Your message dated Thu, 01 Sep 2011 17:17:12 +0000
with message-id <e1qzat6-0003xw...@franck.debian.org>
and subject line Bug#640028: fixed in bcfg2 1.1.2-2
has caused the Debian Bug report #640028,
regarding Unescaped shell command vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
640028: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640028
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: bcfg2-server
Version: 1.1.2-1
Severity: critical
Tags: security pending patch

All released stable versions of the bcfg2-server contain several cases
where data from the client is used in a shell command without properly
escaping it first. The 1.2 prerelease series has been fixed.

At least the SSHbase plugin has been confirmed as being exploitable.
This is a remote root hole, which requires that the SSHbase plugin is
enabled and that the attacker has control of a bcfg2 client machine.

See
https://github.com/solj/bcfg2/commit/f4a35efec1b6a1e54d61cf1b8bfc83dd1d89eef7
for the original security fix, and
https://github.com/solj/bcfg2/commit/46795ae451ca6ede55a0edeb726978aef4684b53
for the backport to the 1.1 series.

-- 
Arto Jantunen



--- End Message ---
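The bug class named above, as an added illustration that is not part of the bug report and not bcfg2's actual SSHbase code: it assumes a hypothetical server-side step that runs ssh-keygen with a hostname supplied by the client, and shows the string-interpolated shell command beside the hardened argv form.

```python
"""Illustrative example of the bug class in #640028: client-controlled data
placed into a shell command without escaping.  Hypothetical code, not the
bcfg2 SSHbase plugin; it assumes a step that runs ssh-keygen with a
client-supplied hostname as the key comment."""
import re
import shlex
import subprocess

# Constructed sample input.  A well-formed hostname never contains shell
# metacharacters; the second value is what an unvalidated client could send.
GOOD_HOST = "web01.example.net"
BAD_HOST = "web01.example.net; echo injected"

# RFC 1123 hostname shape: dot-separated labels of letters, digits, hyphens,
# no leading or trailing hyphen, each label at most 63 characters.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def accepts_hostname(hostname):
    """Allow-list check applied before any use of client data."""
    return bool(_HOSTNAME_RE.match(hostname))


def vulnerable_command(hostname, keyfile):
    """The unsafe pattern: interpolate client data into one shell string.
    Returned instead of executed so it can be inspected offline."""
    return "ssh-keygen -q -t rsa -N '' -f %s -C root@%s" % (keyfile, hostname)


def shell_would_split(cmd):
    """Approximate, with shlex, how many commands /bin/sh would see in cmd:
    a ';' from the hostname turns one command into two."""
    return [shlex.split(part) for part in cmd.split(";")]


def hardened_argv(hostname, keyfile):
    """The fixed pattern: validate, then build an argv list.  Passed to
    subprocess with shell=False, every element is one argument and no
    metacharacter is ever parsed."""
    if not accepts_hostname(hostname):
        raise ValueError("invalid hostname from client: %r" % hostname)
    return ["ssh-keygen", "-q", "-t", "rsa", "-N", "", "-f", keyfile,
            "-C", "root@" + hostname]


def run_hardened(hostname, keyfile):
    """Execute the hardened form (requires ssh-keygen on the host)."""
    return subprocess.run(hardened_argv(hostname, keyfile),
                          shell=False, check=True)
```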
--- Begin Message ---
Source: bcfg2
Source-Version: 1.1.2-2

We believe that the bug you reported is fixed in the latest version of
bcfg2, which is due to be installed in the Debian FTP archive:

bcfg2-server_1.1.2-2_all.deb
  to main/b/bcfg2/bcfg2-server_1.1.2-2_all.deb
bcfg2_1.1.2-2.debian.tar.gz
  to main/b/bcfg2/bcfg2_1.1.2-2.debian.tar.gz
bcfg2_1.1.2-2.dsc
  to main/b/bcfg2/bcfg2_1.1.2-2.dsc
bcfg2_1.1.2-2_all.deb
  to main/b/bcfg2/bcfg2_1.1.2-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 640...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arto Jantunen <vi...@debian.org> (supplier of updated bcfg2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Thu, 01 Sep 2011 18:38:51 +0300
Source: bcfg2
Binary: bcfg2 bcfg2-server
Architecture: source all
Version: 1.1.2-2
Distribution: unstable
Urgency: high
Maintainer: Arto Jantunen <vi...@debian.org>
Changed-By: Arto Jantunen <vi...@debian.org>
Description: 
 bcfg2      - Configuration management client
 bcfg2-server - Configuration management server
Closes: 634875 638826 640028
Changes: 
 bcfg2 (1.1.2-2) unstable; urgency=high
 .
   * Urgency=high due to security fix
   * Apply patch from Torsten Rehn to honor BCFG2_SERVER_OPTIONS in the
     server init script (Closes: #634875)
   * Remove deprecated Breaks: ${python:Breaks}
   * Add dependency on patch to bcfg2-server, the Cfg plugin needs it
     (Closes: #638826)
   * Build-Depend on python-all instead of just python
   * Refresh patches to match what current gbp-pq generates
   * Apply patch from Chris St. Pierre to fix security issues caused by
     unescaped shell commands (Closes: #640028)




--- End Message ---
