Your message dated Wed, 12 May 2010 17:18:12 +0000
with message-id <e1ocfzu-0006iw...@ries.debian.org>
and subject line Bug#562634: fixed in serendipity 1.5.3-1
has caused the Debian Bug report #562634,
regarding CVE-2009-4412: Unrestricted file upload vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
562634: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562634
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: serendipity
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for serendipity.

CVE-2009-4412[0]:
| Unrestricted file upload vulnerability in Serendipity before 1.5
| allows remote authenticated users to execute arbitrary code by
| uploading a file with an executable extension followed by a safe
| extension, then accessing it via a direct request to the file in an
| unspecified directory.  NOTE: some of these details are obtained from
| third party information.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4412
    http://security-tracker.debian.org/tracker/CVE-2009-4412


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAks2SYUACgkQNxpp46476apbogCgm2nZ1XC8ZWR33+IMvDLzOZkp
YgMAoIrXz9al95UzHpPuRUHsU58rbIFO
=HVHB
-----END PGP SIGNATURE-----



--- End Message ---
--- Begin Message ---
Source: serendipity
Source-Version: 1.5.3-1

We believe that the bug you reported is fixed in the latest version of
serendipity, which is due to be installed in the Debian FTP archive:

serendipity_1.5.3-1.debian.tar.gz
  to main/s/serendipity/serendipity_1.5.3-1.debian.tar.gz
serendipity_1.5.3-1.dsc
  to main/s/serendipity/serendipity_1.5.3-1.dsc
serendipity_1.5.3-1_all.deb
  to main/s/serendipity/serendipity_1.5.3-1_all.deb
serendipity_1.5.3.orig.tar.gz
  to main/s/serendipity/serendipity_1.5.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 562...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jean-Marc Roth <jmr...@iip.lu> (supplier of updated serendipity package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 10 May 2010 15:58:25 +0200
Source: serendipity
Binary: serendipity
Architecture: source all
Version: 1.5.3-1
Distribution: unstable
Urgency: medium
Maintainer: Jean-Marc Roth <jmr...@iip.lu>
Changed-By: Jean-Marc Roth <jmr...@iip.lu>
Description: 
 serendipity - Weblog manager with extensive theming and plugin support
Closes: 519713 541740 557746 562634 579144
Changes: 
 serendipity (1.5.3-1) unstable; urgency=medium
 .
   * New upstream release.
     + Unrestricted file upload vulnerability in s9y before 1.5
     (CVE-2009-4412, Closes: #562634)
     + Use debian libjs-yui instead of bundled lib.
     (CVE-2007-2385, Closes: #557746)
     + Addresses XSS problem. (CVE-2008-1385)
   * Fix postgres errors (Closes: #519713)
   * Linking to debian-packaged PEAR libraries. (Closes: #541740)
   * Making package more compatible for (manual) multisite behavior.
     (Closes: #579144)
   * Packaging: debhelper v7.
   * Switch to dpkg-source 3.0 (quilt) format.
   * Fonts already in Debian: now depending on ttf-dejavu-core and
     ttf-aenigma for spamblock fonts.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----



--- End Message ---
