Your message dated Tue, 14 Sep 2010 14:00:05 +0000
with message-id <e1ovw3j-0004u2...@franck.debian.org>
and subject line Bug#593884: fixed in cvsnt 2.5.03.2382-3.3+lenny1
has caused the Debian Bug report #593884,
regarding cvsnt: Bug in branch ACLs may allow a remote attacker to execute arbitrary code
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
593884: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593884
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cvsnt
Version: 2.5.04.3236-1.2
Severity: critical
Tags: security upstream
Justification: root security hole
March Hare Software CVSNT contains a branch name ACL vulnerability or
exposure in the cvs.exe, cvsnt.exe or /usr/bin/cvs file, which may allow a
remote, unauthorised attacker to execute arbitrary code on any installed
operating system.
See: http://march-hare.com/cvspro/vuln.htm
and: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1326
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32 (SMP w/2 CPU cores)
Locale: LANG=de_CH.utf8, LC_CTYPE=de_CH.utf8 (charmap=UTF-8) (ignored: LC_ALL set to de_CH.utf8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cvsnt depends on:
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libcomerr2 1.41.12-2 common error description library
ii libgcc1 1:4.4.4-9 GCC support library
ii libgssapi-krb5-2 1.8.3+dfsg~beta1-1 MIT Kerberos runtime libraries - k
ii libk5crypto3 1.8.3+dfsg~beta1-1 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.8.3+dfsg~beta1-1 MIT Kerberos runtime libraries
ii libltdl7 2.2.6b-2 A system independent dlopen wrappe
ii libpam0g 1.1.1-4 Pluggable Authentication Modules l
ii libpcre3 8.02-1.1 Perl 5 Compatible Regular Expressi
ii libpq5 8.4.4-2 PostgreSQL C client library
ii libsqlite3-0 3.7.0.1-1 SQLite 3 shared library
ii libssl0.9.8 0.9.8o-1 SSL shared libraries
ii libstdc++6 4.4.4-9 The GNU Standard C++ Library v3
ii libxml2 2.7.7.dfsg-4 GNOME XML library
ii unixodbc 2.2.14p2-2 ODBC tools libraries
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages cvsnt recommends:
ii libiodbc2 3.52.6-4 iODBC Driver Manager
cvsnt suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: cvsnt
Source-Version: 2.5.03.2382-3.3+lenny1
We believe that the bug you reported is fixed in the latest version of
cvsnt, which is due to be installed in the Debian FTP archive:
cvsnt_2.5.03.2382-3.3+lenny1.diff.gz
to main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1.diff.gz
cvsnt_2.5.03.2382-3.3+lenny1.dsc
to main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1.dsc
cvsnt_2.5.03.2382-3.3+lenny1_i386.deb
to main/c/cvsnt/cvsnt_2.5.03.2382-3.3+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 593...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastien Delafond <s...@debian.org> (supplier of updated cvsnt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Sun, 12 Sep 2010 10:41:09 +0200
Source: cvsnt
Binary: cvsnt
Architecture: source i386
Version: 2.5.03.2382-3.3+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Andreas Tscharner <a...@vis.ethz.ch>
Changed-By: Sebastien Delafond <s...@debian.org>
Description:
cvsnt - A better CVS
Closes: 593884
Changes:
cvsnt (2.5.03.2382-3.3+lenny1) stable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix branch name ACL vulnerability leading to arbitrary code execution
(Closes: #593884).
CVE-2010-1326
--- End Message ---