Your message dated Sun, 16 Jun 2019 12:48:57 +0000
with message-id <e1hcuaf-000fau...@fasolo.debian.org>
and subject line Bug#871321: fixed in tenshi 0.13-2.1
has caused the Debian Bug report #871321,
regarding tenshi: CVE-2017-11746: should create its PID file before dropping
privileges
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
871321: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871321
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tenshi
Version: 0.13-2
Severity: normal
Tags: upstream patch security
Forwarded: https://github.com/inversepath/tenshi/issues/6
Hi,
the following vulnerability was published for tenshi.
CVE-2017-11746[0]:
| Tenshi 0.15 creates a tenshi.pid file after dropping privileges to a
| non-root account, which might allow local users to kill arbitrary
| processes by leveraging access to this non-root account for tenshi.pid
| modification before a root script executes a "kill `cat
| /pathname/tenshi.pid`" command.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-11746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11746
[1] https://github.com/inversepath/tenshi/issues/6
[2] https://github.com/inversepath/tenshi/commit/d0e7f28c13ffbd5888b31d6532c2faf78f10f176
Regards,
Salvatore
--- End Message ---
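Added example (not part of the original thread, and not tenshi's or Debian's code): the CVE text above describes a root script running "kill `cat /pathname/tenshi.pid`" on a file the unprivileged account can modify. The sketch below shows the check such a script can make before signalling. Function names and DAEMON_UID are hypothetical, and it assumes Linux with a stat that supports -c and a mounted /proc.

```shell
#!/bin/sh
# Constructed example; function names are hypothetical. Assumes Linux
# (stat with -c support, and /proc).

# owner_and_mode_ok PATH OWNER_UID
# True if PATH belongs to OWNER_UID (or root) and has no group/other write bit.
owner_and_mode_ok() {
    meta=$(stat -c '%u %a' "$1" 2>/dev/null) || return 1
    f_uid=${meta% *}; f_mode=${meta#* }
    [ "$f_uid" = "$2" ] || [ "$f_uid" = 0 ] || return 1
    [ $(( 0$f_mode & 022 )) -eq 0 ]
}

# pidfile_trusted FILE OWNER_UID
# True if FILE is a regular file (not a symlink) that only OWNER_UID or root
# could have written, in a directory with the same property, so an
# unprivileged account cannot edit or replace it.
pidfile_trusted() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    owner_and_mode_ok "$1" "$2" || return 1
    owner_and_mode_ok "$(dirname "$1")" "$2"
}

# safe_pid FILE OWNER_UID DAEMON_UID
# Prints the PID only if FILE is trusted, holds a single decimal PID > 1,
# and that process currently runs as DAEMON_UID.
safe_pid() {
    pidfile_trusted "$1" "$2" || return 1
    IFS= read -r pid < "$1" || [ -n "$pid" ] || return 1
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    [ "$pid" -gt 1 ] 2>/dev/null || return 1
    [ "$(stat -c %u "/proc/$pid" 2>/dev/null)" = "$3" ] || return 1
    printf '%s\n' "$pid"
}

# In a root stop script, instead of: kill `cat /pathname/tenshi.pid`
#   pid=$(safe_pid /pathname/tenshi.pid 0 "$DAEMON_UID") && kill "$pid"
```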
--- Begin Message ---
Source: tenshi
Source-Version: 0.13-2.1
We believe that the bug you reported is fixed in the latest version of
tenshi, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 871...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Beckmann <a...@debian.org> (supplier of updated tenshi package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 16 Jun 2019 14:24:39 +0200
Source: tenshi
Architecture: source
Version: 0.13-2.1
Distribution: unstable
Urgency: high
Maintainer: Ignace Mouzannar <mouzan...@gmail.com>
Changed-By: Andreas Beckmann <a...@debian.org>
Closes: 871321
Changes:
tenshi (0.13-2.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Upload to unstable.
* Drop DMUA.
.
tenshi (0.13-2+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Debian LTS team.
* Fix CVE-2017-11746: PID file issue allows local users to kill arbitrary
processes (Closes: #871321)
--- End Message ---