Bug#984940: marked as done (CVE-2021-28041)



Your message dated Sat, 13 Mar 2021 10:18:28 +0000
with message-id <E1lL1Lo-000GTu-3z@fasolo.debian.org>
and subject line Bug#984940: fixed in openssh 1:8.4p1-5
has caused the Debian Bug report #984940,
regarding CVE-2021-28041
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
984940: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984940
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: openssh
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

Hi,
The following vulnerability was published for openssh.

CVE-2021-28041[0]:
| ssh-agent in OpenSSH before 8.5 has a double free that may be relevant
| in a few less-common scenarios, such as unconstrained agent-socket
| access on a legacy operating system, or the forwarding of an agent to
| an attacker-controlled host.

Buster is not affected. Isolated patch at:
https://github.com/openssh/openssh-portable/commit/e04fd6dde16de1cdc5a4d9946397ff60d96568db

Cheers,
        Moritz

--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:8.4p1-5
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 984940@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 13 Mar 2021 09:59:40 +0000
Source: openssh
Architecture: source
Version: 1:8.4p1-5
Distribution: unstable
Urgency: high
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 984940
Changes:
 openssh (1:8.4p1-5) unstable; urgency=high
 .
   * CVE-2021-28041: Fix double free in ssh-agent(1) (closes: #984940).
Checksums-Sha1:
 1bbcf852400b5c78dbb42216906749fdc257dac6 3353 openssh_8.4p1-5.dsc
 8422023273c7bb8bca46d5f14c7a18effc9cbe2d 179108 openssh_8.4p1-5.debian.tar.xz
Checksums-Sha256:
 77f230be1493a1037ab9b1555709f597563759115f40b189605da9f1817c0138 3353 openssh_8.4p1-5.dsc
 9f38375592c9903fd64a1e69f42452ddad7e7c35c561ea7b8befbf45870b1a53 179108 openssh_8.4p1-5.debian.tar.xz
Files:
 01355d3d331293cb3739fb10ab7cc6b9 3353 net standard openssh_8.4p1-5.dsc
 584914153d290009cf68f3258cc8dec3 179108 net standard openssh_8.4p1-5.debian.tar.xz

--- End Message ---