Your message dated Wed, 04 May 2011 06:20:30 +0000
with message-id <e1qhvrm-0003z4...@franck.debian.org>
and subject line Bug#577057: fixed in libnss-db 2.2.3pre1-3.2
has caused the Debian Bug report #577057,
regarding CVE-2010-0826: allows local users to obtain sensitive information via 
a symlink attack involving a setgid or setuid application that uses this module.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
577057: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577057
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libnss-db
Severity: important
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libnss-db.

CVE-2010-0826[0]:
| The Free Software Foundation (FSF) Berkeley DB NSS module (aka
| libnss-db) 2.2.3pre1 reads the DB_CONFIG file in the current working
| directory, which allows local users to obtain sensitive information
| via a symlink attack involving a setgid or setuid application that
| uses this module.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0826
    http://security-tracker.debian.org/tracker/CVE-2010-0826


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAku+8rIACgkQNxpp46476arazQCdEeT99R+RjheufWMZGPStt86t
5swAniH/EMnFLJN+XkF0irBdpVBtiyEo
=smYk
-----END PGP SIGNATURE-----



--- End Message ---
--- Begin Message ---
Source: libnss-db
Source-Version: 2.2.3pre1-3.2

We believe that the bug you reported is fixed in the latest version of
libnss-db, which is due to be installed in the Debian FTP archive:

libnss-db_2.2.3pre1-3.2.diff.gz
  to main/libn/libnss-db/libnss-db_2.2.3pre1-3.2.diff.gz
libnss-db_2.2.3pre1-3.2.dsc
  to main/libn/libnss-db/libnss-db_2.2.3pre1-3.2.dsc
libnss-db_2.2.3pre1-3.2_amd64.deb
  to main/libn/libnss-db/libnss-db_2.2.3pre1-3.2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 577...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aure...@debian.org> (supplier of updated libnss-db package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 04 May 2011 07:31:48 +0200
Source: libnss-db
Binary: libnss-db
Architecture: source amd64
Version: 2.2.3pre1-3.2
Distribution: unstable
Urgency: medium
Maintainer: Piotr Roszatycki <dex...@debian.org>
Changed-By: Aurelien Jarno <aure...@debian.org>
Description: 
 libnss-db  - NSS module for using Berkeley Databases as a naming service
Closes: 548484 577057
Changes: 
 libnss-db (2.2.3pre1-3.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Build depends on libdb-dev (>> 4.6) instead of libdb4.6-dev.  Closes:
     #548484.
   * Fix security issue which allows to read arbitrary file contents
     (CVE-2010-0826), patch taken from Ubuntu. Closes: #577057.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFNwOnnw3ao2vG823MRAkSiAJ9pftKt6Ut09BQxtBsUp+iUyXdBTgCggHfo
CIuNU4Z4UFo48nA6bKw6Uis=
=L279
-----END PGP SIGNATURE-----



--- End Message ---
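
The CVE description in the first message turns on a library reading DB_CONFIG relative to the current working directory of a setuid or setgid caller. The sketch below is an added example, not the libnss-db patch taken from Ubuntu and not code from this thread: a general hardening pattern for opening a configuration file from privileged code. The names open_trusted_config and demo_check are hypothetical, and the files it touches are constructed in a temporary directory.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns a read-only fd, or -1 if the file must not
 * be trusted. `owner` is the uid allowed to own the file (0 in production). */
int open_trusted_config(const char *path, uid_t owner)
{
    struct stat st;
    if (path == NULL || path[0] != '/')   /* never resolve against the CWD */
        return -1;
    /* O_NOFOLLOW refuses a symlink as the last path component. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK);
    if (fd < 0)
        return -1;
    /* Check the object actually opened, not the name, to avoid a race. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed self-check: 0 means all three cases behaved as intended,
 * -1 means the temporary fixtures could not be created. */
int demo_check(void)
{
    char dir[] = "/tmp/nssdemoXXXXXX", file[64], lnk[64];
    int bad = 0, fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(file, sizeof file, "%s/real.conf", dir);
    snprintf(lnk, sizeof lnk, "%s/DB_CONFIG", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(file, lnk) != 0) return -1;
    close(fd);
    if (open_trusted_config("DB_CONFIG", geteuid()) != -1) bad |= 1; /* relative name */
    if (open_trusted_config(lnk, geteuid()) != -1) bad |= 2;         /* symlink */
    fd = open_trusted_config(file, geteuid());                       /* plain file */
    if (fd < 0) bad |= 4; else close(fd);
    unlink(lnk); unlink(file); rmdir(dir);
    return bad;
}

int main(void) { return demo_check(); }
```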
