Your message dated Wed, 08 Jul 2020 13:19:32 +0000
with message-id <e1jt9z2-0008dc...@fasolo.debian.org>
and subject line Bug#949393: fixed in storebackup 3.2.1-2
has caused the Debian Bug report #949393,
regarding storebackup: CVE-2020-7040: denial of service and symlink attack
vector via fixed lockfile path /tmp/storeBackup.lock
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
949393: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949393
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: storebackup
Version: 3.2.1-1
Severity: grave
Tags: security upstream
Hi,
The following vulnerability was published for storebackup.
CVE-2020-7040[0]:
|storeBackup: denial of service and symlink attack vector via fixed
|lockfile path /tmp/storeBackup.lock
The RC severity per se is a bit exaggerated for the issue, but given
the package is orphaned we should be careful about including the package
in bullseye.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-7040
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7040
[1] https://www.openwall.com/lists/oss-security/2020/01/20/3
[2] https://bugzilla.suse.com/show_bug.cgi?id=1156767
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: storebackup
Source-Version: 3.2.1-2
Done: Adrian Bunk <b...@debian.org>
We believe that the bug you reported is fixed in the latest version of
storebackup, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 949...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated storebackup package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 08 Jul 2020 15:54:21 +0300
Source: storebackup
Architecture: source
Version: 3.2.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packa...@qa.debian.org>
Changed-By: Adrian Bunk <b...@debian.org>
Closes: 949393
Changes:
storebackup (3.2.1-2) unstable; urgency=medium
.
 * QA upload.
 * Set maintainer to Debian QA Group. (see #856299)
 * Add patch to change the way the lockfile is opened in the Perl code.
   (Fixes: CVE-2020-7040) (Closes: #949393)
Checksums-Sha1:
 ab75bf2e5432e02126e9cab6e058af6c201850cd 1884 storebackup_3.2.1-2.dsc
 7b6fb97ea24507a2f6df4d7ea0f259cf34a4a60c 8872 storebackup_3.2.1-2.debian.tar.xz
Checksums-Sha256:
 b83e1d2e47a70b1fdf59a9faf5a60f6f92b1423e34da6d3a8f0a2ef807a7d30f 1884 storebackup_3.2.1-2.dsc
 0ee28aaada1633748559b9804e24a8c109937650c701f89431a4b2c7ddabf50f 8872 storebackup_3.2.1-2.debian.tar.xz
Files:
 34c0d722e9e32db4efda8b1de3b1ce21 1884 utils optional storebackup_3.2.1-2.dsc
 6f348263d02f2f7103e98012b3449eb7 8872 utils optional storebackup_3.2.1-2.debian.tar.xz
--- End Message ---
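As an added illustration of the issue reported above (a fixed lockfile path under the shared, world-writable /tmp) and of the kind of change the changelog entry names ("change the way the lockfile is opened"), here is the weak pattern beside a hardened one. This is example code, not storeBackup's own code and not the Debian patch, whose contents are not shown in this thread; the private lock directory passed to open_lock_safe is an assumption.

```perl
#!/usr/bin/perl
# Added example (not storeBackup's code or the Debian patch): unsafe vs.
# hardened lockfile opening in Perl.
use strict;
use warnings;
use Fcntl qw(:DEFAULT :flock);
use File::Spec;

# Weak pattern: a fixed path in a directory every local user can write to,
# opened with O_CREAT and with symlinks followed. Risk: another user can
# occupy the path first (denial of service) or place a symlink there so the
# lock is created or truncated somewhere else (the CVE-2020-7040 class).
sub open_lock_unsafe {
    my ($path) = @_;                       # e.g. '/tmp/storeBackup.lock'
    sysopen(my $fh, $path, O_RDWR | O_CREAT, 0644) or return undef;
    flock($fh, LOCK_EX | LOCK_NB) or return undef;
    return $fh;
}

# Hardened pattern: keep the lock in a directory owned by the running user
# and not writable by others (assumption: $dir is such a directory), refuse
# symlinks with O_NOFOLLOW, and verify after opening that the descriptor
# really refers to the regular file at that path.
sub open_lock_safe {
    my ($dir, $name) = @_;
    my @st = lstat($dir) or die "lockdir $dir: $!\n";
    die "lockdir $dir must not be a symlink\n" if -l _;
    die "lockdir $dir must be owned by uid $<\n" unless $st[4] == $<;
    die "lockdir $dir must not be group/world writable\n" if $st[2] & 022;
    my $path = File::Spec->catfile($dir, $name);
    # O_NOFOLLOW makes the open fail if $path is a symlink; O_CLOEXEC keeps
    # the lock descriptor out of child processes (rsync, compressors, ...).
    sysopen(my $fh, $path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600)
        or die "open lock $path: $!\n";
    # Compare the path's inode with the open descriptor's inode so a swap
    # between open() and use is detected rather than silently accepted.
    my @pst = lstat($path) or die "lstat $path: $!\n";
    my @fst = stat($fh)    or die "fstat: $!\n";
    die "lock $path changed underneath us\n"
        unless $pst[0] == $fst[0] && $pst[1] == $fst[1];
    die "lock $path is not a regular file\n" unless -f $fh;
    flock($fh, LOCK_EX | LOCK_NB) or die "another instance holds $path\n";
    return $fh;
}

# Usage (assumption: ~/.storeBackup exists, is owned by you, and is mode 0700):
# my $lock = open_lock_safe("$ENV{HOME}/.storeBackup", 'storeBackup.lock');
```

Holding the lock for the life of the process and letting the descriptor close on exit avoids the stale-lock cleanup that a fixed path in /tmp invites.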