Your message dated Tue, 07 Apr 2020 20:25:18 +0000 with message-id <e1jlumc-00017o...@fasolo.debian.org> and subject line Bug#932539: fixed in qbittorrent 3.3.7-3+deb9u1 has caused the Debian Bug report #932539, regarding qbittorrent: CVE-2019-13640 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 932539: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932539 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: qbittorrent Version: 4.1.6-1 Severity: grave Tags: security upstream Forwarded: https://github.com/qbittorrent/qBittorrent/issues/10925 Control: found -1 4.1.5-1 Hi, The following vulnerability was published for qbittorrent. CVE-2019-13640[0]: | In qBittorrent before 4.1.7, the function | Application::runExternalProgram() located in app/application.cpp | allows command injection via shell metacharacters in the torrent name | parameter or current tracker parameter, as demonstrated by remote | command execution via a crafted name within an RSS feed. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-13640 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13640 [1] https://github.com/qbittorrent/qBittorrent/issues/10925 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: qbittorrent Source-Version: 3.3.7-3+deb9u1 Done: Salvatore Bonaccorso <car...@debian.org> We believe that the bug you reported is fixed in the latest version of qbittorrent, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 932...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Salvatore Bonaccorso <car...@debian.org> (supplier of updated qbittorrent package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 29 Mar 2020 17:45:52 +0200 Source: qbittorrent Architecture: source Version: 3.3.7-3+deb9u1 Distribution: stretch-security Urgency: high Maintainer: Cristian Greco <crist...@debian.org> Changed-By: Salvatore Bonaccorso <car...@debian.org> Closes: 932539 Changes: qbittorrent (3.3.7-3+deb9u1) stretch-security; urgency=high . * Non-maintainer upload by the Security Team. * Prevent command injection via "Run external program" function (CVE-2019-13640) (Closes: #932539) Checksums-Sha1: def66fdc879c899f9826037bda9ec0e39d9a91e9 2363 qbittorrent_3.3.7-3+deb9u1.dsc 5256adf60b3189ab49f3b394043d54890c54b005 2884792 qbittorrent_3.3.7.orig.tar.xz 9b56f2fd95bc8f67187da22a445592e64b709eef 123516 qbittorrent_3.3.7-3+deb9u1.debian.tar.xz Checksums-Sha256: 71ac4790071d183f029e45aa65cc99ae8c6eb508629eb03d154e9993d1f0ebb0 2363 qbittorrent_3.3.7-3+deb9u1.dsc 72dc824a90fadc0825e6be6f1c215e38f976262c7f83b625061d542b2b664c40 2884792 qbittorrent_3.3.7.orig.tar.xz c388178630091de5f1ea2545206d8b3623bbd55266a86170b30a2f05e9485115 123516 qbittorrent_3.3.7-3+deb9u1.debian.tar.xz Files: 77f3618bb7dfc33eeb1b6e42e5235f8c 2363 net optional qbittorrent_3.3.7-3+deb9u1.dsc 646cc40b551700ec4988c36da8638183 2884792 net optional qbittorrent_3.3.7.orig.tar.xz b77889ab60f475295aacfefd20a15d2b 123516 net optional qbittorrent_3.3.7-3+deb9u1.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl6AxVJfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89EmPMP+wc1sbGz0N8XfiE2XqRD9gS+gpA9PJBf HpmentI2xPyHVzBCBnGm/UnVz5/8Y4LNx5SThxwGWllh7BSCDG7hw+0UpE3bkmdU SXuxA9fy2thgUTNan7UdLh2AobEBE1I4BajsKh1X8I/IuVxqq6L1u1oWm6DH6C/O hLPP/X/Q7Z0DYASP5yH1hohNT/3kevr2U3PdmeCysq274MAGO9DX6J13lX61xcO3 vJKmmkmD3LZkHLxuNjc/RnHpj14yMAYaFegbht0WieQD5pCXccb8fGIzvQdK6GTC U/SVGH1s1NW8lktFdy0XQ4PHD4BfTdhZ6iPr641j4pg0FIYKSzUKeoE41Li3WqS/ dKEnCzn/QTUaGBpDcF5kNh2ZOAehIhCEngcII5RuikzddzDL4eR5Bprh817FiuLW rL5KnSf0kzNjQcXP1Sobid+qkB9XrPPz/h+NS9EAMuiZQKJWHPuEgnwTFXwyxVHb HaIC3B+YvUzVJyb7SfLN+DPrgS5RBPtYwyFMVk9IAKKpPK7yRImTF8XmNh6RkNQz dzakNdEioLac260sAbz+QnnGZ0x+q4haMu6TV3gMWPDCSeAW+cH0hrK/3GnnK+Q7 SkNVTtFOaPvUE5UyLoqIEcYgfRTudFdP/6Nt/OJFzYijQna/SoExXDiffWB00mPX h+qyXmSGWUV7 =f2PB -----END PGP SIGNATURE-----
--- End Message ---
