fastdds - Debian Package Tracker

general

source: fastdds (main)
version: 3.1.2+ds-1
maintainer: Debian Robotics Team (DMD)
uploaders: Timo Röhling [DMD]
arch: all any
std-ver: 4.7.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 2.1.0+ds-9+deb11u1
old-sec: 2.1.0+ds-9+deb11u1
old-bpo: 2.7.1+ds-1~bpo11+1
stable: 2.9.1+ds-1+deb12u2
stable-sec: 2.9.1+ds-1+deb12u2
testing: 3.1.2+ds-1
unstable: 3.1.2+ds-1

versioned links

2.1.0+ds-9+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.7.1+ds-1~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.9.1+ds-1+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.1.2+ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

fastdds-tools
libfastdds-dev
libfastdds-doc
libfastdds3.1
libfastrtps-dev

action needed

A new upstream version is available: 3.2.2 high

A new upstream version 3.2.2 is available, you should consider packaging it.

Created: 2024-12-20 Last update: 2025-05-06 20:01

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2025-02-26 Last update: 2025-04-29 16:32

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2023-24010: An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.

Created: 2025-04-27 Last update: 2025-04-27 18:05

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2023-24010: An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.

Created: 2025-04-27 Last update: 2025-04-27 18:05

10 security issues in bullseye high

There are 10 open security issues in bullseye.

2 important issues:

CVE-2023-24010: An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.
CVE-2025-24807: eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0, per design, PermissionsCA is not full chain validated, nor is the expiration date validated. Access control plugin validates only the S/MIME signature which causes an expired PermissionsCA to be taken as valid. Even though this issue is responsible for allowing `governance/permissions` from an expired PermissionsCA and having the system crash when PermissionsCA is not self-signed and contains the full-chain, the impact is low. Versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0 contain a fix for the issue.

8 issues postponed or untriaged:

CVE-2023-50257: (needs triaging) eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Even with the application of SROS2, due to the issue where the data (`p[UD]`) and `guid` values used to disconnect between nodes are not encrypted, a vulnerability has been discovered where a malicious attacker can forcibly disconnect a Subscriber and can deny a Subscriber attempting to connect. Afterwards, if the attacker sends the packet for disconnecting, which is data (`p[UD]`), to the Global Data Space (`239.255.0.1:7400`) using the said Publisher ID, all the Subscribers (Listeners) connected to the Publisher (Talker) will not receive any data and their connection will be disconnected. Moreover, if this disconnection packet is sent continuously, the Subscribers (Listeners) trying to connect will not be able to do so. Since the initial commit of the `SecurityManager.cpp` code (`init`, `on_process_handshake`) on Nov 8, 2016, the Disconnect Vulnerability in RTPS Packets Used by SROS2 has been present prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7.
CVE-2023-50716: (needs triaging) eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7, an invalid DATA_FRAG Submessage causes a bad-free error, and the Fast-DDS process can be remotely terminated. If an invalid Data_Frag packet is sent, the `Inline_qos, SerializedPayload` member of object `ch` will attempt to release memory without initialization, resulting in a 'bad-free' error. Versions 2.13.0, 2.12.2, 2.11.3, 2.10.2, and 2.6.7 fix this issue.
CVE-2024-26369: (needs triaging) An issue in the HistoryQosPolicy component of FastDDS v2.12.x, v2.11.x, v2.10.x, and v2.6.x leads to a SIGABRT (signal abort) upon receiving DataWriter's data.
CVE-2024-28231: (needs triaging) eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.14.0, 2.13.4, 2.12.3, 2.10.4, and 2.6.8, manipulated DATA Submessage can cause a heap overflow error in the Fast-DDS process, causing the process to be terminated remotely. Additionally, the payload_size in the DATA Submessage packet is declared as uint32_t. When a negative number, such as -1, is input into this variable, it results in an Integer Overflow (for example, -1 gets converted to 0xFFFFFFFF). This eventually leads to a heap-buffer-overflow, causing the program to terminate. Versions 2.14.0, 2.13.4, 2.12.3, 2.10.4, and 2.6.8 contain a fix for this issue.
CVE-2024-30258: (needs triaging) FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8, when a publisher serves a malformed `RTPS` packet, the subscriber crashes when creating `pthread`. This can remotely crash any Fast-DDS process, potentially leading to a DOS attack. Versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8 contain a patch for the issue.
CVE-2024-30259: (needs triaging) FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8, when a publisher serves malformed `RTPS` packet, heap buffer overflow occurs on the subscriber. This can remotely crash any Fast-DDS process, potentially leading to a DOS attack. Versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8 contain a patch for the issue.
CVE-2024-30916: (needs triaging) An issue was discovered in eProsima FastDDS v.2.14.0 and before, allows a local attacker to cause a denial of service (DoS) and obtain sensitive information via a crafted max_samples parameter in DurabilityService QoS component.
CVE-2024-30917: (needs triaging) An issue was discovered in eProsima FastDDS v.2.14.0 and before, allows a local attacker to cause a denial of service (DoS) and obtain sensitive information via a crafted history_depth parameter in DurabilityService QoS component.

