On Tue, Jul 17, 2012 at 02:47:49PM -0400, Michael Gilbert wrote:
> Data entered into the tracker needs to be reliable. If you have not
> personally checked CVE references for each individual issue against
> the patches present in the tracker, then you cannot claim that the
> problem has been fixed.
>
> Leave those issues <unfixed> until someone who is willing to do the
> appropriate research has time to review the issue.
>
> Otherwise we're leaving issues unfixed and fooling ourselves into
> thinking they are fixed, which is just so incredibly wrong.
>
> Best wishes,
> Mike
I got this information from the package maintainer (Stig Sandbeck Mathisen s...@d.org):

"""
That issue is fixed in the 2.7.18-1 upload to unstable and in the
2.6.2-5+squeeze6 upload to stable-security, along with CVE-2012-3864,
CVE-2012-3865, CVE-2012-3866 and CVE-2012-3867, which those uploads mention.
"""

Which he later corrected in our email discussion:

"""
It was fixed by Puppet Labs in revision ab9150b by deprecating it in 2.7.18
(by logging a warning message), and removing it in 3.x. I was of the
impression that this made it into the squeeze security release, but I was
mistaken. Sorry. :/

Puppet Labs sees it as a "low-risk" security vulnerability
(http://puppetlabs.com/security/cve/cve-2012-3408/). In order to be
vulnerable, you have to:

* Explicitly configure "certname=<ipaddress>" in puppet.conf. The default
  is the fully qualified domain name.
* Allow others access to the network your agent runs on, as well as taking
  its IP address, or using man-in-the-middle techniques to impersonate this
  IP address.
"""

I could verify every issue by myself, but is that really needed in cases where the package maintainer gives this information, as some issues are very time consuming to verify?

This was a human mistake and I am sorry. I hope trying to update the security tracker and report bugs is not incredibly wrong. I asked on #debian-security how to go forward with this case, as the DSA did not contain CVE-2012-3408, and was following those instructions.

- Henri Salo
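The precondition quoted above from the Puppet Labs advisory (an explicit `certname` set to an IP address in puppet.conf) is something an administrator can check for before deciding whether a host is affected. The following is an added example written for this page, not code from the thread, from Debian or from Puppet Labs. It assumes puppet.conf is INI-style and that an `[agent]` setting overrides `[main]`; the sample configuration contents are constructed.

```python
"""Added example (not from the mailing-list thread): flag a puppet.conf that
explicitly sets certname to an IP address literal, the configuration the
quoted Puppet Labs advisory names as a precondition for CVE-2012-3408."""
import configparser
import ipaddress

# Constructed sample puppet.conf contents (not taken from the page).
SAMPLE_VULNERABLE = """
[main]
logdir = /var/log/puppet
[agent]
certname = 192.0.2.10
server = puppet.example.org
"""

# Constructed sample with no explicit certname: Puppet falls back to the FQDN.
SAMPLE_DEFAULT = """
[main]
logdir = /var/log/puppet
[agent]
server = puppet.example.org
"""


def parse_puppet_conf(text):
    """Parse puppet.conf text; it is INI-style with '#' inline comments."""
    cp = configparser.ConfigParser(interpolation=None,
                                   inline_comment_prefixes=("#",))
    cp.read_string(text)
    return cp


def effective_certname(cp):
    """Return the explicitly configured certname, or None if not set.

    Assumption: a value in [agent] takes precedence over one in [main].
    """
    for section in ("agent", "main"):
        if cp.has_section(section) and cp.has_option(section, "certname"):
            return cp.get(section, "certname").strip()
    return None


def is_ip_literal(value):
    """True for a syntactically valid IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def certname_is_ip(text):
    """True when the config explicitly sets certname to an IP literal."""
    name = effective_certname(parse_puppet_conf(text))
    return name is not None and is_ip_literal(name)


if __name__ == "__main__":
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE),
                          ("default", SAMPLE_DEFAULT)):
        print(label, "-> certname is IP:", certname_is_ip(sample))
```

Running this over a real file is a matter of passing the file's contents to `certname_is_ip`; a `True` result means the first of the two advisory conditions holds and the host's agent certificate is named by address rather than by FQDN.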