Your message dated Tue, 07 Apr 2020 20:23:42 +0000
with message-id <e1jlul4-0000ar...@fasolo.debian.org>
and subject line Bug#932539: fixed in qbittorrent 4.1.5-1+deb10u1
has caused the Debian Bug report #932539,
regarding qbittorrent: CVE-2019-13640
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
932539: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932539
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: qbittorrent
Version: 4.1.6-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/qbittorrent/qBittorrent/issues/10925
Control: found -1 4.1.5-1

Hi,

The following vulnerability was published for qbittorrent.

CVE-2019-13640[0]:
| In qBittorrent before 4.1.7, the function
| Application::runExternalProgram() located in app/application.cpp
| allows command injection via shell metacharacters in the torrent name
| parameter or current tracker parameter, as demonstrated by remote
| command execution via a crafted name within an RSS feed.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13640
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13640
[1] https://github.com/qbittorrent/qBittorrent/issues/10925

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
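
Added example, not part of the original report and not qBittorrent's code: the bug class named in the CVE description (shell metacharacters in the torrent name reaching a shell), shown as an expand-then-shell pattern beside an argv-based one. The `%N` placeholder, the function names, the command template and the sample name are assumptions constructed for illustration.

```cpp
// Added illustration; not qBittorrent source. "%N" is an assumed placeholder
// for the torrent name; the template and name below are constructed samples.
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// Replace every occurrence of `key` in `s` with `value`.
static std::string substitute(std::string s, const std::string &key, const std::string &value) {
    for (size_t pos = 0; (pos = s.find(key, pos)) != std::string::npos; pos += value.size())
        s.replace(pos, key.size(), value);
    return s;
}

// Vulnerable pattern: expand first, then let /bin/sh parse the result.
// popen() runs its argument through "sh -c", so metacharacters in `name`
// are interpreted as shell syntax instead of data.
std::string runViaShell(const std::string &tmpl, const std::string &name) {
    std::string out;
    FILE *p = popen(substitute(tmpl, "%N", name).c_str(), "r");
    if (!p) return out;
    char buf[256];
    while (fgets(buf, sizeof buf, p)) out += buf;
    pclose(p);
    return out;
}

// Hardened pattern: split the trusted template into argv first, then expand
// each element. Untrusted text cannot add or split arguments; the vector is
// meant for an exec-style API that takes an argument list, never a shell.
std::vector<std::string> buildArgv(const std::string &tmpl, const std::string &name) {
    std::vector<std::string> argv;
    std::istringstream in(tmpl);
    for (std::string tok; in >> tok;)  // whitespace split only; quoting not handled
        argv.push_back(substitute(tok, "%N", name));
    return argv;
}

int main() {
    const std::string tmpl = "echo done: %N";       // constructed user setting
    const std::string name = "demo; echo INJECTED"; // constructed, harmless name
    std::printf("shell output:\n%s", runViaShell(tmpl, name).c_str());
    for (const auto &a : buildArgv(tmpl, name)) std::printf("argv: [%s]\n", a.c_str());
}
```

In the shell path the sample name yields a second command; in the argv path it stays a single argument.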
--- Begin Message ---
Source: qbittorrent
Source-Version: 4.1.5-1+deb10u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
qbittorrent, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 932...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated qbittorrent package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 29 Mar 2020 18:14:15 +0200
Source: qbittorrent
Architecture: source
Version: 4.1.5-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Cristian Greco <crist...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 932539
Changes:
 qbittorrent (4.1.5-1+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Prevent command injection via "Run external program" function
     (CVE-2019-13640) (Closes: #932539)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
