Your message dated Mon, 25 Jan 2010 16:45:01 +1100
with message-id <20100125054501.ga27...@verge.net.au>
and subject line CVE-2009-3736 local privilege escalation
has caused the Debian Bug report #559845,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
559845: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559845
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: heartbeat
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool. I see that heartbeat in unstable no longer
embeds libtool, but it appears that etch and lenny still have it. I am
not sure if it is actually used in the binary packages though. Please
check. If those packages are not affected, please close the bug.
CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.
Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736
--- End Message ---
--- Begin Message ---
My analysis indicates that heartbeat is not vulnerable to this problem.
--- End Message ---
