Your message dated Sat, 26 Mar 2005 22:10:03 -0700 (MST)
with message-id <[EMAIL PROTECTED]>
and subject line fixed
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 17 Nov 2004 04:20:17 +0000
From: Hideki Yamane <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: [vulnerability] Bash scripts run via Sudo can be subverted and sudo 1.6.8p2 released
X-Mailer: reportbug 3.2
Date: Wed, 17 Nov 2004 13:22:46 +0900
Message-Id: <[EMAIL PROTECTED]>

Package: sudo
Severity: grave
Tags: security, woody, sarge, sid
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear sudo maintainer,

 Maybe you know about this, but there is no post in the BTS, so I'll send 
 it to you as a notice.

 A vulnerability was found in sudo. sudo's environment sanitizing could 
 allow a malicious user with permission to run a script that utilized 
 the bash shell to run arbitrary commands.
 For more detail, see http://www.courtesan.com/sudo/alerts/bash_functions.html

 It says the affected version is "All versions prior to 1.6.8p2", so all of 
 the woody/sarge/sid sudo packages are affected, and it says "The bug is fixed 
 in sudo 1.6.8p2" but no pointer or patch is available. So you should 
 check diffs via CVS...
 

 Please check it.

- -- 

 Hideki Yamane     henrich @ samba.gr.jp/iijmio-mail.jp


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBmtIWIu0hy8THJksRAuxNAJ9xllhiHY0+EbT/9F3Sjt71Yd+dHgCglNuw
lRVayB0J98w73npW4I0kq/g=
=qD5s
-----END PGP SIGNATURE-----
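
An added illustration, not part of the original report and not sudo's own code: a small C scrubber for the environment handed to a bash script that runs with elevated privileges. It assumes, from the alert's file name (bash_functions.html) and the behaviour of bash releases of that period, that the risky entries are variables whose value begins with `()`, which bash imported as function definitions; the name list, function names and sample environment are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Names that change how bash behaves; this list is the example's own choice. */
static const char *const drop_names[] = { "CDPATH", "BASH_ENV", "ENV", NULL };

/* Return 1 if a "NAME=value" entry should not reach a privileged bash script. */
int env_entry_is_unsafe(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 1;                         /* malformed: no '=' or empty name */
    /* Assumption: a value starting with "()" is treated as an exported
     * bash function definition, so it is dropped whatever its name is. */
    if (strncmp(eq + 1, "()", 2) == 0)
        return 1;
    size_t nlen = (size_t)(eq - entry);
    for (size_t i = 0; drop_names[i] != NULL; i++)
        if (strlen(drop_names[i]) == nlen &&
            strncmp(entry, drop_names[i], nlen) == 0)
            return 1;
    return 0;
}

/* Compact envp in place, keeping only safe entries; returns how many were removed. */
size_t scrub_env(char **envp)
{
    size_t kept = 0, removed = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (env_entry_is_unsafe(envp[i]))
            removed++;
        else
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return removed;
}

/* Constructed sample environment, not taken from the bug report. */
char *sample_env[] = { "PATH=/usr/bin:/bin", "helper=() { :; }",
                       "CDPATH=/tmp", "TERM=xterm", NULL };

int main(void)
{
    printf("removed %zu entries\n", scrub_env(sample_env));
    for (char **p = sample_env; *p != NULL; p++)
        puts(*p);                         /* what the script would inherit */
    return 0;
}
```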

---------------------------------------
Received: (at 281665-done) by bugs.debian.org; 27 Mar 2005 05:09:59 +0000
To: [EMAIL PROTECTED]
Subject: fixed
Message-Id: <[EMAIL PROTECTED]>
Date: Sat, 26 Mar 2005 22:10:03 -0700 (MST)
From: [EMAIL PROTECTED] (Bdale Garbee)

I believe that with 1.6.6-1.3 now in unstable, this is no longer an issue.

Bdale

