- Package:
- src:fis-gtm
- Source:
- src:fis-gtm
- Submitter:
- Moritz Mühlenhoff
- Date:
- 2025-04-22 14:00:03 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerabilities were published for fis-gtm.

CVE-2021-44496[0]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can control the
| size variable and buffer that is passed to a call to memcpy. An
| attacker can use this to overwrite key data structures and gain
| control of the flow of execution.

http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html
https://gitlab.com/YottaDB/DB/YDB/-/issues/828

CVE-2021-44504[1]:
| An issue was discovered in FIS GT.M through V7.0-000 (related to the
| YottaDB code base). Using crafted input, an attacker can cause a size
| variable, stored as a signed int, to equal an extremely large value,
| which is interpreted as a negative value during a check. This value is
| then used in a memcpy call on the stack, causing a memory segmentation
| fault.

http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html
https://gitlab.com/YottaDB/DB/YDB/-/issues/828

If you fix the vulnerabilities please also make sure to include the CVE
(Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-44496
    https://www.cve.org/CVERecord?id=CVE-2021-44496
[1] https://security-tracker.debian.org/tracker/CVE-2021-44504
    https://www.cve.org/CVERecord?id=CVE-2021-44504

Please adjust the affected versions in the BTS as needed.
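The second CVE text above describes a classic length-validation defect: a size taken from untrusted input is held in a signed int, so a value with the top bit set compares as negative, passes an upper-bound check, and is then handed to memcpy as a huge size_t. The following is an added, constructed illustration of that pattern and its fix; it is not GT.M or YottaDB code, and the buffer size, function names and the sample length value are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not GT.M/YottaDB code): a fixed-size record buffer
 * and a length field that arrives from untrusted input. */
#define RECORD_MAX 64

/* Defective pattern: the length is kept in a signed int. A wire value such
 * as 0xFFFFFFF0 reads as -16, so "len <= RECORD_MAX" is true and the check
 * lets the copy proceed; memcpy would then receive (size_t)len, a value
 * near SIZE_MAX. Returns 1 when the check would allow the copy. */
static int length_check_signed(int len)
{
    return len <= RECORD_MAX;   /* negative values pass this test */
}

/* Hardened pattern: keep the length unsigned so the same bit pattern is a
 * large positive number and is rejected by the bound. */
static int length_check_unsigned(size_t len)
{
    return len <= RECORD_MAX;
}

/* Copies a record only after validating the length against both the
 * record limit and the actual destination size. Returns the number of
 * bytes copied, or 0 when the length is rejected. */
static size_t copy_record_safe(uint8_t *dst, size_t dst_len,
                               const uint8_t *src, size_t src_len)
{
    if (src_len > dst_len || !length_check_unsigned(src_len))
        return 0;
    memcpy(dst, src, src_len);
    return src_len;
}

int main(void)
{
    /* Constructed length field as read from input: 0xFFFFFFF0. Converting it
     * to int yields -16 on two's-complement platforms. */
    uint32_t wire_len = 0xFFFFFFF0u;
    int as_signed = (int)wire_len;

    printf("signed check allows copy:   %d\n", length_check_signed(as_signed));
    printf("unsigned check allows copy: %d\n", length_check_unsigned(wire_len));

    uint8_t buf[RECORD_MAX];
    const uint8_t payload[] = "constructed record";
    printf("copied %zu bytes\n",
           copy_record_safe(buf, sizeof buf, payload, sizeof payload));
    return 0;
}
```

The defensive point is that the type of the length variable is part of the check: validating a signed length against an upper bound alone does not reject values that have wrapped negative, so either the comparison must also reject `len < 0` or, more simply, the length should be unsigned and bounded against the real destination size before any copy.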
Hi Amul,
I realised that fis-gtm is lagging behind upstream by some versions and the
Debian-packaged fis-gtm is featuring CVE-2021-44496 and CVE-2021-44504.
It would be great if you could upgrade the Debian package to the latest
upstream version.
Kind regards,
Andreas.
The CVEs listed in this bug report do NOT affect GT.M V7.0-005, the current
Debian version listed on https://tracker.debian.org/pkg/fis-gtm. There is no
reason for this bug report. Please close it.

I will upload a newer version of GT.M, V7.1-002, later this month.

Thanks,
Amul

The information contained in this message is proprietary and/or confidential.
If you are not the intended recipient, please: (i) delete the message and all
copies; (ii) do not disclose, distribute or use the message in any manner; and
(iii) notify the sender immediately. In addition, please be aware that any
message addressed to our domain is subject to archiving and review by persons
other than the intended recipient. Thank you.

Message Encrypted via TLS connection
Ping?

On Sat, Dec 09, 2023 at 06:13:24PM +0100, Andreas Tille wrote:
Hi Bhaskar,

it seems Amul is not actively working on the fis-gtm package any more.
Could you name any new contact person for the Debian package?

Kind regards,
Andreas.

On Mon, Apr 01, 2024 at 02:51:26PM +0200, Andreas Tille wrote: