Your message dated Tue, 17 Mar 2015 22:18:15 +0000
with message-id <e1yxzov-0002m9...@franck.debian.org>
and subject line Bug#780410: fixed in osc 0.134.1-2+deb7u1
has caused the Debian Bug report #780410,
regarding osc: CVE-2015-0778: osc _service file shell injection flaw
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
780410: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780410
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: osc
Version: 0.134.1-1
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for osc. Note that I have
chosen severity grave since it allows client side arbitrary command
execution via a crafted service file, but I don't know osc well
enough, so please adjust severity if you disagree.
CVE-2015-0778[0]:
shell command injection via crafted _service files
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-0778
[1] https://bugzilla.novell.com/show_bug.cgi?id=901643
[2] https://bugzilla.novell.com/attachment.cgi?id=626334
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: osc
Source-Version: 0.134.1-2+deb7u1
We believe that the bug you reported is fixed in the latest version of
osc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 780...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michal Čihař <ni...@debian.org> (supplier of updated osc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 17 Mar 2015 09:19:04 +0100
Source: osc
Binary: osc
Architecture: source all
Version: 0.134.1-2+deb7u1
Distribution: stable
Urgency: high
Maintainer: Michal Čihař <ni...@debian.org>
Changed-By: Michal Čihař <ni...@debian.org>
Description:
osc - OpenSUSE (buildsystem) commander
Closes: 780410
Changes:
osc (0.134.1-2+deb7u1) stable; urgency=high
.
* Fix shell injection (Closes: #780410, CVE-2015-0778).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---