Your message dated Wed, 24 Mar 2010 19:48:31 +0000
with message-id <e1nuwz5-00026p...@ries.debian.org>
and subject line Bug#559815: fixed in hercules 3.07-1
has caused the Debian Bug report #559815,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
559815: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559815
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: hercules
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736



--- End Message ---
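The check the report asks for can start from the unpacked source tree. The sketch below is an added example, not part of the original bug report or of Debian's tooling: it looks for an embedded ltdl.c and reads the libtool version from the `VERSION=` line of any ltmain.sh in the same tree. It assumes that line reflects the embedded libltdl copy; the function names are hypothetical, and "listed" means the version falls in the range quoted in the CVE text above.

```shell
#!/bin/sh
# Heuristic audit for an embedded libltdl copy (added example).

# Print "listed" if VERSION is in the range the CVE text names
# (1.5.x, and 2.2.6 before 2.2.6b), otherwise "not-listed".
classify_libtool_version() {
    case "$1" in
        1.5|1.5.*)    echo listed ;;
        2.2.6|2.2.6a) echo listed ;;
        *)            echo not-listed ;;
    esac
}

# Print the libtool version recorded in an ltmain.sh file.
# Quotes and any distro suffix after the first space are dropped.
ltmain_version() {
    sed -n 's/^[[:space:]]*VERSION=//p' "$1" | head -n 1 |
        tr -d "\"'" | cut -d' ' -f1
}

# Scan a source tree. Output is one of:
#   no-embedded-ltdl             no ltdl.c anywhere in the tree
#   version-unknown              ltdl.c present, no ltmain.sh to read
#   <status> <version> <path>    one line per ltmain.sh found
scan_tree() {
    root=$1
    if [ -z "$(find "$root" -type f -name ltdl.c -print | head -n 1)" ]; then
        echo "no-embedded-ltdl"
        return 0
    fi
    out=$(find "$root" -type f -name ltmain.sh -print |
        while IFS= read -r f; do
            v=$(ltmain_version "$f")
            echo "$(classify_libtool_version "$v") $v $f"
        done | sort -u)
    if [ -n "$out" ]; then
        echo "$out"
    else
        echo "version-unknown"
    fi
}

# Usage: sh audit.sh /path/to/unpacked/source
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
fi
```

A "listed" line only says the source carries an affected copy; whether ltdl.c is compiled into a binary package still has to be confirmed from the build.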
--- Begin Message ---
Source: hercules
Source-Version: 3.07-1

We believe that the bug you reported is fixed in the latest version of
hercules, which is due to be installed in the Debian FTP archive:

hercules_3.07-1.diff.gz
  to main/h/hercules/hercules_3.07-1.diff.gz
hercules_3.07-1.dsc
  to main/h/hercules/hercules_3.07-1.dsc
hercules_3.07-1_i386.deb
  to main/h/hercules/hercules_3.07-1_i386.deb
hercules_3.07.orig.tar.gz
  to main/h/hercules/hercules_3.07.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter 'p2' De Schrijver <p...@debian.org> (supplier of updated hercules package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 23 Mar 2010 20:24:26 +0200
Source: hercules
Binary: hercules
Architecture: source i386
Version: 3.07-1
Distribution: unstable
Urgency: low
Maintainer: Peter De Schrijver (p2) <p...@debian.org>
Changed-By: Peter 'p2' De Schrijver <p...@debian.org>
Description: 
 hercules   - System/370, ESA/390 and z/Architecture Emulator
Closes: 542143 557162 559815 569913 573355 573355
Changes: 
 hercules (3.07-1) unstable; urgency=low
 .
   * New upstream release (Closes: #573355)
   * Integrated multiple fixes from Simon McVittie (Closes: #557162)
   * Added dasdinit manpage (Closes: #542143)
   * Updated package description (Closes: #569913)
   * Updated README.Debian. Thanks to Frans Pop. (Closes: #573355)
   * Integrated fix for CVE-2009-3736. Thanks to Thorsten Glaser. (Closes: #559815)
Checksums-Sha1: 
 83274ec803abcc256dbf2f5fff892e84948345e1 1161 hercules_3.07-1.dsc
 d0b2e543dd66ee43576e5a5faff8f4cc061cffb4 2701835 hercules_3.07.orig.tar.gz
 07779ef5efa9cc52a0d7e87efa29cb4568efc951 29764 hercules_3.07-1.diff.gz
 ab6a8ff028d10ce0551e27033cc866fe1a97d8b9 2364100 hercules_3.07-1_i386.deb
Checksums-Sha256: 
 bbb073800140cd9270c9dc7d3bf674a57b4e454166abf801631a9cf870fcb9ea 1161 hercules_3.07-1.dsc
 02d5f6c66d699d413a4db9ef5a799249a6645ac10f2af1edb37992e7fa1f7724 2701835 hercules_3.07.orig.tar.gz
 1cfe5c5cfe2ac839f3b145a721d16166cc2cf7594e7f503b6a0005159030898c 29764 hercules_3.07-1.diff.gz
 78b8b96315850205271f3da74553f0b8a7ba97d68488a2d6c6b6aa00cd56425d 2364100 hercules_3.07-1_i386.deb
Files: 
 cfb110ede92120678ae0e7f8dab15db8 1161 otherosfs extra hercules_3.07-1.dsc
 a12aa1645b0695b25b7fc0c9a3ccab3a 2701835 otherosfs extra hercules_3.07.orig.tar.gz
 c7dca14f38aa4e871f9991eb9a23243c 29764 otherosfs extra hercules_3.07-1.diff.gz
 790b540bd99f982eb5fd1ee4aed8f4aa 2364100 otherosfs extra hercules_3.07-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFLqmlLKLKVw/RurbsRAqdJAJwNrvfvqESagpii1q1HfDuRSpx6QACcCanz
0V5Q4jEja31B7Gh248Jy52U=
=oVyB
-----END PGP SIGNATURE-----



--- End Message ---
