Your message dated Thu, 25 Oct 2007 19:17:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#447341: fixed in hplip 1.6.10-4.2+lenny1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: hplip
Version: 1.6.10-3
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for hplip.
CVE-2007-5208[0]:
| hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip)
| 1.x and 2.x before 2.7.10 allows context-dependent attackers to
| execute arbitrary commands via shell metacharacters in a from address,
| which is not properly handled when invoking sendmail.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
You can find a patch on:
http://launchpadlibrarian.net/9737865/90_subprocess_replacement.dpatch
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5208
Kind regards
Nico
--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpprIHsTVMhk.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: hplip
Source-Version: 1.6.10-4.2+lenny1
We believe that the bug you reported is fixed in the latest version of
hplip, which is due to be installed in the Debian FTP archive:
hpijs-ppds_2.6.10+1.6.10-4.2+lenny1_all.deb
to pool/main/h/hplip/hpijs-ppds_2.6.10+1.6.10-4.2+lenny1_all.deb
hpijs_2.6.10+1.6.10-4.2+lenny1_i386.deb
to pool/main/h/hplip/hpijs_2.6.10+1.6.10-4.2+lenny1_i386.deb
hplip-data_1.6.10-4.2+lenny1_all.deb
to pool/main/h/hplip/hplip-data_1.6.10-4.2+lenny1_all.deb
hplip-dbg_1.6.10-4.2+lenny1_i386.deb
to pool/main/h/hplip/hplip-dbg_1.6.10-4.2+lenny1_i386.deb
hplip-doc_1.6.10-4.2+lenny1_all.deb
to pool/main/h/hplip/hplip-doc_1.6.10-4.2+lenny1_all.deb
hplip_1.6.10-4.2+lenny1.diff.gz
to pool/main/h/hplip/hplip_1.6.10-4.2+lenny1.diff.gz
hplip_1.6.10-4.2+lenny1.dsc
to pool/main/h/hplip/hplip_1.6.10-4.2+lenny1.dsc
hplip_1.6.10-4.2+lenny1_i386.deb
to pool/main/h/hplip/hplip_1.6.10-4.2+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated hplip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 22 Oct 2007 10:31:55 +0200
Source: hplip
Binary: hpijs hplip-data hpijs-ppds hplip hplip-doc hplip-dbg
Architecture: source all i386
Version: 1.6.10-4.2+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Henrique de Moraes Holschuh <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
hpijs - HP Linux Printing and Imaging - gs IJS driver (hpijs)
hpijs-ppds - HP Linux Printing and Imaging - HPIJS PPD files
hplip - HP Linux Printing and Imaging System (HPLIP)
hplip-data - HP Linux Printing and Imaging - data files
hplip-dbg - HP Linux Printing and Imaging - debugging information
hplip-doc - HP Linux Printing and Imaging - documentation
Closes: 447341
Changes:
hplip (1.6.10-4.2+lenny1) testing-security; urgency=high
.
* Non-maintainer upload by testing security team.
* Included CVE-2007-5208.dpatch to fix
arbitrary command execution in hpssd via crafted from address
because of missing sanitization (CVE-2007-5208) (Closes: #447341).
Files:
96b66cfec0be1cd061bc03f47da0862f 901 utils optional hplip_1.6.10-4.2+lenny1.dsc
01519018343978776fe4acfbdb7cb6df 10561620 utils optional
hplip_1.6.10.orig.tar.gz
4a5ebc1dcba8eb3db1439af713b17571 251716 utils optional
hplip_1.6.10-4.2+lenny1.diff.gz
aeac225ba4b17f030dd5d03cf1e2a892 1759584 utils optional
hpijs-ppds_2.6.10+1.6.10-4.2+lenny1_all.deb
0d068c678b8735d51ecdcb89a6198ccf 6294014 utils optional
hplip-data_1.6.10-4.2+lenny1_all.deb
0bf977ecd2e7d7205060c1a7dcee629d 1617880 doc optional
hplip-doc_1.6.10-4.2+lenny1_all.deb
774656e689b1ae916bf8a95effbc1ff6 345310 text optional
hpijs_2.6.10+1.6.10-4.2+lenny1_i386.deb
8a7bac4f58cc2517d84c26faab97c29b 568794 utils optional
hplip_1.6.10-4.2+lenny1_i386.deb
37d107e3515900d52ce981bc6e5e6200 821722 utils extra
hplip-dbg_1.6.10-4.2+lenny1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHIHyNHYflSXNkfP8RAr9fAJ9sjeonLJI4TvZnWUrHbNzEEwnYpgCgpQGE
XrIDdX3JiboV8Hf7iNPO1nI=
=/z43
-----END PGP SIGNATURE-----
--- End Message ---
