Your message dated Sat, 22 Feb 2014 12:18:45 +0000
with message-id <e1whbxz-00045a...@franck.debian.org>
and subject line Bug#738509: fixed in python-gnupg 0.3.6-1
has caused the Debian Bug report #738509,
regarding python-gnupg: CVE-2013-7323 CVE-2014-1927 CVE-2014-1928 CVE-2014-1929
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
738509: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738509
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-gnupg
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerabilities were published for python-gnupg.

CVE-2013-7323[0]:
Unrestricted use of unquoted strings in a shell

CVE-2014-1927[1]:
Erroneous assumptions about the usability of " characters

CVE-2014-1928[2]:
Erroneous insertion of a \ character

allowing shell injection in python-gnupg.

Please see the thread on oss-security for more details on each of
these issues[3]. Note I have not (yet) checked which of the three CVEs
still apply to the 0.3.5 version.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7323
    http://security-tracker.debian.org/tracker/CVE-2013-7323
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1927
    http://security-tracker.debian.org/tracker/CVE-2014-1927
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1928
    http://security-tracker.debian.org/tracker/CVE-2014-1928
[3] http://www.openwall.com/lists/oss-security/2014/02/09/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
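
The three issue classes named in the report above, as an added example that is not part of the original message and is not python-gnupg's code: a round-trip check showing that a value passed through a shell unquoted or inside double quotes does not come back unchanged, while `shlex.quote` or an argument list with no shell preserves it. The helper `naive_double_quote` and the probe strings are constructed for illustration; a POSIX `sh` and `printf` are assumed.

```python
import shlex
import subprocess

# Constructed, harmless probes: the marker INJECTED shows up in the output only
# if the shell interprets part of the value instead of treating it as data.
PROBES = [
    "alice$(printf INJECTED)",        # command substitution is live inside "..."
    "alice`printf INJECTED`",         # so are backticks
    'alice\\"; printf INJECTED #',    # a \ before " defeats a naive \" escape
]

def naive_double_quote(value):
    # Hypothetical helper (not python-gnupg code): wraps the value in "..."
    # and inserts a backslash before embedded double quotes only.
    return '"' + value.replace('"', '\\"') + '"'

def via_shell(quote, value):
    """Send value as one argument through /bin/sh, quoted by `quote`."""
    cmd = "printf %s " + quote(value)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def via_argv(value):
    """Send value as one argv element; no shell parses it."""
    cmd = ["printf", "%s", value]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

SENDERS = {
    "unquoted string in a shell": lambda v: via_shell(str, v),
    "naive double quotes": lambda v: via_shell(naive_double_quote, v),
    "shlex.quote": lambda v: via_shell(shlex.quote, v),
    "argv list, no shell": via_argv,
}

def audit():
    """Map each sender to the probes that did not come back byte-for-byte."""
    return {name: [p for p in PROBES if send(p) != p]
            for name, send in SENDERS.items()}

if __name__ == "__main__":
    for name, failed in audit().items():
        print(f"{name}: {len(failed)} of {len(PROBES)} probes altered")
```

The same round-trip assertion works as a regression test for any code path that hands externally supplied strings to a subprocess.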
--- Begin Message ---
Source: python-gnupg
Source-Version: 0.3.6-1

We believe that the bug you reported is fixed in the latest version of
python-gnupg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 738...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Elena Grandi <elena.valha...@gmail.com> (supplier of updated python-gnupg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 06 Feb 2014 09:52:10 +0100
Source: python-gnupg
Binary: python-gnupg python3-gnupg
Architecture: source all
Version: 0.3.6-1
Distribution: unstable
Urgency: high
Maintainer: Elena Grandi <elena.valha...@gmail.com>
Changed-By: Elena Grandi <elena.valha...@gmail.com>
Description: 
 python-gnupg - Python wrapper for the Gnu Privacy Guard (Python 2.x)
 python3-gnupg - Python wrapper for the Gnu Privacy Guard (Python 3.x)
Closes: 736496 738509
Changes: 
 python-gnupg (0.3.6-1) unstable; urgency=high
 .
   * New upstream release. Closes: #738509, #736496.
   * CVE-2014-1928 (Erroneous insertion of a \ character) fixed upstream
   * CVE-2014-1927 (Erroneous assumptions about the usability of " characters)
     fixed upstream
   * CVE-2013-7323 (Unrestricted use of unquoted strings in a shell)
     fixed upstream
   * Updated watch file for new download source (pypi).
   * Updated standard versions to 3.9.5 (no change needed).
   * Removed use_quick_random_for_gnupg_1.patch (applied upstream).
   * Updated project homepage

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlMIlCgACgkQNFDtUT/MKpB6VgCg4yf2kpyj/gY7/0mcET9V0BxF
aFEAoOZPrW+1cUhHPUvsFr1p5yq0YFlv
=7pWO
-----END PGP SIGNATURE-----

--- End Message ---
