Your message dated Sun, 08 Jun 2008 11:02:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#484728: fixed in roundup 1.4.4-1.1
has caused the Debian Bug report #484728,
regarding roundup: security hole: CVE-2008-1475
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
484728: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484728
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: roundup
Version: 1.4.4
Severity: grave
Tags: security
Justification: user security hole


I see that there isn't a fix for Debian for this bug:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1475
http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788

Apparently, the Debian version is thus vulnerable.


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-1-amd64 (SMP w/1 CPU core)
Locale: LANG=es_CL.utf8, LC_CTYPE=es_CL.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



--- End Message ---
--- Begin Message ---
Source: roundup
Source-Version: 1.4.4-1.1

We believe that the bug you reported is fixed in the latest version of
roundup, which is due to be installed in the Debian FTP archive:

roundup_1.4.4-1.1.dsc
  to pool/main/r/roundup/roundup_1.4.4-1.1.dsc
roundup_1.4.4-1.1.tar.gz
  to pool/main/r/roundup/roundup_1.4.4-1.1.tar.gz
roundup_1.4.4-1.1_all.deb
  to pool/main/r/roundup/roundup_1.4.4-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated roundup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 07 Jun 2008 10:02:05 +0200
Source: roundup
Binary: roundup
Architecture: source all
Version: 1.4.4-1.1
Distribution: unstable
Urgency: high
Maintainer: Toni Mueller <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 roundup    - an issue-tracking system
Closes: 484728
Changes: 
 roundup (1.4.4-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix privilege escalation leading to attackers being able to
     edit or view restricted properties via the "list", "display"
     and "set" methods (10-CVE-2008-1475.dpatch; Closes: #484728).
Checksums-Sha1: 
 6e8f751998e9b61cc7ced5469296ace056c68310 799 roundup_1.4.4-1.1.dsc
 3b87b0c423ac686d5ca121e7e59257462d40c2e1 1410348 roundup_1.4.4-1.1.tar.gz
 21c6eb586480094172c5f9189f5fb9b1a711a55a 1277548 roundup_1.4.4-1.1_all.deb
Checksums-Sha256: 
 39068616c96b9b30559caff4879a31e8b4cbe97be8e244b9aaa1799891bda915 799 roundup_1.4.4-1.1.dsc
 1b11f06bb12c0c928ee40c51551f0c92e13c8d0ae906c0ac8de5b220aad96c4e 1410348 roundup_1.4.4-1.1.tar.gz
 7f27d4c46684b9c4697fc10bed291c5995eeab345d612016d8af37013c22bfcd 1277548 roundup_1.4.4-1.1_all.deb
Files: 
 7b7d36b0411ba5da96c9627dbf311301 799 web optional roundup_1.4.4-1.1.dsc
 bafab7b7bee74e02751c03ff05d1e567 1410348 web optional roundup_1.4.4-1.1.tar.gz
 bd720ec14f74507e7e184a4eb89a2fe9 1277548 web optional roundup_1.4.4-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkhLtu0ACgkQHYflSXNkfP8XtwCeItALHxtCWSm3tstjEEYbU+RN
I38An0oLiIWGIMOuOkghuyYc7kZRCB6f
=cQ2/
-----END PGP SIGNATURE-----



--- End Message ---
