Your message dated Fri, 08 Jun 2018 20:56:23 +0000
with message-id <e1froqp-00018n...@fasolo.debian.org>
and subject line Bug#901088: fixed in gnupg1 1.4.22-5
has caused the Debian Bug report #901088,
regarding gnupg1: CVE-2018-12020: filename sanitization problem in GnuPG
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
901088: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901088
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: gnupg1
Version: 1.4.21-4
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://dev.gnupg.org/T4012

Hi,

The following vulnerability was published for gnupg1. I'm aware this
is only the legacy packages, the issue though is present there and not
having the fix in buster will later on represent a regression from
updates from stretch. Thus the RC severity as well as reasoning.

CVE-2018-12020[0]:
filename sanitization problem in GnuPG

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-12020
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
[1] https://dev.gnupg.org/T4012

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gnupg1
Source-Version: 1.4.22-5

We believe that the bug you reported is fixed in the latest version of
gnupg1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 901...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kahn Gillmor <d...@fifthhorseman.net> (supplier of updated gnupg1
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 08 Jun 2018 16:24:29 -0400
Source: gnupg1
Binary: gnupg1 gpgv1 gnupg1-l10n
Architecture: source
Version: 1.4.22-5
Distribution: unstable
Urgency: medium
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-ma...@lists.alioth.debian.org>
Changed-By: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Description:
 gnupg1 - GNU privacy guard - a PGP implementation (deprecated "classic" ve
 gnupg1-l10n - GNU privacy guard "classic" - localization files (deprecated)
 gpgv1 - GNU privacy guard - signature verification tool (deprecated "clas
Closes: 901088
Changes:
 gnupg1 (1.4.22-5) unstable; urgency=medium
 .
   * use DEP-14 branch naming
   * d/control: add Rules-Requires-Root: no
   * Standards-Version: bump to 4.1.4 (no changes needed)
   * cherry-pick patches from upstream (Closes: #901088)
     fixing CVE-2018-12020
-----BEGIN PGP SIGNATURE-----
iHUEARYKAB0WIQTTaP514aqS9uSbmdJsHx7ezFD6UwUCWxrrmAAKCRBsHx7ezFD6
U5rIAP4nTgulMyt1T/aUW7QYHOIBPa6hX55ALB6BAGu5IGZAswEAxaKuVyn7kNB1
dgl2sHQNy+wDkFac705WV428wBnQ4ww=
=WZaP
-----END PGP SIGNATURE-----
--- End Message ---