Your message dated Fri, 11 Dec 2009 05:02:37 +0000
with message-id <e1nixeh-0007ug...@ries.debian.org>
and subject line Bug#559816: fixed in jags 1.0.4-1
has caused the Debian Bug report #559816,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
559816: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559816
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: jags
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736



--- End Message ---
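The lookup flaw the CVE text above describes, as an added illustration that is not libltdl's own code: a hypothetical `resolve_la()` searches an explicit directory list and, when `allow_cwd_fallback` reproduces the pre-2.2.6b behaviour, falls through to a bare `name.la` that the OS resolves against the working directory; `demo()` builds a constructed temporary layout with a decoy in the working directory to show the vulnerable policy picking it up while the hardened policy fails closed (all names here are assumptions).

```c
#define _XOPEN_SOURCE 700   /* exposes mkdtemp(), access(), snprintf() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical .la resolver (not libltdl code). Returns 1 and fills `out` when
 * <name>.la is readable under one of `dirs`. allow_cwd_fallback reproduces the
 * pre-2.2.6b behaviour the CVE describes: a bare "<name>.la" is tried last and
 * the OS resolves it against a working directory the program may not control. */
int resolve_la(const char *name, const char *const *dirs, size_t ndirs,
               int allow_cwd_fallback, char *out, size_t outlen)
{
    if (strchr(name, '/')) {                /* explicit path chosen by caller */
        snprintf(out, outlen, "%s.la", name);
        return access(out, R_OK) == 0;
    }
    for (size_t i = 0; i < ndirs; i++) {
        snprintf(out, outlen, "%s/%s.la", dirs[i], name);
        if (access(out, R_OK) == 0) return 1;
    }
    if (allow_cwd_fallback) {               /* the flaw: an implicit "./" */
        snprintf(out, outlen, "%s.la", name);
        if (access(out, R_OK) == 0) return 1;
    }
    out[0] = '\0';                          /* hardened: fail closed instead */
    return 0;
}

/* Constructed scenario: an empty trusted dir plus a decoy mod.la in the working
 * directory. Returns 1 when the vulnerable policy loads the decoy and the
 * hardened one refuses, 0 otherwise, -1 on setup failure. */
int demo(void)
{
    char tmpl[] = "/tmp/ltdl-demo-XXXXXX", trusted[PATH_MAX], work[PATH_MAX];
    char decoy[PATH_MAX], found[PATH_MAX];
    if (!mkdtemp(tmpl)) return -1;
    snprintf(trusted, sizeof trusted, "%s/trusted", tmpl);
    snprintf(work, sizeof work, "%s/work", tmpl);
    snprintf(decoy, sizeof decoy, "%s/mod.la", work);
    if (mkdir(trusted, 0700) || mkdir(work, 0700) || chdir(work)) return -1;
    FILE *f = fopen(decoy, "w");
    if (!f) return -1;
    fputs("# decoy .la in the working directory, not in the trusted dir\n", f);
    fclose(f);
    const char *dirs[] = { trusted };
    int vuln = resolve_la("mod", dirs, 1, 1, found, sizeof found);
    int hard = resolve_la("mod", dirs, 1, 0, found, sizeof found);
    return vuln == 1 && hard == 0;
}
```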
--- Begin Message ---
Source: jags
Source-Version: 1.0.4-1

We believe that the bug you reported is fixed in the latest version of
jags, which is due to be installed in the Debian FTP archive:

jags_1.0.4-1.diff.gz
  to main/j/jags/jags_1.0.4-1.diff.gz
jags_1.0.4-1.dsc
  to main/j/jags/jags_1.0.4-1.dsc
jags_1.0.4-1_i386.deb
  to main/j/jags/jags_1.0.4-1_i386.deb
jags_1.0.4.orig.tar.gz
  to main/j/jags/jags_1.0.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dirk Eddelbuettel <e...@debian.org> (supplier of updated jags package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Thu, 10 Dec 2009 22:41:47 -0600
Source: jags
Binary: jags
Architecture: source i386
Version: 1.0.4-1
Distribution: unstable
Urgency: low
Maintainer: Dirk Eddelbuettel <e...@debian.org>
Changed-By: Dirk Eddelbuettel <e...@debian.org>
Description: 
 jags       - Just Another Gibbs Sampler for Bayesian MCMC simulation
Closes: 559816
Changes: 
 jags (1.0.4-1) unstable; urgency=low
 .
   * New upstream release containing new libltdl/ from libtool 2.2.6b
     in regards to CVE-2009-3736[0]                     (Closes: #559816)

--- End Message ---