Your message dated Fri, 10 Dec 2010 19:47:08 +0000
with message-id <e1pr8vs-0001dj...@franck.debian.org>
and subject line Bug#605166: fixed in calendarserver 2.4.dfsg-2.1
has caused the Debian Bug report #605166,
regarding calendarserver: Use of PYTHONPATH env var in an insecure way
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
605166: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605166
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: calendarserver
Version: 2.4.dfsg-2
Severity: grave
Tags: security
User: debian-pyt...@lists.debian.org
Usertags: pythonpath
Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:
PYTHONPATH=/spam/eggs:$PYTHONPATH
This is wrong, because if PYTHONPATH were originally unset or empty,
current working directory would be added to sys.path.
[1] http://lists.debian.org/debian-python/2010/11/msg00045.html
Your package turns out to have vulnerable scripts in PATH: you can
find a complete log at [2].
[2] http://people.debian.org/~morph/mbf/pythonpath.txt
Some guidelines on how to fix these bugs: in the case given above, you
can use something like
PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)
Also, in cases like
PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH
or
PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py
you shouldn't need to touch PYTHONPATH at all.
Feel free to contact debian-pyt...@lists.debian.org in case you need
help.
--- End Message ---
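The two idioms from the report, side by side, as an added POSIX sh example (this is not code from the bug report, from Jakub Wilk's analysis, or from the calendarserver package). /spam/eggs is the report's placeholder directory; each function takes the pre-existing PYTHONPATH value as its first argument so both the "unset" and "already set" cases can be exercised without touching the real environment. The pythonpath_is_clean audit helper and the demo_sys_path routine are my own additions; the demo assumes a python3 or python interpreter is on PATH and skips itself otherwise.

```shell
#!/bin/sh
# Added example (not from the bug report or the calendarserver package):
# the two PYTHONPATH idioms from the report, side by side.
# /spam/eggs is the report's placeholder directory. Each function takes the
# pre-existing PYTHONPATH value as $1 so both cases can be exercised without
# modifying the real environment.

# Insecure idiom: PYTHONPATH=/spam/eggs:$PYTHONPATH
# With PYTHONPATH unset or empty the result ends in ":", i.e. an empty
# element, which Python treats as the current working directory.
insecure_pythonpath() {
    printf '%s' "/spam/eggs:$1"
}

# Safe idiom: PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
# ${VAR:+word} ("Use Alternative Value") expands to word only when VAR is set
# and non-empty, so the ":" separator appears only when there is a second part.
safe_pythonpath() {
    printf '%s' "/spam/eggs${1:+:$1}"
}

# Audit helper (my addition): returns 0 when a PYTHONPATH value contains no
# empty element (leading ":", trailing ":" or "::"), 1 otherwise. Handy for
# checking the wrapper scripts a package ships in PATH.
pythonpath_is_clean() {
    case "$1" in
        "") return 0 ;;            # unset/empty PYTHONPATH adds nothing
        :*|*:|*::*) return 1 ;;    # an empty element means the cwd
        *) return 0 ;;
    esac
}

# Optional demonstration (my addition): run a throwaway script under both
# values and print what sys.path actually contains. A script file is used
# rather than "python -c" because -c always puts '' first in sys.path, which
# would hide the difference. Skipped when no interpreter is on PATH.
demo_sys_path() {
    py=""
    for candidate in python3 python; do
        if command -v "$candidate" >/dev/null 2>&1; then
            py="$candidate"
            break
        fi
    done
    if [ -z "$py" ]; then
        echo "no python interpreter found, skipping sys.path demo"
        return 0
    fi
    tmp=$(mktemp -d)
    printf 'import sys\nprint(sys.path[:3])\n' > "$tmp/show_path.py"
    echo "insecure: $(PYTHONPATH="$(insecure_pythonpath "")" "$py" "$tmp/show_path.py")"
    echo "safe:     $(PYTHONPATH="$(safe_pythonpath "")" "$py" "$tmp/show_path.py")"
    rm -rf "$tmp"
}

demo_sys_path
```

With PYTHONPATH unset, insecure_pythonpath yields "/spam/eggs:" and safe_pythonpath yields "/spam/eggs"; with PYTHONPATH=/opt/lib both yield "/spam/eggs:/opt/lib", which is why the bug is easy to miss in testing if the developer's own shell happens to have PYTHONPATH set. For the report's second class of cases (prepending a site-packages directory Python already searches, or exec'ing a script from the directory being added, which Python puts in sys.path[0] itself) the right fix is to drop the PYTHONPATH assignment entirely rather than to rewrite it.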
--- Begin Message ---
Source: calendarserver
Source-Version: 2.4.dfsg-2.1
We believe that the bug you reported is fixed in the latest version of
calendarserver, which is due to be installed in the Debian FTP archive:
calendarserver_2.4.dfsg-2.1.diff.gz
to main/c/calendarserver/calendarserver_2.4.dfsg-2.1.diff.gz
calendarserver_2.4.dfsg-2.1.dsc
to main/c/calendarserver/calendarserver_2.4.dfsg-2.1.dsc
calendarserver_2.4.dfsg-2.1_all.deb
to main/c/calendarserver/calendarserver_2.4.dfsg-2.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 605...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dmitrijs Ledkovs <dmitrij.led...@ubuntu.com> (supplier of updated
calendarserver package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 03 Dec 2010 21:28:40 +0000
Source: calendarserver
Binary: calendarserver
Architecture: source all
Version: 2.4.dfsg-2.1
Distribution: unstable
Urgency: high
Maintainer: Rahul Amaram <amaramra...@users.sourceforge.net>
Changed-By: Dmitrijs Ledkovs <dmitrij.led...@ubuntu.com>
Description:
calendarserver - Apple's Calendar Server
Closes: 605157 605166
Changes:
calendarserver (2.4.dfsg-2.1) unstable; urgency=high
.
* Non-maintainer upload.
* Do not set PYTHONPATH env var, not needed (Closes: #605166, #605157)
* Prevent setup.py from automagically setting #PYTHONPATH in an insecure way
Checksums-Sha1:
e1736e684126c2b076742eb31081531624cf8eeb 1796 calendarserver_2.4.dfsg-2.1.dsc
02cdd957876841770f57482d0f78acd962d9b4e8 21682 calendarserver_2.4.dfsg-2.1.diff.gz
4ba401f82606b7fa2982d0d7344fa674a1883393 598726 calendarserver_2.4.dfsg-2.1_all.deb
Checksums-Sha256:
de5745eb09c001159583f1d12b0d9f62357f5ee6652554fc4ee88bfcb5ad0f0a 1796 calendarserver_2.4.dfsg-2.1.dsc
c9b5373cadb7f50d3890464f1c0d3673ef4a0bad620e9d099559795c1e9fafca 21682 calendarserver_2.4.dfsg-2.1.diff.gz
6f52cdb55a03c85d51f55fbcdb75d8dc400daf2bdcc4a6449b66cb0066c9aee8 598726 calendarserver_2.4.dfsg-2.1_all.deb
Files:
25930e4fd56cc38ac601e74c84d210d5 1796 python optional calendarserver_2.4.dfsg-2.1.dsc
73d7e54519a6e8a6d6bc30f27f9ff9e2 21682 python optional calendarserver_2.4.dfsg-2.1.diff.gz
832731a95db472158c85d3e5a620264f 598726 python optional calendarserver_2.4.dfsg-2.1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAEBCAAGBQJNAn6/AAoJEC1Os6YBVHX1HUYP/jZObEQLuOc5sKEXibBgOjVv
wZ1zyVsmD5r+BbPZ+I6xR0hythTUQ2i6W4YzhXD/D3aqj0b7RQVT+TQrYMScJy7e
lXy3hWXCLiNdOk/MDbyQSJYBUPzxYt/2K1AZNxTgjX6tMuDsv1RPdetVSMG+ivkB
79gHFsR0v5JQpI0buCOptxuTlgHB+Bi3jwe2mTa2pDHhuy7HxuB76KHJUuIbDYfs
VJbBPjPwWBDHy4qPEIZjRDlhjcDc6kKPmylZTxsiXPyEAfrO9S5BLIF9CHvsf6T5
B6pAC/W8D++MXcicML69Z3dirgFU6fs9svbRFD8wecoKUBa7yKYhGa1DGGS8HSO/
iUPePsf3YH+avIcSwol5nR3mgpO6bFrlZBtY1PP0QD1WYN4LqK8FiI248gM42xmR
1jweyzxSajJLZvGbGZYiRY3tvgrYGHIoV7OdUFSaMXorM9g0SRcdBzzfEnbhDVSU
VXNgYFbCUYKoP6kqdeJeV9WkuSJhDqYveCJHPJF8+5PjTk9Vm5xagFsFfodzm9Wc
MTFz3X2rXXDszSaMOo7cN74UT03K8w3Pt9rj+wLqNeuDquYqG5hjx3jF/VWVn5af
aujsVtsRBwgbYqSNH09ttogwjM+71RYxwb0fiGPxi+Z4J81dpu2X5xghtUjVLFkA
xvCAoMpTD2IB9yyxb6GC
=Ist2
-----END PGP SIGNATURE-----
--- End Message ---