Your message dated Tue, 14 Feb 2012 18:02:34 +0000
with message-id <e1rxmi2-0002iy...@franck.debian.org>
and subject line Bug#659379: fixed in uzbl 0.0.0~git.20111128-2
has caused the Debian Bug report #659379,
regarding uzbl: world-readable (and writable!) cookie jar
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
659379: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659379
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: uzbl
Version: 0.0.0~git.20100403-3
Severity: grave
Tags: security
Justification: user security hole

$ ls -ld ~/.local/{,share/{,uzbl/{,cookies.txt}}}
drwxr-xr-x 3 user users 4096 Feb  9 23:29 /home/user/.local/
drwxr-xr-x 4 user users 4096 Feb  9 23:29 /home/user/.local/share/
drwxr-xr-x 2 user users 4096 Feb  9 23:29 /home/user/.local/share/uzbl/
-rw-rw-rw- 1 user users  732 Feb  9 23:29 /home/user/.local/share/uzbl/cookies.txt

This allows local users to steal cookies (and tamper with them).

--
Jakub Wilk



--- End Message ---
--- Begin Message ---
Source: uzbl
Source-Version: 0.0.0~git.20111128-2

We believe that the bug you reported is fixed in the latest version of
uzbl, which is due to be installed in the Debian FTP archive:

uzbl_0.0.0~git.20111128-2.diff.gz
  to main/u/uzbl/uzbl_0.0.0~git.20111128-2.diff.gz
uzbl_0.0.0~git.20111128-2.dsc
  to main/u/uzbl/uzbl_0.0.0~git.20111128-2.dsc
uzbl_0.0.0~git.20111128-2_amd64.deb
  to main/u/uzbl/uzbl_0.0.0~git.20111128-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luca Bruno <lu...@debian.org> (supplier of updated uzbl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 14 Feb 2012 18:14:55 +0100
Source: uzbl
Binary: uzbl
Architecture: source amd64
Version: 0.0.0~git.20111128-2
Distribution: unstable
Urgency: high
Maintainer: Luca Bruno <lu...@debian.org>
Changed-By: Luca Bruno <lu...@debian.org>
Description: 
 uzbl       - Lightweight Webkit browser following the UNIX philosophy
Closes: 659379
Changes: 
 uzbl (0.0.0~git.20111128-2) unstable; urgency=high
 .
   * Security fix for CVE-2012-0843
     + Restrict third-party access to cookie jar (Closes: #659379)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk86nhoACgkQRqobajv7n7P1pQCaA9Jv3CmjJbJsaMNfNYSvPqC0
9GIAoK8h6RTnXvpIVLWiZSsIy/+IUVe/
=0LAX
-----END PGP SIGNATURE-----



--- End Message ---
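
A check for the condition shown in the report's `ls` output, plus a way to create the jar without ever exposing it, as an added example: this is not uzbl's or Debian's code and not the actual CVE-2012-0843 patch. The function names are hypothetical; the default path is the one from the report.

```shell
#!/bin/sh
# Added example: audit and tighten a cookie jar's mode. Function names are
# hypothetical; the default path is the one shown in the report.
JAR_DEFAULT="$HOME/.local/share/uzbl/cookies.txt"

# Octal permission bits of a path (GNU stat first, then BSD stat).
jar_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Exit 0 if group or other hold any permission bit on the file, 1 if only
# the owner does, 2 if the file cannot be examined.
jar_is_exposed() {
    m=$(jar_mode "$1") || return 2
    [ $(( 0$m & 077 )) -ne 0 ]
}

# One line per problem: readable means cookie theft, writable means tampering.
jar_findings() {
    m=$(jar_mode "$1") || { echo "cannot stat $1"; return 2; }
    [ $(( 0$m & 044 )) -ne 0 ] && echo "$1: mode $m readable by group/other"
    [ $(( 0$m & 022 )) -ne 0 ] && echo "$1: mode $m writable by group/other"
    return 0
}

# Create the jar so it never exists with loose bits: the umask is set in a
# subshell before the file is opened, then the mode is pinned to 0600 in
# case the file already existed.
jar_create_private() {
    ( umask 077 && mkdir -p "$(dirname "$1")" && : >> "$1" && chmod 600 "$1" )
}

# Run the audit only when called as: script audit [path]
if [ "${1:-}" = "audit" ]; then
    jar_findings "${2:-$JAR_DEFAULT}"
fi
```

Cookies that were readable before the mode was tightened should be treated as disclosed, since changing the mode does not invalidate sessions that were already copied.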
