Your message dated Thu, 22 Sep 2005 12:04:15 +0200
with message-id <[EMAIL PROTECTED]>
and subject line fixed...
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 2 Sep 2005 14:01:49 +0000
>From [EMAIL PROTECTED] Fri Sep 02 07:01:49 2005
Return-path: <[EMAIL PROTECTED]>
Received: from kitenet.net [64.62.161.42] (postfix)
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1EBC73-00052x-00; Fri, 02 Sep 2005 07:01:49 -0700
Received: from dragon.kitenet.net (va-65-173-90-83.sta.sprint-hsd.net [65.173.90.83])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
        by kitenet.net (Postfix) with ESMTP id 886E018490
        for <[EMAIL PROTECTED]>; Fri,  2 Sep 2005 14:01:48 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
        id AA733BF21F; Fri,  2 Sep 2005 10:01:50 -0400 (EDT)
Date: Fri, 2 Sep 2005 10:01:50 -0400
From: Joey Hess <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [SECURITY] [DSA 799-1] New webcalendar packages fix remote code execution
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="Qbvjkv9qwOGw/5Fx"
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.10i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02


--Qbvjkv9qwOGw/5Fx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: webcalendar
Version: 0.9.45-5
Tags: security
Severity: grave

A second security issue has been found in webcalendar, DSA is below.

Note that webcalendar is still vulnerable to the previous security issue
that got DSA-766-1. What is the holdup?

Michael Stone wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 798-1                     [EMAIL PROTECTED]
> http://www.debian.org/security/                              Michael Stone
> September 2, 2005                       http://www.debian.org/security/faq
> - --------------------------------------------------------------------------
>
> Package        : webcalendar
> Vulnerability  : remote code execution
> Problem-Type   : input validation
> Debian-specific: no
> CVE ID         : CAN-2005-2717
>
> A trivially-exploitable bug was discovered in webcalendar that
> allows an attacker to execute arbitrary code with the privileges of
> the HTTP daemon on a system running a vulnerable version.
>
> The old stable distribution (woody) does not contain the webcalendar
> package.
>
> For the stable distribution (sarge) this problem has been fixed in
> version 0.9.45-4sarge2.
>
> For the unstable distribution (sid) this problem will be fixed
> shortly.
>
> We recommend that you upgrade your webcalendar package immediately.
>
>
> Upgrade Instructions
> - --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
>
> Debian GNU/Linux 3.1 alias sarge
> - --------------------------------
>
>   Source archives:
>
>     http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge2.diff.gz
>       Size/MD5 checksum:     9908 ae927afd627778637759df5f2e4e8336
>     http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge2.dsc
>       Size/MD5 checksum:      725 0e765e2795bba3a7ccaedea569f2475c
>     http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45.orig.tar.gz
>       Size/MD5 checksum:   612360 a6a66dc54cd293429b604fe6da7633a6
>
>   Architecture independent packages:
>
>     http://security.debian.org/pool/updates/main/w/webcalendar/webcalendar_0.9.45-4sarge2_all.deb
>       Size/MD5 checksum:   627470 1206a45774cad65c0b2b85bdc48a2d53
>
>   These files will probably be moved into the stable distribution on
>   its next update.
>
> - ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
>
> iQCVAwUBQxg44Q0hVr09l8FJAQI8NAQAxzIFF24u4nS4YAgxH2DYMo0m+lzSsMfy
> hRIbHkgbOVCXi4tAAR/UsYeEI2Fh5En6CBjYHJ1tFRPhAlCspShTaQRpxwPUH6aI
> vYZPwYB1umNMlumwkIiBYgcoAT11ymLfHuloosBUV4WmnEF3BdYC1K8m/tI6v4z8
> NbehXMMEV6c=
> =4Gmy
> -----END PGP SIGNATURE-----
>
>
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
.org
>

-- 
see shy jo

--Qbvjkv9qwOGw/5Fx
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDGFtOd8HHehbQuO8RApBGAKCfHvXfqC/i16gFvVdVfsP0RDwZ5gCeIA9s
kOqGmGhsG9rR9ML1JC0xKgw=
=LrId
-----END PGP SIGNATURE-----

--Qbvjkv9qwOGw/5Fx--

---------------------------------------
Received: (at 326223-done) by bugs.debian.org; 22 Sep 2005 10:04:24 +0000
>From [EMAIL PROTECTED] Thu Sep 22 03:04:24 2005
Return-path: <[EMAIL PROTECTED]>
Received: from kitenet.net [64.62.161.42] (postfix)
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1EINwG-0000LH-00; Thu, 22 Sep 2005 03:04:24 -0700
Received: from dragon.kitenet.net (dhcp-sn38-07.hrz.uni-oldenburg.de [134.106.38.27])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
        by kitenet.net (Postfix) with ESMTP id B7E5D185B2
        for <[EMAIL PROTECTED]>; Thu, 22 Sep 2005 10:04:23 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
        id B40B3BEEF3; Thu, 22 Sep 2005 12:04:15 +0200 (CEST)
Date: Thu, 22 Sep 2005 12:04:15 +0200
From: Joey Hess <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: fixed...
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="liOOAslEiF7prFVr"
Content-Disposition: inline
User-Agent: Mutt/1.5.10i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
        version=2.60-bugs.debian.org_2005_01_02


--liOOAslEiF7prFVr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Version: 0.9.45-7

I see this was fixed.

-- 
see shy jo

--liOOAslEiF7prFVr
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDMoGed8HHehbQuO8RAk86AKCVoK4f7q+lasCSQ+0CeYXT7uTw8gCbBAJv
oTkoJyUT8ktylEHeCkrVdXU=
=iwGL
-----END PGP SIGNATURE-----

--liOOAslEiF7prFVr--

