Your message dated Tue, 31 Oct 2006 11:34:05 -0800 with message-id <[EMAIL PROTECTED]> and subject line Bug#396277: fixed in thttpd 2.23beta1-5 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database)
--- Begin Message ---Package: thttpd Severity: grave Tags: security Insecure use of /tmp in /etc/logrotate.d/thttpd: if pidof thttpd 2>&1 > /dev/null; then touch /tmp/start_thttpd fi By creating a /tmp/start_thttpd symlink a local attacker will be able to create/touch any file as root. -- ciao, Marco
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---Source: thttpd Source-Version: 2.23beta1-5 We believe that the bug you reported is fixed in the latest version of thttpd, which is due to be installed in the Debian FTP archive: thttpd-util_2.23beta1-5_i386.deb to pool/main/t/thttpd/thttpd-util_2.23beta1-5_i386.deb thttpd_2.23beta1-5.diff.gz to pool/main/t/thttpd/thttpd_2.23beta1-5.diff.gz thttpd_2.23beta1-5.dsc to pool/main/t/thttpd/thttpd_2.23beta1-5.dsc thttpd_2.23beta1-5_i386.deb to pool/main/t/thttpd/thttpd_2.23beta1-5_i386.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Daniel Baumann <[EMAIL PROTECTED]> (supplier of updated thttpd package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Tue, 31 Oct 2006 20:13:00 +0200 Source: thttpd Binary: thttpd-util thttpd Architecture: source i386 Version: 2.23beta1-5 Distribution: unstable Urgency: high Maintainer: Daniel Baumann <[EMAIL PROTECTED]> Changed-By: Daniel Baumann <[EMAIL PROTECTED]> Description: thttpd - tiny/turbo/throttling HTTP server thttpd-util - Support utilities for thttpd Closes: 396277 Changes: thttpd (2.23beta1-5) unstable; urgency=high . * Applied patch from Steve Kemp <[EMAIL PROTECTED]> on thttpd.logrotate to fix the insecure use of temporary files when invoked by logrotate [CVE-2006-4248] (Closes: #396277). Files: 001713be9e39d2662b2b43b2bf80cda3 602 web optional thttpd_2.23beta1-5.dsc ac9085e9051e8d6d456bd3ebfd447dce 15102 web optional thttpd_2.23beta1-5.diff.gz 18e7b8b8e80975a13b6ef3b9770cecb6 54482 web optional thttpd_2.23beta1-5_i386.deb afd66763ec36d12704919dd511b0eea4 26420 web optional thttpd-util_2.23beta1-5_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFFR6EN+C5cwEsrK54RAiMXAKCyzgZ7Qk5IipkFwLlB2lGsqnIuhwCfQTo+ mNw7zT5nqs/2Eez4KsX40qc= =Q8CZ -----END PGP SIGNATURE-----
--- End Message ---
