Your message dated Sat, 10 Jan 2009 23:02:06 +0000
with message-id <e1llmqe-0004ow...@ries.debian.org>
and subject line Bug#503532: fixed in dbus 1.2.1-5
has caused the Debian Bug report #503532,
regarding CVE-2008-4311 vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
503532: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503532
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dbus
Severity: grave
Justification: user security hole
Version: 1.0.2-1+etch2
Version: 1.2.1-4
Version: 1.2.4-1

fedora has just released fixes for a vulnerability in dbus.  they did
not describe what the problem actually is, and the issue is still
reserved in the cve database [1].  see the fedora security
announcement for more details [2].

thanks for working to keep debian secure.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4311
[2] https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00209.html



--- End Message ---
--- Begin Message ---
Source: dbus
Source-Version: 1.2.1-5

We believe that the bug you reported is fixed in the latest version of
dbus, which is due to be installed in the Debian FTP archive:

dbus-1-doc_1.2.1-5_all.deb
  to pool/main/d/dbus/dbus-1-doc_1.2.1-5_all.deb
dbus-x11_1.2.1-5_i386.deb
  to pool/main/d/dbus/dbus-x11_1.2.1-5_i386.deb
dbus_1.2.1-5.diff.gz
  to pool/main/d/dbus/dbus_1.2.1-5.diff.gz
dbus_1.2.1-5.dsc
  to pool/main/d/dbus/dbus_1.2.1-5.dsc
dbus_1.2.1-5_i386.deb
  to pool/main/d/dbus/dbus_1.2.1-5_i386.deb
libdbus-1-3_1.2.1-5_i386.deb
  to pool/main/d/dbus/libdbus-1-3_1.2.1-5_i386.deb
libdbus-1-dev_1.2.1-5_i386.deb
  to pool/main/d/dbus/libdbus-1-dev_1.2.1-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 503...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated dbus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 10 Jan 2009 21:43:16 +0000
Source: dbus
Binary: dbus dbus-x11 libdbus-1-3 dbus-1-doc libdbus-1-dev
Architecture: source all i386
Version: 1.2.1-5
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Description: 
 dbus       - simple interprocess messaging system
 dbus-1-doc - simple interprocess messaging system (documentation)
 dbus-x11   - simple interprocess messaging system (X11 deps)
 libdbus-1-3 - simple interprocess messaging system
 libdbus-1-dev - simple interprocess messaging system (development headers)
Closes: 503532 508032
Changes: 
 dbus (1.2.1-5) unstable; urgency=high
 .
   [ Sjoerd Simons ]
   * debian/patches/CVE-2008-4311.patch:
     + Added, Fixes CVE-2008-4311. A mistake in the default configuration for
       the system bus (system.conf) which made the default policy for both sent
       and received messages effectively *allow*, and not deny as intended. This
       patch fixes the send side permissions (Closes: #503532, #508032)
   * Urgency high for the security fix
 .
   [ Simon McVittie ]
   * Rename CVE-*.patch to prefix them with a sequence number so it's clear
     what order they should apply in
   * Add 51-CVE-2008-4311-but-allow-signals.patch, cherry-picked from upstream
     git commit d899734475: after fixing CVE-2008-4311, re-allow emitting
     signals
   * debian/patches/3[0-4]*.patch, cherry-picked from upstream git (see patches
     for commit IDs): add logging when permission to send a message is denied
   * debian/patches/35-syslog-h.patch: #include <syslog.h> to fix compilation
     with the logging patches applied
   * Add myself to Uploaders

-----BEGIN PGP SIGNATURE-----

iD8DBQFJaSXuWSc8zVUw7HYRApELAJ9xeiYY+SKB2YSEkGS1wMNkoKnMUACg5wvH
QlPFufHhxIR4RrQCTVVcljU=
=X1ZZ
-----END PGP SIGNATURE-----



--- End Message ---
