Your message dated Sun, 05 Dec 2010 20:47:06 +0000
with message-id <e1pplua-0003oi...@franck.debian.org>
and subject line Bug#605159: fixed in gnumed-client 0.7.10-1
has caused the Debian Bug report #605159,
regarding gnumed-client: Use of PYTHONPATH env var in an insecure way
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
605159: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605159
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnumed-client
Version: 0.8.4-1
Severity: grave
Tags: security
User: debian-pyt...@lists.debian.org
Usertags: pythonpath
Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:
PYTHONPATH=/spam/eggs:$PYTHONPATH
This is wrong, because if PYTHONPATH were originally unset or empty,
current working directory would be added to sys.path.
[1] http://lists.debian.org/debian-python/2010/11/msg00045.html
Your package turns out to have vulnerable scripts in PATH: you can
find a complete log at [2].
[2] http://people.debian.org/~morph/mbf/pythonpath.txt
Some guidelines on how to fix these bugs: in the case given above, you
can use something like
PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)
Also, in cases like
PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH
or
PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py
you shouldn't need to touch PYTHONPATH at all.
Feel free to contact debian-pyt...@lists.debian.org in case you need
help.
--- End Message ---
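The two wrapper-script idioms from the report above, side by side, as an added example (this is not code from the bug report, from the Debian Python team or from the gnumed-client package). It takes the "inherited" PYTHONPATH as a function argument instead of reading the real environment, so the unset/empty case can be reproduced deterministically; /spam/eggs is the placeholder directory from the report, /home/user/lib is a constructed sample value, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: compare the vulnerable and the fixed PYTHONPATH idiom.
# $1 plays the role of the PYTHONPATH the wrapper script inherits.

# Vulnerable idiom from the report:  PYTHONPATH=/spam/eggs:$PYTHONPATH
# With an unset or empty inherited value this yields "/spam/eggs:", i.e.
# a trailing empty component.
insecure_wrapper_path() {
    inherited=$1
    printf '%s' "/spam/eggs:$inherited"
}

# Fixed idiom from the report:  PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
# ${var:+word} ("Use Alternative Value" in the sh/dash/bash manpage) expands
# to "word" only when var is set and non-empty, so the colon is only emitted
# when there is something to append.
secure_wrapper_path() {
    inherited=$1
    printf '%s' "/spam/eggs${inherited:+:$inherited}"
}

# Returns 0 (true) when a colon-separated PYTHONPATH value contains an empty
# component: a leading colon, a trailing colon or "::". Python maps an empty
# sys.path entry to the current working directory, so a module dropped into
# the cwd of the user running the wrapper would shadow the real one.
# (A completely empty string is out of scope here; the wrappers never
# produce one.)
has_empty_component() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit helper: print the value a wrapper would export and a verdict.
check_wrapper() {
    label=$1
    value=$2
    if has_empty_component "$value"; then
        printf '%-9s %-30s UNSAFE: empty component puts cwd on sys.path\n' "$label" "$value"
    else
        printf '%-9s %-30s ok\n' "$label" "$value"
    fi
}

# Demonstration: PYTHONPATH unset/empty (the case in the report), then set.
check_wrapper insecure "$(insecure_wrapper_path "")"
check_wrapper secure   "$(secure_wrapper_path "")"
check_wrapper insecure "$(insecure_wrapper_path /home/user/lib)"
check_wrapper secure   "$(secure_wrapper_path /home/user/lib)"
```

The same `case` test can be pointed at the PYTHONPATH a wrapper actually exports (for example by running it under `sh -x`) to confirm that a fixed package no longer emits a leading or trailing colon when the variable is unset.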
--- Begin Message ---
Source: gnumed-client
Source-Version: 0.7.10-1
We believe that the bug you reported is fixed in the latest version of
gnumed-client, which is due to be installed in the Debian FTP archive:
gnumed-client-de_0.7.10-1_all.deb
to main/g/gnumed-client/gnumed-client-de_0.7.10-1_all.deb
gnumed-client_0.7.10-1.debian.tar.gz
to main/g/gnumed-client/gnumed-client_0.7.10-1.debian.tar.gz
gnumed-client_0.7.10-1.dsc
to main/g/gnumed-client/gnumed-client_0.7.10-1.dsc
gnumed-client_0.7.10-1_all.deb
to main/g/gnumed-client/gnumed-client_0.7.10-1_all.deb
gnumed-client_0.7.10.orig.tar.gz
to main/g/gnumed-client/gnumed-client_0.7.10.orig.tar.gz
gnumed-common_0.7.10-1_all.deb
to main/g/gnumed-client/gnumed-common_0.7.10-1_all.deb
gnumed-doc_0.7.10-1_all.deb
to main/g/gnumed-client/gnumed-doc_0.7.10-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 605...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Tille <ti...@debian.org> (supplier of updated gnumed-client package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 05 Dec 2010 20:42:46 +0100
Source: gnumed-client
Binary: gnumed-client gnumed-client-de gnumed-common gnumed-doc
Architecture: source all
Version: 0.7.10-1
Distribution: testing-proposed-updates
Urgency: low
Maintainer: Debian Med Packaging Team <debian-med-packag...@lists.alioth.debian.org>
Changed-By: Andreas Tille <ti...@debian.org>
Description:
gnumed-client - medical practice management - Client
gnumed-client-de - medical practice management - Client for German users
gnumed-common - medical practice management - common files
gnumed-doc - medical practice management - Documentation
Closes: 605159
Changes:
gnumed-client (0.7.10-1) testing-proposed-updates; urgency=low
.
* New upstream release.
Closes: #605159
Checksums-Sha1:
cb41c3fc631300834119f016538c4157fea96be1 1473 gnumed-client_0.7.10-1.dsc
53584c6cedc086e40d03e26958d9dfbfd297be3d 9943401 gnumed-client_0.7.10.orig.tar.gz
d0766a139c3ab96441e24ef6c0d72a4599e397b2 18473 gnumed-client_0.7.10-1.debian.tar.gz
f41366b2e492e5570eebddbefe99c7dade1546f4 790258 gnumed-client_0.7.10-1_all.deb
bcd5304f13f669991bd4b2f7957fe41e3d0a242b 14048 gnumed-client-de_0.7.10-1_all.deb
fdba47ea18559e27e130d49e2af93fe9db1b65dd 134108 gnumed-common_0.7.10-1_all.deb
8908a2c9d01f1555727ad6d8ab4318bbc6f26f76 84576 gnumed-doc_0.7.10-1_all.deb
Checksums-Sha256:
c759eaad243a198c547595c4cc9273179dc74ca96ff7471a65785d7c224d8b79 1473 gnumed-client_0.7.10-1.dsc
cc5270357256cbeebec2b682ddf51535614b2218da1d1534a87eb391567d4d1d 9943401 gnumed-client_0.7.10.orig.tar.gz
0f1c70a3f20a617f09cc6ab5d8588c0573d2aba20cffeb6e56638b195817d028 18473 gnumed-client_0.7.10-1.debian.tar.gz
709ce0759a01a11c7a3dad97972cec9e4ba2635964d5429b03a27cbc2ac904ec 790258 gnumed-client_0.7.10-1_all.deb
89923671bdc23ef63cf7d75075d4b9ef2fa687362147ad906bf3898517727744 14048 gnumed-client-de_0.7.10-1_all.deb
9b014599983fb393ed33371defe52b930abb9a3a4b5b35c4155f1807e900fe77 134108 gnumed-common_0.7.10-1_all.deb
4caf6c0398c865922c6238597082a17100271a351eed11cbd6fab869bec8f719 84576 gnumed-doc_0.7.10-1_all.deb
Files:
a808778084296aafe588f9d099974fec 1473 misc optional gnumed-client_0.7.10-1.dsc
e5d3346d9ec0244223e11830433ef32d 9943401 misc optional gnumed-client_0.7.10.orig.tar.gz
1685949bc1b20ab1cb987a9c7d42c773 18473 misc optional gnumed-client_0.7.10-1.debian.tar.gz
8bec9fe06e8647f18f6baa264497d039 790258 misc optional gnumed-client_0.7.10-1_all.deb
0e1512d43e8945fd777826ae521684b7 14048 misc optional gnumed-client-de_0.7.10-1_all.deb
fe0889a88bdd5e22f322182d9e1ba1bd 134108 misc optional gnumed-common_0.7.10-1_all.deb
92d8d67fc5b7ebe8cf662f15e5308abd 84576 doc optional gnumed-doc_0.7.10-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkz777AACgkQYDBbMcCf01o5ngCdGJHs1VVKo3D0+AM5L2+5ufEw
ta0AoI1b7FvazY+oaW7iu648wljDEm9z
=Mr6Y
-----END PGP SIGNATURE-----
--- End Message ---