Your message dated Sat, 02 Apr 2005 03:32:19 -0500 with message-id <[EMAIL PROTECTED]> and subject line Bug#301729: fixed in dcl 1:0.9.4.4-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 27 Mar 2005 23:41:18 +0000
Date: Sun, 27 Mar 2005 18:44:18 -0500
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: code injection security hole
Message-ID: <[EMAIL PROTECTED]>

Package: dcl
Version: 1:0.9.2-2
Severity: grave
Tags: security

CAN-2005-0887 describes this security hole:

Code injection vulnerability in Double Choco Latte before 0.9.4.3 allows remote attackers to execute arbitrary PHP code via the menuAction variable in (1) functions.inc.php or (2) main.php, which causes code to be injected into an eval statement.

http://securitytracker.com/alerts/2005/Mar/1013559.html has some details; note that we have an older version of the program so will not be affected by the XSS vulnerability that was introduced in version 0.9.4.3. Both holes are fixed in 0.9.4.4.

There's little detail about the problem and I've not checked in depth, but some cursory diffing to see what was changed between 0.9.4.2 and .3 suggests that dcl was vulnerable to this hole as far back as the version in unstable.

I notice that this package is orphaned. If nobody steps up to take over maintenance, it will likely be removed from debian.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages dcl depends on:
ii  apache2-mpm-prefork [httpd]  2.0.53-5     traditional model for Apache2
ii  bash                         3.0-14       The GNU Bourne Again SHell
ii  debconf                      1.4.46       Debian configuration management sy
ii  grep                         2.5.1.ds1-4  GNU grep, egrep and fgrep
pn  php4 | php3                  Not found.
ii  python                       2.3.5-1      An interactive high-level object-o
ii  sed                          4.1.4-2      The GNU sed stream editor
pn  wwwconfig-common             Not found.

-- 
see shy jo

---------------------------------------
Received: (at 301729-close) by bugs.debian.org; 2 Apr 2005 08:39:18 +0000
Date: Sat, 02 Apr 2005 03:32:19 -0500
From: Anibal Monsalve Salazar <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#301729: fixed in dcl 1:0.9.4.4-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Source: dcl
Source-Version: 1:0.9.4.4-1

We believe that the bug you reported is fixed in the latest version of dcl, which is due to be installed in the Debian FTP archive:

dcl_0.9.4.4-1.diff.gz
  to pool/main/d/dcl/dcl_0.9.4.4-1.diff.gz
dcl_0.9.4.4-1.dsc
  to pool/main/d/dcl/dcl_0.9.4.4-1.dsc
dcl_0.9.4.4-1_all.deb
  to pool/main/d/dcl/dcl_0.9.4.4-1_all.deb
dcl_0.9.4.4.orig.tar.gz
  to pool/main/d/dcl/dcl_0.9.4.4.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <[EMAIL PROTECTED]> (supplier of updated dcl package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Sat, 02 Apr 2005 12:16:07 +1000
Source: dcl
Binary: dcl
Architecture: source all
Version: 1:0.9.4.4-1
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <[EMAIL PROTECTED]>
Changed-By: Anibal Monsalve Salazar <[EMAIL PROTECTED]>
Description:
 dcl        - GNU Enterprise - Double Choco Latte
Closes: 197628 224526 301729
Changes:
 dcl (1:0.9.4.4-1) unstable; urgency=high
 .
   * QA Upload.
   * Set Maintainer to Debian QA Group.
   * New upstream release.
   * Fixed "code injection security hole", closes: #301729.
   * Fixed "0.9.4.2 is available", closes: #197628.
   * Fixed "missing files: /etc/dcl/apache.conf, INSTALL.txt", closes: #224526.
     Patch by Jérôme Warnier <[EMAIL PROTECTED]>.
Files:
 4dd1be8cdd16c2483a6f3914079acd49 572 web optional dcl_0.9.4.4-1.dsc
 71c1ef6af96411f7640e5042d87ff0aa 998611 web optional dcl_0.9.4.4.orig.tar.gz
 309e9793db4d16fe44adfa700704a400 4387 web optional dcl_0.9.4.4-1.diff.gz
 ae863843424e6efd88d67c67e801ea4d 922652 web optional dcl_0.9.4.4-1_all.deb
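The eval-injection class described in the bug report above (a request variable such as menuAction spliced into an eval statement), as an added PHP illustration that is not Double Choco Latte's code: the function names, the request array and the allowlist map are assumptions, and the vulnerable dispatcher is included only to contrast it with the allowlist dispatcher that replaces it.

```php
<?php
// Added illustration of the bug class named in CAN-2005-0887: a client-controlled
// menuAction value spliced into the source string handed to eval(). This is NOT
// code from Double Choco Latte; the function names, the $request array and the
// MENU_ACTIONS map are assumed for the example.

// Vulnerable pattern: the client-supplied value becomes part of the PHP source
// that eval() compiles. A ';' or quote inside menuAction terminates the intended
// statement, so the client decides what the next statement is.
function dispatch_vulnerable(array $request)
{
    $menuAction = $request['menuAction'] ?? 'home';
    $result = null;
    eval('$result = menu_' . $menuAction . '();');   // never do this
    return $result;
}

// Hardened form: the value is only ever a key into a fixed allowlist of callables
// and is never interpreted as code. Anything not in the map is rejected outright,
// so adding a new menu_* function does not silently widen what the client can reach.
const MENU_ACTIONS = [
    'home'   => 'menu_home',
    'report' => 'menu_report',
];

function dispatch_safe(array $request): ?string
{
    $menuAction = $request['menuAction'] ?? 'home';
    if (!is_string($menuAction) || !array_key_exists($menuAction, MENU_ACTIONS)) {
        return null;   // caller answers 400 Bad Request
    }
    $handler = MENU_ACTIONS[$menuAction];
    return $handler();
}

function menu_home(): string   { return 'home page'; }
function menu_report(): string { return 'report page'; }

// Constructed requests for the demonstration, not captured traffic.
$requests = [
    ['menuAction' => 'report'],                    // legitimate action
    ['menuAction' => 'home(); /* anything */ //'], // would become code in eval()
    ['menuAction' => ['x' => 'y']],                // ?menuAction[x]=y arrives as an array
];
foreach ($requests as $r) {
    var_dump(dispatch_safe($r));
}
```

Run with `php example.php`. The point of the map is that request data stops being code entirely; filtering menuAction with a pattern such as `^[a-z]+$` before the eval() would stop the injection but would still let a client call any function whose name begins with `menu_`, which is why the allowlist is the better fix.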