Your message dated Fri, 03 Oct 2008 18:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#499841: fixed in libpam-mount 0.44-1+lenny1
has caused the Debian Bug report #499841,
regarding CVE-2008-3970: does not verify mountpoint and source ownership before
mounting a user-defined volume
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
499841: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499841
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libpam-mount
Version: 0.18-3
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libpam-mount.
CVE-2008-3970[0]:
| pam_mount 0.10 through 0.45, when luserconf is enabled, does not
| verify mountpoint and source ownership before mounting a
| user-defined volume, which allows local users to bypass intended
| access restrictions via a local mount.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3970
http://security-tracker.debian.net/tracker/CVE-2008-3970
--- End Message ---
--- Begin Message ---
Source: libpam-mount
Source-Version: 0.44-1+lenny1
We believe that the bug you reported is fixed in the latest version of
libpam-mount, which is due to be installed in the Debian FTP archive:
libpam-mount_0.44-1+lenny1.diff.gz
  to pool/main/libp/libpam-mount/libpam-mount_0.44-1+lenny1.diff.gz
libpam-mount_0.44-1+lenny1.dsc
  to pool/main/libp/libpam-mount/libpam-mount_0.44-1+lenny1.dsc
libpam-mount_0.44-1+lenny1_amd64.deb
  to pool/main/libp/libpam-mount/libpam-mount_0.44-1+lenny1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated libpam-mount package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 03 Oct 2008 17:58:26 +0200
Source: libpam-mount
Binary: libpam-mount
Architecture: source amd64
Version: 0.44-1+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Bastian Kleineidam <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
 libpam-mount - PAM module that can mount volumes for a user session
Closes: 499841
Changes:
 libpam-mount (0.44-1+lenny1) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add security checks including mountpoint and source ownership
     verification before mounting user-defined volumes to prevent
     access restriction bypasses (07_CVE-2008-3970.dpatch; Closes: #499841).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkjmRooACgkQHYflSXNkfP89eACdEcEJaLKRYFP1uxzrQx8o/BzT
czEAn3lJcm7sg2nR/dUR9lIajDeVZH7U
=JVsY
-----END PGP SIGNATURE-----
--- End Message ---