
Fwd: Cap'n Proto security advisory / Debian



Hi release team,

A number of security bugs in the capnproto 0.4.1-2 package in Jessie have been reported to me by upstream (please see the attached email to the Debian security team for details). I've raised corresponding "critical" bugs against the package and will be preparing an upload to sid that I'd like to eventually flow into testing to address these bugs.

Any problems or concerns in the interim, please let me know.

Cheers,
Tom

---------- Forwarded message ----------
From: Tom Lee <[email protected]>
Date: Sun, Mar 15, 2015 at 10:04 PM
Subject: Fwd: Cap'n Proto security advisory / Debian
To: [email protected]


Hey folks,

I'd just like to draw your attention to several security issues in the capnproto 0.4.1-2 package (and likely earlier versions too, but I haven't yet verified). Full details of the issues:

https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2015-03-02-0-c%2B%2B-integer-overflow.md
https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2015-03-02-1-c%2B%2B-integer-underflow.md
https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2015-03-02-2-all-cpu-amplification.md
https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2015-03-05-0-c%2B%2B-addl-cpu-amplification.md

I've opened corresponding bugs against the capnproto package here, and will be working toward getting these fixed over the coming days: https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=capnproto;dist=unstable. I'll also be reaching out to the release team so they're aware that this is going on.

Apologies too for the delay -- all were reported to me by upstream quite a while back, and I've been slow to get the ball rolling.

Please let me know if I can provide you with any other information that might be helpful in the interim.

Cheers,
Tom

--
Tom Lee http://tomlee.co / @tglee
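The advisory titles linked above name two bug classes: an integer overflow/underflow in the C++ implementation's bounds handling, and CPU amplification, where a small hostile message makes the receiver do a disproportionate amount of work. The following is an added illustration of those two classes in the abstract; it is not Cap'n Proto's code, not the patches behind the advisories, and the toy segment/pointer layout, the vulnerable and hardened checks, and the per-element traversal budget are all simplifying assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy "segment": a buffer of 8-byte words, loosely modelled on a
 * segment of a Cap'n Proto-style message. This layout is an assumption
 * for the example, not the real wire format. */
typedef struct {
    const uint64_t *words;
    uint32_t word_count;
} segment_t;

/* Toy pointer: the target starts `offset` words into the segment and
 * spans `size` words. Both fields come straight from the untrusted
 * message. */
typedef struct {
    uint32_t offset;
    uint32_t size;
} toy_ptr_t;

/* Vulnerable check: offset + size is computed in 32-bit arithmetic and
 * wraps. A hostile pointer such as offset 0xFFFFFFF0, size 0x20 sums to
 * 0x10, passes the comparison, and would then be dereferenced far
 * outside the segment. */
bool in_bounds_vulnerable(const segment_t *seg, toy_ptr_t p) {
    uint32_t end = p.offset + p.size;   /* may wrap around */
    return end <= seg->word_count;
}

/* Hardened check: compare each operand against the remaining space
 * instead of summing first, so no intermediate value can wrap. */
bool in_bounds_hardened(const segment_t *seg, toy_ptr_t p) {
    if (p.offset > seg->word_count)
        return false;
    return p.size <= seg->word_count - p.offset;
}

/* CPU amplification: a list pointer can declare a huge element count
 * with zero-width elements. Its byte footprint is zero, so a bounds
 * check alone accepts it, yet naive handling iterates `count` times.
 * A traversal budget that charges at least one word per element (an
 * assumed mitigation for the example) bounds the work to the budget. */
typedef struct {
    uint64_t budget_words;
} traversal_t;

bool charge_list(traversal_t *t, uint64_t count, uint64_t element_words) {
    uint64_t per_elem = element_words ? element_words : 1;
    if (count > UINT64_MAX / per_elem)      /* multiplication would wrap */
        return false;
    uint64_t cost = count * per_elem;
    if (cost > t->budget_words)
        return false;
    t->budget_words -= cost;
    return true;
}

int main(void) {
    /* Constructed inputs: a 16-word segment and a hostile pointer. */
    segment_t seg = { NULL, 16 };
    toy_ptr_t evil = { 0xFFFFFFF0u, 0x20u };
    printf("vulnerable accepts hostile pointer: %d\n", in_bounds_vulnerable(&seg, evil));
    printf("hardened accepts hostile pointer:   %d\n", in_bounds_hardened(&seg, evil));

    /* Constructed input: a list of 2^40 zero-width elements. */
    traversal_t t = { 1000 };
    printf("budget accepts 2^40 empty elements: %d\n",
           charge_list(&t, (uint64_t)1 << 40, 0));
    return 0;
}
```

The point of the hardened form is that every comparison is between two values that are each bounded by the segment size, so the check cannot be satisfied by wraparound; the budget check does the equivalent for work rather than memory by charging a floor cost per element.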

