Your message dated Mon, 28 May 2018 19:47:09 +0000
with message-id <e1fno6n-000ep1...@fasolo.debian.org>
and subject line Bug#896703: fixed in packagekit 1.1.5-2+deb9u1
has caused the Debian Bug report #896703,
regarding packagekit: CVE-2018-1106: Installation of Signed Packages without
Administrator Authentication
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
896703: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896703
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: packagekit
Version: 1.1.5-2
Severity: grave
Tags: patch security upstream
Justification: user security hole
Hi,
The following vulnerability was published for packagekit. Filing it
for now with RC severity.
CVE-2018-1106[0]:
Installation of Signed Packages without Administrator Authentication
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1106
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1106
[1] https://github.com/hughsie/PackageKit/commit/7e8a7905ea9abbd1f384f05f36a4458682cd4697
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: packagekit
Source-Version: 1.1.5-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
packagekit, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 896...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthias Klumpp <m...@debian.org> (supplier of updated packagekit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 04 May 2018 10:46:18 +0200
Source: packagekit
Binary: packagekit packagekit-tools packagekit-docs libpackagekit-glib2-18
 libpackagekit-glib2-dev gir1.2-packagekitglib-1.0 packagekit-gtk3-module
 gstreamer1.0-packagekit packagekit-command-not-found
Architecture: source amd64 all
Version: 1.1.5-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Matthias Klumpp <m...@debian.org>
Changed-By: Matthias Klumpp <m...@debian.org>
Description:
 gir1.2-packagekitglib-1.0 - GObject introspection data for the PackageKit GLib library
 gstreamer1.0-packagekit - GStreamer plugin to install codecs using PackageKit
 libpackagekit-glib2-18 - Library for accessing PackageKit using GLib
 libpackagekit-glib2-dev - Library for accessing PackageKit using GLib (development files)
 packagekit - Provides a package management service
 packagekit-command-not-found - Offer to install missing programs automatically
 packagekit-docs - Documentation for PackageKit
 packagekit-gtk3-module - Install fonts automatically using PackageKit
 packagekit-tools - Provides PackageKit command-line tools
Closes: 896703
Changes:
 packagekit (1.1.5-2+deb9u1) stretch-security; urgency=high
 .
   * Add 02_dont-set-just_reinstall-on-auth-failure.patch
     - Resolves an authentication bypass flaw allowing users
       without privileges to install local packages.
       (Closes: #896703, CVE-2018-1106)
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---