Your message dated Tue, 02 Jul 2019 21:05:46 +0000
with message-id <e1hipye-00041z...@fasolo.debian.org>
and subject line Bug#871321: fixed in tenshi 0.13-2.1~deb9u1
has caused the Debian Bug report #871321,
regarding tenshi: CVE-2017-11746: should create its PID file before dropping privileges
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
871321: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871321
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tenshi
Version: 0.13-2
Severity: normal
Tags: upstream patch security
Forwarded: https://github.com/inversepath/tenshi/issues/6

Hi,

the following vulnerability was published for tenshi.

CVE-2017-11746[0]:
| Tenshi 0.15 creates a tenshi.pid file after dropping privileges to a
| non-root account, which might allow local users to kill arbitrary
| processes by leveraging access to this non-root account for tenshi.pid
| modification before a root script executes a "kill `cat
| /pathname/tenshi.pid`" command.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11746
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11746
[1] https://github.com/inversepath/tenshi/issues/6
[2] https://github.com/inversepath/tenshi/commit/d0e7f28c13ffbd5888b31d6532c2faf78f10f176

Regards,
Salvatore

--- End Message ---
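
The root-script side of the CVE description above, as an added example that is not part of the bug report or of tenshi: instead of a bare "kill `cat /pathname/tenshi.pid`", the script signals only when the PID file is a regular file owned by the trusted account, not group- or world-writable, and holds a single PID whose process name matches. The function name `safe_pid`, the Linux-only `/proc/<pid>/comm` check, GNU/busybox `stat -c`, and the expected process name `tenshi` are assumptions.

```shell
#!/bin/sh
# Added example, not tenshi or Debian code.
# safe_pid FILE EXPECTED_COMM [TRUSTED_UID]
# Prints the PID and returns 0 only if every check passes; prints nothing otherwise.
safe_pid() {
    file=$1 want=$2 trusted_uid=${3:-0}

    # Must be a regular file, not a symlink planted by another account.
    [ -f "$file" ] && [ ! -L "$file" ] || return 1

    # Owner must be the trusted account; group and others must not have write access.
    meta=$(stat -c '%u %a' -- "$file") || return 1
    owner=${meta% *} mode=${meta#* }
    [ "$owner" = "$trusted_uid" ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ] || return 1

    # Contents must be exactly one decimal PID greater than 1
    # (rejects empty files, extra lines, signs, shell metacharacters).
    pid=$(cat -- "$file") || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pid" -gt 1 ] || return 1

    # The PID must currently belong to the expected program.
    [ "$(cat "/proc/$pid/comm" 2>/dev/null)" = "$want" ] || return 1

    printf '%s\n' "$pid"
}

# Usage in a root stop script (path as written in the CVE text, name assumed):
#   pid=$(safe_pid /pathname/tenshi.pid tenshi) && kill "$pid"
```

The check narrows what a tampered PID file can cause; it does not replace the fix named in the bug title, creating the PID file before dropping privileges. The directory holding the PID file should likewise not be writable by the unprivileged account.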
--- Begin Message ---
Source: tenshi
Source-Version: 0.13-2.1~deb9u1

We believe that the bug you reported is fixed in the latest version of
tenshi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 871...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann <a...@debian.org> (supplier of updated tenshi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 16 Jun 2019 23:43:59 +0200
Source: tenshi
Binary: tenshi
Architecture: source
Version: 0.13-2.1~deb9u1
Distribution: stretch
Urgency: high
Maintainer: Ignace Mouzannar <mouzan...@gmail.com>
Changed-By: Andreas Beckmann <a...@debian.org>
Description:
 tenshi     - log monitoring and reporting tool
Closes: 871321
Changes:
 tenshi (0.13-2.1~deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for stretch.
 .
 tenshi (0.13-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Upload to unstable.
   * Drop DMUA.
 .
 tenshi (0.13-2+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Debian LTS team.
   * Fix CVE-2017-11746: PID file issue allows local users to kill arbitrary
     processes  (Closes: #871321)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
