Your message dated Sat, 29 Nov 2008 16:17:17 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#506550: fixed in quassel 0.2~rc1-1.1
has caused the Debian Bug report #506550,
regarding quassel: IRC client command injection vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
506550: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506550
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: quassel
Severity: grave
Tags: security
Justification: user security hole

The Quassel version in Debian is vulnerable to IRC command injection, as described
in http://www.frsirt.com/english/advisories/2008/3164
Updated packages are already available at http://quassel.irc.org/; according
to the quassel developers, a backport for the fix is also available.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (400, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages quassel depends on:
ii  libc6                  2.7-16            GNU C Library: Shared libraries
ii  libfontconfig1         2.6.0-3           generic font configuration library
ii  libfreetype6           2.3.7-2           FreeType 2 font engine, shared lib
ii  libgcc1                1:4.3.2-1         GCC support library
ii  libice6                2:1.0.4-1         X11 Inter-Client Exchange library
ii  libpng12-0             1.2.27-2          PNG library - runtime
ii  libqt4-network         4.4.3-1           Qt 4 network module
ii  libqtcore4             4.4.3-1           Qt 4 core module
ii  libqtgui4              4.4.3-1           Qt 4 GUI module
ii  libsm6                 2:1.0.3-2         X11 Session Management library
ii  libstdc++6             4.3.2-1           The GNU Standard C++ Library v3
ii  libx11-6               2:1.1.5-2         X11 client-side library
ii  libxext6               2:1.0.4-1         X11 miscellaneous extension librar
ii  libxi6                 2:1.1.4-1         X11 Input extension library
ii  libxrandr2             2:1.2.3-1         X11 RandR extension library
ii  libxrender1            1:0.9.4-2         X Rendering Extension client libra
pn  quassel-core           <none>            (no description available)
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

quassel recommends no packages.

quassel suggests no packages.



--- End Message ---
--- Begin Message ---
Source: quassel
Source-Version: 0.2~rc1-1.1

We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive:

quassel-core_0.2~rc1-1.1_amd64.deb
  to pool/main/q/quassel/quassel-core_0.2~rc1-1.1_amd64.deb
quassel_0.2~rc1-1.1.diff.gz
  to pool/main/q/quassel/quassel_0.2~rc1-1.1.diff.gz
quassel_0.2~rc1-1.1.dsc
  to pool/main/q/quassel/quassel_0.2~rc1-1.1.dsc
quassel_0.2~rc1-1.1_amd64.deb
  to pool/main/q/quassel/quassel_0.2~rc1-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated quassel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 29 Nov 2008 13:50:08 +0100
Source: quassel
Binary: quassel quassel-core
Architecture: source amd64
Version: 0.2~rc1-1.1
Distribution: unstable
Urgency: high
Maintainer: Thomas Mueller <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 quassel    - distributed IRC client using a central core component
 quassel-core - distributed IRC client using a central core component
Closes: 506550
Changes: 
 quassel (0.2~rc1-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix wrong dequoting for ctcp messages that enables attackers to craft
     a ctcp message and send arbitrary messages or irc commands to
     others (05_security.patch; Closes: #506550).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkxaPoACgkQHYflSXNkfP+9BACcDYBBmPc5tcNLHZQgnDfbww5K
HrYAn3+bHsStDMG6qCrmvwBFZWUdev5j
=GaGG
-----END PGP SIGNATURE-----



--- End Message ---
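
The changelog entry above attributes the bug to wrong dequoting of CTCP messages. As an added example (not Quassel's code and not the contents of 05_security.patch), the C++ below shows CTCP low-level dequoting, after which a payload can hold raw CR/LF, and a reply builder that re-quotes echoed data and refuses any line still containing a terminator. The function names are hypothetical, and that the flaw involved M-QUOTE-encoded line terminators is an assumption based on the CTCP quoting scheme.

```cpp
#include <string>

// CTCP low-level quoting: M-QUOTE (0x10) escapes NUL, LF, CR and itself.
constexpr char MQUOTE = '\x10';

// Decode an incoming CTCP payload. After this call the string may contain
// raw CR/LF/NUL, so it must never be copied into an outgoing line as-is.
std::string ctcp_low_dequote(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != MQUOTE) { out += in[i]; continue; }
        if (++i == in.size()) break;           // dangling quote char: drop it
        switch (in[i]) {
            case '0': out += '\0'; break;
            case 'n': out += '\n'; break;
            case 'r': out += '\r'; break;
            default:  out += in[i]; break;     // covers MQUOTE MQUOTE
        }
    }
    return out;
}

// Inverse transform, applied to anything placed in an outgoing CTCP payload.
std::string ctcp_low_quote(const std::string& in) {
    std::string out;
    for (char c : in) {
        switch (c) {
            case '\0':   out += MQUOTE; out += '0'; break;
            case '\n':   out += MQUOTE; out += 'n'; break;
            case '\r':   out += MQUOTE; out += 'r'; break;
            case MQUOTE: out += MQUOTE; out += MQUOTE; break;
            default:     out += c;
        }
    }
    return out;
}

// Build the NOTICE answering a CTCP request (hypothetical helper). The echoed
// argument is re-quoted, and an empty string is returned if a line terminator
// or NUL survived anywhere in the line, including in the nick or tag.
std::string build_ctcp_reply(const std::string& nick, const std::string& tag,
                             const std::string& arg) {
    std::string line = "NOTICE " + nick + " :\x01" + tag + " " +
                       ctcp_low_quote(arg) + "\x01";
    if (line.find_first_of(std::string("\r\n\0", 3)) != std::string::npos)
        return std::string();
    return line + "\r\n";
}
```

A caller treats an empty return value as "do not send" and drops the request.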
