Your message dated Tue, 30 Sep 2008 09:18:24 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#499841: fixed in libpam-mount 0.48-1
has caused the Debian Bug report #499841,
regarding CVE-2008-3970: does not verify mountpoint and source ownership before mounting a user-defined volume
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
499841: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499841
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libpam-mount
Version: 0.18-3
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libpam-mount.

CVE-2008-3970[0]:
| pam_mount 0.10 through 0.45, when luserconf is enabled, does not
| verify mountpoint and source ownership before mounting a
| user-defined volume, which allows local users to bypass intended
| access restrictions via a local mount.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3970
    http://security-tracker.debian.net/tracker/CVE-2008-3970



--- End Message ---
--- Begin Message ---
Source: libpam-mount
Source-Version: 0.48-1

We believe that the bug you reported is fixed in the latest version of
libpam-mount, which is due to be installed in the Debian FTP archive:

libpam-mount_0.48-1.diff.gz
  to pool/main/libp/libpam-mount/libpam-mount_0.48-1.diff.gz
libpam-mount_0.48-1.dsc
  to pool/main/libp/libpam-mount/libpam-mount_0.48-1.dsc
libpam-mount_0.48-1_amd64.deb
  to pool/main/libp/libpam-mount/libpam-mount_0.48-1_amd64.deb
libpam-mount_0.48.orig.tar.gz
  to pool/main/libp/libpam-mount/libpam-mount_0.48.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Kleineidam <[EMAIL PROTECTED]> (supplier of updated libpam-mount package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 28 Sep 2008 19:50:41 +0200
Source: libpam-mount
Binary: libpam-mount
Architecture: source amd64
Version: 0.48-1
Distribution: unstable
Urgency: high
Maintainer: Bastian Kleineidam <[EMAIL PROTECTED]>
Changed-By: Bastian Kleineidam <[EMAIL PROTECTED]>
Description: 
 libpam-mount - PAM module that can mount volumes for a user session
Closes: 493234 494107 497813 499841
Changes: 
 libpam-mount (0.48-1) unstable; urgency=high
 .
   * New upstream release, using libhx >= 0.25.
     - Prevents security flaw CVE-2008-3970 (thus urgency high) (Closes: #499841)
     - Prevents double free in "su" usage (Closes: #493234)
     - Does "~" expanding in paths again (Closes: #497813)
     - Print names of blocking processes on umount (Closes: #494107)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjhMmMACgkQeBwlBDLsbz567wCgppLPTRJvkkdsLoKjBOvRpvHJ
keoAoMHUX6mF3dkDy0MPrCQ5GRAnO+Ve
=88Mc
-----END PGP SIGNATURE-----



--- End Message ---
