Your message dated Sat, 12 Aug 2017 21:19:02 +0000
with message-id <e1dgdoe-000gyd...@fasolo.debian.org>
and subject line Bug#871810: fixed in cvs 2:1.12.13+real-24
has caused the Debian Bug report #871810,
regarding cvs: CVE-2017-12836: CVS and ssh command injection
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
871810: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cvs
Version: 2:1.12.13+real-9
Severity: grave
Tags: upstream security
Justification: user security hole
Hi,

the following vulnerability was published for cvs.

CVE-2017-12836[0]:
CVS and ssh command injection

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-12836
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12836
[1] http://www.openwall.com/lists/oss-security/2017/08/11/1

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: cvs
Source-Version: 2:1.12.13+real-24
We believe that the bug you reported is fixed in the latest version of
cvs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 871...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <t...@mirbsd.de> (supplier of updated cvs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384
Format: 1.8
Date: Sat, 12 Aug 2017 22:18:41 +0200
Source: cvs
Binary: cvs
Architecture: source
Version: 2:1.12.13+real-24
Distribution: unstable
Urgency: high
Maintainer: Thorsten Glaser <t...@mirbsd.de>
Changed-By: Thorsten Glaser <t...@mirbsd.de>
Description:
cvs - Concurrent Versions System
Closes: 871810
Changes:
 cvs (2:1.12.13+real-24) unstable; urgency=high
 .
   * Update from MirBSD
     - fix for CVE-2017-12836 (Closes: #871810)
     - more robust $CVSROOT parsing
   * Policy 4.0.1
     - add nodoc build option
       ‣ I’m unclear on how this mixes with build profiles and/or
         Build-Depends exclusion; should I exclude ghostscript,
         groff, texinfo, texlive-* with <!nodocs> now, or are
         DEB_BUILD_OPTIONS=nodoc and the profile independent of
         each other? Info and patches welcome.
   * Drop explicit (thus redundant) autotools-dev B-D (lintian)
   * Update lintian overrides
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (MirBSD)
Comment: ☃ ЦΤℱ—8 ☕☂☄
-----END PGP SIGNATURE-----
--- End Message ---