Your message dated Tue, 10 Jan 2006 19:31:28 +0100 with message-id <[EMAIL PROTECTED]> and subject line Bug#347298: Security concern in notify script CVE-2005-3539 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Ernst Oudhof <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: hylafax-server: Security concern in notify script CVE-2005-3539
Date: Mon, 09 Jan 2006 23:33:45 +0100
Message-Id: <[EMAIL PROTECTED]>

Package: hylafax-server
Version: 1:4.2.1-5sarge1
Severity: grave
Tags: security
Justification: user security hole

Hi,

An eval injection vulnerability was found in Hylafax 4.2.0 to 4.2.3 which allows a remote attacker to execute arbitrary commands.
This issue is described in candidate CVE-2005-3539
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3539

As Debian stable is using 4.2.1 it is not vulnerable to the issue in the faxrcvd script.

Regards,
Ernst Oudhof

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages hylafax-server depends on:
ii  debconf         1.4.30.13                Debian configuration management sy
ii  gawk [awk]      1:3.1.4-2                GNU awk, a pattern scanning and pr
ii  gs              8.01-5                   Transitional package
ii  gs-gpl [gs]     8.01-5                   The GPL Ghostscript PostScript int
ii  hylafax-client  1:4.2.1-5sarge1          Flexible client/server fax softwar
ii  libc6           2.3.2.ds1-22             GNU C Library: Shared libraries an
ii  libgcc1         1:3.4.3-13               GCC support library
ii  libpam0g        0.76-22                  Pluggable Authentication Modules l
ii  libstdc++5      1:3.3.5-13               The GNU Standard C++ Library v3
ii  libtiff-tools   3.7.2-3                  TIFF manipulation and conversion t
ii  libtiff4        3.7.2-3                  Tag Image File Format (TIFF) libra
ii  mailx           1:8.1.2-0.20040524cvs-4  A simple mail user agent
ii  mawk [awk]      1.3.3-11                 a pattern scanning and text proces
ii  mime-codecs     7.19-4                   Fast Quoted-Printable and BASE64 M
ii  psmisc          21.5-1                   Utilities that use the proc filesy
ii  sed             4.1.2-8                  The GNU sed stream editor
ii  zlib1g          1:1.2.2-4.sarge.2        compression library - runtime

-- debconf information excluded

---------------------------------------
From: Giuseppe Sacco <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Bug#347298: Security concern in notify script CVE-2005-3539
Date: Tue, 10 Jan 2006 19:31:28 +0100
Message-ID: <[EMAIL PROTECTED]>

Package: hylafax-server
Version: 1:4.2.1-5sarge3

Hi Ernst,
thanks for your report and your patch. A new hylafax version was already prepared with the Debian Security Team. This new package version was released yesterday. I am closing this bug report since the problem has already been fixed.

Bye,
Giuseppe