AR.3-4+deb11u1
Done: Salvatore Bonaccorso <carnil@debian.org>
We believe that the bug you reported is fixed in the latest version of
ntfs-3g, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 988386@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ntfs-3g package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 05 Sep 2021 14:50:38 +0200
Source: ntfs-3g
Architecture: source
Version: 1:2017.3.23AR.3-4+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 988386
Changes:
ntfs-3g (1:2017.3.23AR.3-4+deb11u1) bullseye-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fixed an endianness error in ntfscp
* Checked the locations of MFT and MFTMirr at startup
* Fix multiple buffer overflows.
CVE-2021-33285, CVE-2021-35269, CVE-2021-35268, CVE-2021-33289,
CVE-2021-33286, CVE-2021-35266, CVE-2021-33287, CVE-2021-35267,
CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254,
CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258,
CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262,
CVE-2021-39263. (Closes: #988386)
Checksums-Sha1:
78fea16aae37f144a4cc06c4e3af5e4c386fcb05 2369 ntfs-3g_2017.3.23AR.3-4+deb11u1.dsc
18a483bb91cb5cb532454ae5c4f18d71e5cd9b80 1277609 ntfs-3g_2017.3.23AR.3.orig.tar.gz
8b1c7734a2fbe740d3e9de4d77e421498acece81 34860 ntfs-3g_2017.3.23AR.3-4+deb11u1.debian.tar.xz
Checksums-Sha256:
715b6fd6aaf2ecb26bc0d734bce34e3f66ede437431b217b0d5164f2d7797f72 2369 ntfs-3g_2017.3.23AR.3-4+deb11u1.dsc
a83fbd533259abd5b73dc37635cc003a697248375702ddcc39af129957a7564b 1277609 ntfs-3g_2017.3.23AR.3.orig.tar.gz
482ae83729b3b0df0ad8d678cd6c72ee93d5033bd06bae81b98abd5cdd97650e 34860 ntfs-3g_2017.3.23AR.3-4+deb11u1.debian.tar.xz
Files:
22917eed6b5ceaf761d8fa81a022669c 2369 otherosfs optional ntfs-3g_2017.3.23AR.3-4+deb11u1.dsc
5202fb9d41b0db673b73da4ca9bb88b5 1277609 otherosfs optional ntfs-3g_2017.3.23AR.3.orig.tar.gz
3fe14d3806a99104faa2286d431a58fb 34860 otherosfs optional ntfs-3g_2017.3.23AR.3-4+deb11u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Fri, 10 Sep 2021 10:51:09 GMT).
Notification sent
to Jeremy Galindo <jgalindo@datto.com>:
Bug acknowledged by developer.
(Fri, 10 Sep 2021 10:51:09 GMT).
Subject: Bug#988386: fixed in ntfs-3g 1:2017.3.23AR.3-3+deb10u1
Date: Fri, 10 Sep 2021 10:48:50 +0000
Source: ntfs-3g
Source-Version: 1:2017.3.23AR.3-3+deb10u1
Done: Salvatore Bonaccorso <carnil@debian.org>
We believe that the bug you reported is fixed in the latest version of
ntfs-3g, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 988386@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ntfs-3g package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 05 Sep 2021 14:53:02 +0200
Source: ntfs-3g
Architecture: source
Version: 1:2017.3.23AR.3-3+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 988386
Changes:
ntfs-3g (1:2017.3.23AR.3-3+deb10u1) buster-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fixed an endianness error in ntfscp
* Checked the locations of MFT and MFTMirr at startup
* Fix multiple buffer overflows.
CVE-2021-33285, CVE-2021-35269, CVE-2021-35268, CVE-2021-33289,
CVE-2021-33286, CVE-2021-35266, CVE-2021-33287, CVE-2021-35267,
CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254,
CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258,
CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262,
CVE-2021-39263. (Closes: #988386)
Checksums-Sha1:
4c9b98ac5aba5635d06fdfd59e070c11b06145b2 2363 ntfs-3g_2017.3.23AR.3-3+deb10u1.dsc
7da89778338c57bc3326107c3413d36883496f39 34876 ntfs-3g_2017.3.23AR.3-3+deb10u1.debian.tar.xz
Checksums-Sha256:
a36b939deba2bf22a98ee6d340162b2bfb103d65c13daeffb10fd3a49dcd6b5e 2363 ntfs-3g_2017.3.23AR.3-3+deb10u1.dsc
35def7823d7690c9d54496a145fb11107ccb0f6073e35f06e4cad5d1e73a0fae 34876 ntfs-3g_2017.3.23AR.3-3+deb10u1.debian.tar.xz
Files:
321f8a585f4202d4c699eb6dc92011d3 2363 otherosfs optional ntfs-3g_2017.3.23AR.3-3+deb10u1.dsc
08b36230b5ab1d9a4ea53417fcfdbd38 34876 otherosfs optional ntfs-3g_2017.3.23AR.3-3+deb10u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 10 Oct 2021 07:28:43 GMT).