Version in base suite: 2.33.0-1 Base version: bettercap_2.33.0-1 Target version: bettercap_2.33.0-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/b/bettercap/bettercap_2.33.0-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/b/bettercap/bettercap_2.33.0-1+deb13u1.dsc changelog | 7 +++++++ patches/CVE-2026-8276.patch | 34 ++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 42 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp45liyhpt/bettercap_2.33.0-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp45liyhpt/bettercap_2.33.0-1+deb13u1.dsc: no acceptable signature found diff -Nru bettercap-2.33.0/debian/changelog bettercap-2.33.0/debian/changelog --- bettercap-2.33.0/debian/changelog 2024-08-18 20:54:15.000000000 +0000 +++ bettercap-2.33.0/debian/changelog 2026-07-13 02:41:40.000000000 +0000 @@ -1,3 +1,10 @@ +bettercap (2.33.0-1+deb13u1) trixie; urgency=medium + + * Add debian/patches/CVE-2026-8276.patch. + (Closes: #1136448, CVE-2026-8276) + + -- Francisco Vilmar Cardoso Ruviaro Mon, 13 Jul 2026 02:41:40 +0000 + bettercap (2.33.0-1) unstable; urgency=medium * New upstream version 2.33.0. diff -Nru bettercap-2.33.0/debian/patches/CVE-2026-8276.patch bettercap-2.33.0/debian/patches/CVE-2026-8276.patch --- bettercap-2.33.0/debian/patches/CVE-2026-8276.patch 1970-01-01 00:00:00.000000000 +0000 +++ bettercap-2.33.0/debian/patches/CVE-2026-8276.patch 2026-07-13 02:34:14.000000000 +0000 @@ -0,0 +1,34 @@ +Description: Fix mysql.server panic on crafted client handshake (remote DoS). +Author: Simone Margaritelli +Origin: upstream, https://github.com/bettercap/bettercap/commit/0eaa375c5e5446bfba94a290eff92967a5deac9e.patch +Bug: https://github.com/bettercap/bettercap/issues/1265 +Bug-Debian: https://bugs.debian.org/1136448 +Forwarded: not-needed +Reviewed-By: Francisco Vilmar Cardoso Ruviaro +Last-Update: 2026-07-10 + +--- a/modules/mysql_server/mysql_server.go ++++ b/modules/mysql_server/mysql_server.go +@@ -121,15 +121,20 @@ func (mod *MySQLServer) Start() error { + if _, err := conn.Write(packets.MySQLGreeting); err != nil { + mod.Warning("error while writing server greeting: %s", err) + continue +- } else if _, err = reader.Read(readBuffer); err != nil { ++ } else if read, err = reader.Read(readBuffer); err != nil { + mod.Warning("error while reading client message: %s", err) + continue + } + ++ if read < 37 { ++ mod.Warning("client handshake too short (%d bytes)", read) ++ continue ++ } ++ + // parse client capabilities and validate connection + // TODO: parse mysql connections properly and + // display additional connection attributes +- capabilities := fmt.Sprintf("%08b", (int(uint32(readBuffer[4]) | uint32(readBuffer[5])<<8))) ++ capabilities := fmt.Sprintf("%016b", (int(uint32(readBuffer[4]) | uint32(readBuffer[5])<<8))) + loadData := string(capabilities[8]) + username := string(bytes.Split(readBuffer[36:], []byte{0})[0]) + diff -Nru bettercap-2.33.0/debian/patches/series bettercap-2.33.0/debian/patches/series --- bettercap-2.33.0/debian/patches/series 2024-08-18 17:41:44.000000000 +0000 +++ bettercap-2.33.0/debian/patches/series 2026-07-13 02:34:56.000000000 +0000 @@ -1,3 +1,4 @@ adapt-service-file.patch disable-install-update-bettercap.patch disable-install-update-caplets.patch +CVE-2026-8276.patch