Your message dated Sat, 21 May 2005 15:47:15 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#309648: fixed in cheetah 0.9.16-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 18 May 2005 14:28:39 +0000
From [EMAIL PROTECTED] Wed May 18 07:28:39 2005
Return-path: <[EMAIL PROTECTED]>
Received: from inutil.org (vserver151.vserver151.serverflex.de) [193.22.164.111]
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DYPXL-0002YB-00; Wed, 18 May 2005 07:28:39 -0700
Received: from jmm by vserver151.vserver151.serverflex.de with local (Exim 4.50)
        id 1DYPVm-000324-SL
        for [EMAIL PROTECTED]; Wed, 18 May 2005 16:27:02 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: Cheetah loads arbitrary code from /tmp
X-Mailer: reportbug 3.8
Date: Wed, 18 May 2005 16:27:02 +0200
Message-Id: <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: cheetah
Severity: grave
Tags: security

Cheetah loads arbitrary module code from /tmp, see
http://sourceforge.net/mailarchive/forum.php?thread_id=7070332&forum_id=1542
for a detailed discussion. It's fixed in CVS and 0.9.17rc1,
but since Sarge is in freeze an upload with only the security
fix would surely be appreciated by the release managers.

Cheers,
         Moritz

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

---------------------------------------
Received: (at 309648-close) by bugs.debian.org; 21 May 2005 19:51:06 +0000
From [EMAIL PROTECTED] Sat May 21 12:51:06 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DZa02-0008HS-00; Sat, 21 May 2005 12:51:06 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
        id 1DZZwJ-0000ca-00; Sat, 21 May 2005 15:47:15 -0400
From: Chad Walstrom <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#309648: fixed in cheetah 0.9.16-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sat, 21 May 2005 15:47:15 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Source: cheetah
Source-Version: 0.9.16-1

We believe that the bug you reported is fixed in the latest version of
cheetah, which is due to be installed in the Debian FTP archive:

cheetah-common_0.9.16-1_all.deb
  to pool/main/c/cheetah/cheetah-common_0.9.16-1_all.deb
cheetah_0.9.16-1.diff.gz
  to pool/main/c/cheetah/cheetah_0.9.16-1.diff.gz
cheetah_0.9.16-1.dsc
  to pool/main/c/cheetah/cheetah_0.9.16-1.dsc
python-cheetah_0.9.16-1_all.deb
  to pool/main/c/cheetah/python-cheetah_0.9.16-1_all.deb
python2.2-cheetah_0.9.16-1_i386.deb
  to pool/main/c/cheetah/python2.2-cheetah_0.9.16-1_i386.deb
python2.3-cheetah_0.9.16-1_i386.deb
  to pool/main/c/cheetah/python2.3-cheetah_0.9.16-1_i386.deb
python2.4-cheetah_0.9.16-1_i386.deb
  to pool/main/c/cheetah/python2.4-cheetah_0.9.16-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chad Walstrom <[EMAIL PROTECTED]> (supplier of updated cheetah package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 21 May 2005 12:40:10 -0500
Source: cheetah
Binary: python2.3-cheetah cheetah-common python2.2-cheetah python-cheetah python2.4-cheetah
Architecture: source i386 all
Version: 0.9.16-1
Distribution: unstable
Urgency: high
Maintainer: Chad Walstrom <[EMAIL PROTECTED]>
Changed-By: Chad Walstrom <[EMAIL PROTECTED]>
Description: 
 cheetah-common - text-based template engine and Python code generator
 python-cheetah - text-based template engine and Python code generator
 python2.2-cheetah - text-based template engine and Python code generator
 python2.3-cheetah - text-based template engine and Python code generator
 python2.4-cheetah - text-based template engine and Python code generator
Closes: 309648
Changes: 
 cheetah (0.9.16-1) unstable; urgency=high
 .
   * debian/rules, debian/patches: Added simple-patchsys so we can
     apply security patches.
   * debian/patches/309648-tmpfix.patch: Kenshi Muto grabbed this one
     from the cheetahtemplate CVS.  Upstream rewrote how imports were
     handled, removing the need to use temp files and eliminating this
     security breach.  Closes: #309648
   * debian/control: Added version dependency for cdbs, required to support
     Python 2.4.
Files: 
 89b3f3a298f00614529fccfc7c5fe96d 722 text optional cheetah_0.9.16-1.dsc
 26427c4087e052c627ce226591d6e030 143466 text optional cheetah_0.9.16.orig.tar.gz
 4d482a1c228724564e06ae7747544232 9715 text optional cheetah_0.9.16-1.diff.gz
 b86d48c8b05d70a262c28d3f2983d64d 28690 text optional cheetah-common_0.9.16-1_all.deb
 fa1cc35d62c30b462ff1c41b70a32132 25356 text optional python-cheetah_0.9.16-1_all.deb
 5bbcd5f68d5c242433c5adb83e5aeca4 148280 text optional python2.2-cheetah_0.9.16-1_i386.deb
 6f01951dae27911411a58c731548b65a 148282 text optional python2.3-cheetah_0.9.16-1_i386.deb
 ac40b445899c88105478a39bd50b4ba8 148290 text optional python2.4-cheetah_0.9.16-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCj4MYDMcLGCBsWv0RAvgYAJ9Ab162yfmglsAklJ6CVs3oA5+gJACgy3Kc
rOzDuZHwVIC3FPdliumOh70=
=OIB9
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
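
The bug class Moritz reports above (generated module code loaded from /tmp) and the fix class the changelog describes (imports rewritten so that no temp files are needed), shown side by side as an added Python 3 example. This is not Cheetah's code and does not reproduce its internals: the loader functions, the module name "generated_template_42", the generated and attacker sources, and the loader's cache-hit behaviour are invented stand-ins for the pattern, and the demo uses a throwaway directory in place of the real shared /tmp so it can run anywhere.

```python
"""Predictable temp-file module loading (the reported bug class) beside two
safer loaders (the fix class). Illustrative stand-in, NOT Cheetah's code."""
import importlib
import importlib.util
import os
import shutil
import sys
import tempfile
import types

# Constructed stand-in for the Python source a template engine generates.
GENERATED_SOURCE = '''
def render(ctx):
    return "Hello, %s" % ctx["name"]
'''

# Constructed stand-in for a module a local attacker plants ahead of time.
ATTACKER_SOURCE = '''
def render(ctx):
    return "attacker code ran from " + __file__
'''


def load_via_shared_tmp(module_name, source, tmp_dir="/tmp"):
    """VULNERABLE pattern (assumed shape of the bug, not Cheetah's real code).

    Generated code is written under a guessable name into a directory every
    local user can write to, then imported *by name* through sys.path.
    Whoever created the file first decides what gets imported, and while
    tmp_dir sits on sys.path any other unresolved import can be satisfied
    from attacker-controlled files as well.
    """
    path = os.path.join(tmp_dir, module_name + ".py")
    if not os.path.exists(path):          # existing file trusted as a cache hit
        with open(path, "w") as fh:
            fh.write(source)
    sys.modules.pop(module_name, None)    # make sure we really import from disk
    sys.path.insert(0, tmp_dir)
    importlib.invalidate_caches()
    try:
        return importlib.import_module(module_name)
    finally:
        sys.path.remove(tmp_dir)
        sys.modules.pop(module_name, None)


def load_in_memory(module_name, source):
    """FIXED pattern: compile the generated source and exec it into a fresh
    module object. No file, no sys.path change, nothing to pre-create or race."""
    code = compile(source, "<generated:%s>" % module_name, "exec")
    module = types.ModuleType(module_name)
    exec(code, module.__dict__)
    return module


def load_from_private_dir(module_name, source):
    """If generated code must touch disk (e.g. a bytecode cache), use a
    directory created 0700 with a random name, create the file with O_EXCL,
    and import it by full path instead of a name lookup through sys.path."""
    private_dir = tempfile.mkdtemp(prefix="tplcache-")
    try:
        path = os.path.join(private_dir, module_name + ".py")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(source)
        spec = importlib.util.spec_from_file_location(module_name, path)
        module = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(module)
        return module
    finally:
        shutil.rmtree(private_dir, ignore_errors=True)


def demo():
    """Attacker plants a module under the name the victim is predicted to use,
    in a throwaway directory standing in for the shared /tmp; returns what each
    loader's render() produced."""
    shared = tempfile.mkdtemp(prefix="fake-shared-tmp-")
    name = "generated_template_42"         # hypothetical predictable module name
    with open(os.path.join(shared, name + ".py"), "w") as fh:
        fh.write(ATTACKER_SOURCE)
    ctx = {"name": "world"}
    try:
        return {
            "shared_tmp": load_via_shared_tmp(name, GENERATED_SOURCE, shared).render(ctx),
            "in_memory": load_in_memory(name, GENERATED_SOURCE).render(ctx),
            "private_dir": load_from_private_dir(name, GENERATED_SOURCE).render(ctx),
        }
    finally:
        shutil.rmtree(shared, ignore_errors=True)


if __name__ == "__main__":
    for loader, output in demo().items():
        print("%-12s -> %s" % (loader, output))
```

Running the module shows the shared-directory loader executing the planted module while the other two return the legitimate output. The in-memory loader is the shape of fix the changelog describes; the private-directory variant is the fallback when generated code has to be cached on disk, and it relies on three things together: a 0700 directory with an unpredictable name, O_EXCL creation so a pre-existing file is an error rather than a cache hit, and importing by full path so sys.path is never widened for the rest of the process.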