Created: 2025-02-12 Last update: 2025-04-27 18:05

10 security issues in bookworm high

There are 10 open security issues in bookworm.

2 important issues:

CVE-2023-24010: An attacker can arbitrarily craft malicious DDS Participants (or ROS 2 Nodes) with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS#7 certificate’s validation. This is caused by a non-compliant implementation of permission document verification used by some DDS vendors. Specifically, an improper use of the OpenSSL PKCS7_verify function used to validate S/MIME signatures.
CVE-2025-24807: eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0, per design, PermissionsCA is not full chain validated, nor is the expiration date validated. Access control plugin validates only the S/MIME signature which causes an expired PermissionsCA to be taken as valid. Even though this issue is responsible for allowing `governance/permissions` from an expired PermissionsCA and having the system crash when PermissionsCA is not self-signed and contains the full-chain, the impact is low. Versions 2.6.10, 2.10.7, 2.14.5, 3.0.2, 3.1.2, and 3.2.0 contain a fix for the issue.

8 issues left for the package maintainer to handle:

CVE-2023-50257: (needs triaging) eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Even with the application of SROS2, due to the issue where the data (`p[UD]`) and `guid` values used to disconnect between nodes are not encrypted, a vulnerability has been discovered where a malicious attacker can forcibly disconnect a Subscriber and can deny a Subscriber attempting to connect. Afterwards, if the attacker sends the packet for disconnecting, which is data (`p[UD]`), to the Global Data Space (`239.255.0.1:7400`) using the said Publisher ID, all the Subscribers (Listeners) connected to the Publisher (Talker) will not receive any data and their connection will be disconnected. Moreover, if this disconnection packet is sent continuously, the Subscribers (Listeners) trying to connect will not be able to do so. Since the initial commit of the `SecurityManager.cpp` code (`init`, `on_process_handshake`) on Nov 8, 2016, the Disconnect Vulnerability in RTPS Packets Used by SROS2 has been present prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7.
CVE-2023-50716: (needs triaging) eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.13.0, 2.12.2, 2.11.3, 2.10.3, and 2.6.7, an invalid DATA_FRAG Submessage causes a bad-free error, and the Fast-DDS process can be remotely terminated. If an invalid Data_Frag packet is sent, the `Inline_qos, SerializedPayload` member of object `ch` will attempt to release memory without initialization, resulting in a 'bad-free' error. Versions 2.13.0, 2.12.2, 2.11.3, 2.10.2, and 2.6.7 fix this issue.
CVE-2024-26369: (needs triaging) An issue in the HistoryQosPolicy component of FastDDS v2.12.x, v2.11.x, v2.10.x, and v2.6.x leads to a SIGABRT (signal abort) upon receiving DataWriter's data.
CVE-2024-28231: (needs triaging) eprosima Fast DDS is a C++ implementation of the Data Distribution Service standard of the Object Management Group. Prior to versions 2.14.0, 2.13.4, 2.12.3, 2.10.4, and 2.6.8, manipulated DATA Submessage can cause a heap overflow error in the Fast-DDS process, causing the process to be terminated remotely. Additionally, the payload_size in the DATA Submessage packet is declared as uint32_t. When a negative number, such as -1, is input into this variable, it results in an Integer Overflow (for example, -1 gets converted to 0xFFFFFFFF). This eventually leads to a heap-buffer-overflow, causing the program to terminate. Versions 2.14.0, 2.13.4, 2.12.3, 2.10.4, and 2.6.8 contain a fix for this issue.
CVE-2024-30258: (needs triaging) FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8, when a publisher serves a malformed `RTPS` packet, the subscriber crashes when creating `pthread`. This can remotely crash any Fast-DDS process, potentially leading to a DOS attack. Versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8 contain a patch for the issue.
CVE-2024-30259: (needs triaging) FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8, when a publisher serves malformed `RTPS` packet, heap buffer overflow occurs on the subscriber. This can remotely crash any Fast-DDS process, potentially leading to a DOS attack. Versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8 contain a patch for the issue.
CVE-2024-30916: (needs triaging) An issue was discovered in eProsima FastDDS v.2.14.0 and before, allows a local attacker to cause a denial of service (DoS) and obtain sensitive information via a crafted max_samples parameter in DurabilityService QoS component.
CVE-2024-30917: (needs triaging) An issue was discovered in eProsima FastDDS v.2.14.0 and before, allows a local attacker to cause a denial of service (DoS) and obtain sensitive information via a crafted history_depth parameter in DurabilityService QoS component.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-02-23 Last update: 2025-04-27 18:05

