Your message dated Fri, 13 Mar 2015 15:48:56 +0000
with message-id <e1ywrpy-0005ql...@franck.debian.org>
and subject line Bug#780410: fixed in osc 0.149.0-2
has caused the Debian Bug report #780410,
regarding osc: CVE-2015-0778: osc _service file shell injection flaw
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
780410: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780410
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: osc
Version: 0.134.1-1
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for osc. Note that I have
chosen severity grave since it allows client-side arbitrary command
execution via a crafted service file, but I don't know osc well
enough, so please adjust severity if you disagree.

CVE-2015-0778[0]:
shell command injection via crafted _service files

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-0778
[1] https://bugzilla.novell.com/show_bug.cgi?id=901643
[2] https://bugzilla.novell.com/attachment.cgi?id=626334

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
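As an added illustration of the bug class named in the report above (shell command injection via a crafted `_service` file), here is a constructed example that is not osc's code and not the upstream fix: it parses a small `_service` document, contrasts a command line built as a shell string with an argv list, and rejects service names outside a strict whitelist. The service directory path, the name pattern and the XML content are assumptions chosen for the illustration.

```python
"""Constructed illustration of the _service shell-injection class.

Not osc's code and not the upstream fix: it shows why a service invocation
built as a shell string from file contents is unsafe, and how an argv list
plus a service-name whitelist removes the shell from the picture.
"""
import re
import xml.etree.ElementTree as ET

SERVICE_DIR = "/usr/lib/obs/service"          # assumption: conventional location
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")    # assumption: names are plain tokens

# Constructed _service file; the second service name carries shell metacharacters.
SERVICE_XML = """<services>
  <service name="download_files">
    <param name="recompress">yes</param>
  </service>
  <service name="tar_scm; echo injected">
    <param name="url">https://example.invalid/repo.git</param>
  </service>
</services>"""


def parse_services(xml_text):
    """Return [(service_name, [(param_name, value), ...]), ...]."""
    root = ET.fromstring(xml_text)
    return [(s.get("name", ""),
             [(p.get("name", ""), p.text or "") for p in s.findall("param")])
            for s in root.findall("service")]


def unsafe_command_line(name, params, outdir):
    """String concatenation destined for shell=True: any metacharacter in the
    file becomes shell syntax. Kept only to contrast with build_argv."""
    cmd = f"{SERVICE_DIR}/{name} --outdir {outdir}"
    for key, value in params:
        cmd += f" --{key} {value}"
    return cmd


def build_argv(name, params, outdir):
    """Argument list for subprocess.run(argv) (shell=False): no shell parses
    the values, and the service name must match the whitelist first."""
    if not SAFE_NAME.match(name):
        raise ValueError(f"rejected service name: {name!r}")
    argv = [f"{SERVICE_DIR}/{name}", "--outdir", outdir]
    for key, value in params:
        argv += [f"--{key}", value]
    return argv
```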
--- Begin Message ---
Source: osc
Source-Version: 0.149.0-2

We believe that the bug you reported is fixed in the latest version of
osc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 780...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michal Čihař <ni...@debian.org> (supplier of updated osc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Fri, 13 Mar 2015 16:32:15 +0100
Source: osc
Binary: osc
Architecture: source all
Version: 0.149.0-2
Distribution: unstable
Urgency: high
Maintainer: Michal Čihař <ni...@debian.org>
Changed-By: Michal Čihař <ni...@debian.org>
Description:
 osc        - OpenSUSE (buildsystem) commander
Closes: 769547 780410
Changes:
 osc (0.149.0-2) unstable; urgency=high
 .
   * Change default build-cmd to obs-build (Closes: #769547).
   * Recommend obs-build.
   * Fix shell injection (Closes: #780410, CVE-2015-0778).


--- End Message ---