Your message dated Sat, 19 Apr 2008 12:47:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#476572: fixed in aptlinex 0.91-1
has caused the Debian Bug report #476572,
regarding can be used to remove packages, or install experimental or specific versions, run arbitrary regexps
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
476572: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476572
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: aptlinex
Version: 0.9-1
Severity: grave
Tags: security

<a href="apt://pdmenu-">

With this it will happily remove pdmenu, while presenting a UI that
doesn't make that plain to the user. For more fun, could try libc6- ,
or some other library that will make apt unhappy. (I haven't tried that.)

<a href="apt://pdmenu/experimental">

With this it will install pdmenu from experimental (assuming sources.list is
set up). I think this syntax should be disallowed, along with the "=version"
syntax.

<a href="apt://p.*">

This installs all package names containing "p". Also, it demonstrates that
aptlinex exposes the posix regexp library to attackers. Any security hole
in that library can now be exploited over the web.

The best solution to all of these is probably to check that the package
name listed for installation is the name of an actual, existing package,
before passing it to apt.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages aptlinex depends on:
ii  apt-show-versions             0.12       lists available package versions w
ii  gambas2-gb-gui                2.5-1      The graphical toolkit selector com
ii  gambas2-runtime               2.5-1      The Gambas runtime
ii  gksu                          2.0.0-5    graphical frontend to su

Versions of packages aptlinex recommends:
ii  epiphany-gecko [www-browser 2.20.3-1.1   Intuitive GNOME web browser - Geck
ii  iceweasel [www-browser]     2.0.0.13-1   lightweight web browser based on M
ii  lynx [www-browser]          2.8.6-2      Text-mode WWW Browser
ii  w3m [www-browser]           0.5.1-5.1+b1 WWW browsable pager with excellent

-- no debconf information

-- 
see shy jo

Attachment: signature.asc
Description: Digital signature


--- End Message ---
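The mitigation the report asks for (verify that the name is a real, existing package before handing it to apt) can be expressed as a small validator. The following is an added example written for this page; it is not aptlinex's own code (aptlinex is a Gambas application) and the function names are hypothetical. It applies the Debian package-name grammar first, so that the remove modifier ("pdmenu-"), the suite and version selectors ("pdmenu/experimental", "pdmenu=1.0") and regex metacharacters ("p.*") are rejected before any lookup, and then requires an exact match against a known-package set. `KNOWN_PACKAGES` is a constructed stand-in for an archive query so the example runs offline.

```python
import re
from urllib.parse import unquote

# Debian Policy 5.6.1: lowercase alphanumerics plus '+', '-', '.', at least
# two characters, starting with an alphanumeric.  Anything with '/', '=',
# '*', '?', uppercase or whitespace fails this check outright.
PACKAGE_NAME_RE = re.compile(r"[a-z0-9][a-z0-9+.-]+")

# Constructed stand-in for a package-cache lookup (assumption for this
# example).  Real code would ask the local apt cache instead.
KNOWN_PACKAGES = frozenset({"pdmenu", "libc6", "lynx", "w3m"})


def extract_package_name(uri):
    """Strip the scheme from an apt URI.

    Accepts both 'apt://name' and 'apt:name'.  The remainder is
    percent-decoded before validation so that an encoded '/' or '='
    cannot slip past the grammar check.  Returns None for other schemes.
    """
    for prefix in ("apt://", "apt:"):
        if uri.startswith(prefix):
            return unquote(uri[len(prefix):])
    return None


def validate_package(name, known_packages=KNOWN_PACKAGES):
    """Return (ok, reason) for a decoded package name."""
    if name is None:
        return False, "not an apt URI"
    if not PACKAGE_NAME_RE.fullmatch(name):
        return False, "invalid package name syntax"
    # '-' and '+' are legal inside a name, but as a trailing character apt
    # treats them as remove/install modifiers; refuse those explicitly.
    if name[-1] in "+-":
        return False, "trailing +/- modifier not allowed"
    # Grammar alone is not enough: 'p.' is syntactically valid and apt would
    # fall back to treating an unmatched name as a POSIX regex.  Requiring an
    # exact match against existing packages closes that path.
    if name not in known_packages:
        return False, "no such package"
    return True, "ok"


def check_apt_uri(uri, known_packages=KNOWN_PACKAGES):
    """Validate a URI end to end; returns (ok, decoded_name, reason)."""
    name = extract_package_name(uri)
    ok, reason = validate_package(name, known_packages)
    return ok, name, reason


if __name__ == "__main__":
    # The three URIs from the report plus a few encoded and benign variants.
    for uri in ("apt://pdmenu", "apt:pdmenu", "apt://pdmenu-",
                "apt://pdmenu/experimental", "apt://pdmenu=1.0",
                "apt://p.*", "apt://p.", "apt://pdmenu%2Fexperimental"):
        print(uri, "->", check_apt_uri(uri))
```

In a deployment, `KNOWN_PACKAGES` would be replaced by an exact-name query against the local cache (for instance checking the exit status of `apt-cache show <name>`), which is still performed only after the grammar check has succeeded, so the lookup itself never sees a modifier, a selector or a pattern.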
--- Begin Message ---
Source: aptlinex
Source-Version: 0.91-1

We believe that the bug you reported is fixed in the latest version of
aptlinex, which is due to be installed in the Debian FTP archive:

aptlinex_0.91-1.diff.gz
  to pool/main/a/aptlinex/aptlinex_0.91-1.diff.gz
aptlinex_0.91-1.dsc
  to pool/main/a/aptlinex/aptlinex_0.91-1.dsc
aptlinex_0.91-1_all.deb
  to pool/main/a/aptlinex/aptlinex_0.91-1_all.deb
aptlinex_0.91.orig.tar.gz
  to pool/main/a/aptlinex/aptlinex_0.91.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
José L. Redrejo Rodríguez <[EMAIL PROTECTED]> (supplier of updated aptlinex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 19 Apr 2008 14:27:58 +0200
Source: aptlinex
Binary: aptlinex
Architecture: source all
Version: 0.91-1
Distribution: unstable
Urgency: high
Maintainer: José L. Redrejo Rodríguez <[EMAIL PROTECTED]>
Changed-By: José L. Redrejo Rodríguez <[EMAIL PROTECTED]>
Description: 
 aptlinex   - Web browser addon to install Debian packages with a click
Closes: 476572 476588 476590
Changes: 
 aptlinex (0.91-1) unstable; urgency=high
 .
   * New upstream release to fix several security bugs:
   * Check if the package really exists before acting (Closes: #476572)
   * Always uses Temp$() when creating temp files (Closes: #476588)
   * It does not use lock files anymore
   * Now apt:foo uris are also accepted (Closes: #476590)
Checksums-Sha1: 
 1d194fdbf3f56deddaaaa82f3fb2f1ff3ac92303 1000 aptlinex_0.91-1.dsc
 1f18a5e163d471559ad66e2c40f42b429dc11a8b 78048 aptlinex_0.91.orig.tar.gz
 cc6ee09ee8f39270080d32042ca40de8f7e39e9b 4126 aptlinex_0.91-1.diff.gz
 1525109c15e3a466123039761c44b559c58f2def 17902 aptlinex_0.91-1_all.deb
Checksums-Sha256: 
 99831c21bdd02431baff6347b1734132ec7fdbee21017834c40404a2e781f215 1000 aptlinex_0.91-1.dsc
 eaa0b6f66a97860796737f02a33a05510d61b20a52fba6c466fb684d2348c172 78048 aptlinex_0.91.orig.tar.gz
 a73a755806c5d1ee519a403471bd4e3a0cc1734cea0f961d921827324eac71fb 4126 aptlinex_0.91-1.diff.gz
 d83678846ce02b22919ecd1ff96415a5c2fc2fd8f9f022219ad3a4d553f8ce2d 17902 aptlinex_0.91-1_all.deb
Files: 
 66a0643d4ccc7a5298400199566497c3 1000 utils optional aptlinex_0.91-1.dsc
 0268d5163b1d29e2840fdd6322958aa5 78048 utils optional aptlinex_0.91.orig.tar.gz
 3294ee576f5a8ab3673c2411c3ba9fdb 4126 utils optional aptlinex_0.91-1.diff.gz
 9fa3738eb3233e3018c203a97830588b 17902 utils optional aptlinex_0.91-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFICedqmqVR2WapDeIRAqpiAJ4wrq4VVVzgQaj6MpEs3gdi8qWkPgCfXZ8U
rSSgBgLQpVceqiF41bvsCcw=
=hWQx
-----END PGP SIGNATURE-----



--- End Message ---