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2025-03-06 Last update: 2025-05-06 18:31

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2025-02-28 Last update: 2025-04-11 03:30

debian/patches: 9 patches to forward upstream low

Among the 15 debian patches available in version 3.1.2+ds-1 of the package, we noticed the following issues:

9 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-02-28 23:03

Build log checks report 2 warnings low

Build log checks report 2 warnings

Created: 2024-03-09 Last update: 2024-08-29 04:39

news

[rss feed]

[2025-03-06] fastdds 3.1.2+ds-1 MIGRATED to testing (Debian testing watch)
[2025-02-28] Accepted fastdds 3.1.2+ds-1 (source) into unstable (Timo Röhling)
[2024-11-28] fastdds 3.1.0+ds-2 MIGRATED to testing (Debian testing watch)
[2024-11-22] Accepted fastdds 3.1.0+ds-2 (source) into unstable (Timo Röhling)
[2024-10-15] Accepted fastdds 3.1.0+ds-1 (all amd64 source) into experimental (Debian FTP Masters) (signed by: Timo Röhling)
[2024-09-19] fastdds 3.0.1+ds-1 MIGRATED to testing (Debian testing watch)
[2024-09-13] Accepted fastdds 3.0.1+ds-1 (source) into unstable (Timo Röhling)
[2024-08-31] fastdds 3.0.0+ds-3 MIGRATED to testing (Debian testing watch)
[2024-08-28] Accepted fastdds 3.0.0+ds-3 (source) into unstable (Timo Röhling)
[2024-08-28] Accepted fastdds 3.0.0+ds-2 (source) into unstable (Timo Röhling)
[2024-08-28] Accepted fastdds 3.0.0+ds-1 (all amd64 source) into experimental (Debian FTP Masters) (signed by: Timo Röhling)
[2024-07-25] fastdds 2.14.3+ds-1 MIGRATED to testing (Debian testing watch)
[2024-07-22] Accepted fastdds 2.14.3+ds-1 (source) into unstable (Timo Röhling)
[2024-07-01] fastdds 2.14.2+ds-1 MIGRATED to testing (Debian testing watch)
[2024-06-28] Accepted fastdds 2.14.2+ds-1 (source) into unstable (Timo Röhling)
[2024-05-17] fastdds 2.14.1+ds-1 MIGRATED to testing (Debian testing watch)
[2024-05-17] fastdds 2.14.1+ds-1 MIGRATED to testing (Debian testing watch)
[2024-05-15] Accepted fastdds 2.14.1+ds-1 (source) into unstable (Timo Röhling)
[2024-05-03] fastdds 2.14.0+ds-4 MIGRATED to testing (Debian testing watch)
[2024-04-20] Accepted fastdds 2.14.0+ds-4 (source) into unstable (Timo Röhling)
[2024-04-18] Accepted fastdds 2.14.0+ds-3 (source) into unstable (Timo Röhling)
[2024-04-17] Accepted fastdds 2.14.0+ds-2 (source) into unstable (Timo Röhling)
[2024-04-17] Accepted fastdds 2.14.0+ds-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Timo Röhling)
[2024-04-12] fastdds REMOVED from testing (Debian testing watch)
[2024-02-28] Accepted fastdds 2.11.2+ds-6.1 (source) into unstable (Michael Hudson-Doyle)
[2024-02-01] Accepted fastdds 2.11.2+ds-6.1~exp1 (source) into experimental (Michael Hudson-Doyle)
[2023-12-02] Accepted fastdds 2.9.1+ds-1+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Timo Röhling)
[2023-11-27] Accepted fastdds 2.9.1+ds-1+deb12u2 (source) into stable-security (Debian FTP Masters) (signed by: Timo Röhling)
[2023-10-26] fastdds 2.11.2+ds-6 MIGRATED to testing (Debian testing watch)
[2023-10-24] Accepted fastdds 2.11.2+ds-6 (source) into unstable (Timo Röhling)

bugs [bug history graph]

all: 2
RC: 0
I&N: 2
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 1)
buildd: logs, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.1.2+ds-1build1