Your message dated Fri, 31 Oct 2008 21:17:36 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#503645: fixed in jhead 2.84-2 has caused the Debian Bug report #503645, regarding jhead: CVE-2008-4640, CVE-2008-4641 command injection via filename and insecure file handling to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.)

-- 
503645: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503645
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: jhead
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for jhead.

CVE-2008-4641[0]:
| The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and
| earlier allows attackers to execute arbitrary commands via shell
| metacharacters in unspecified input.

CVE-2008-4640[1]:
| The DoCommand function in jhead.c in Matthias Wandel jhead 2.84 and
| earlier allows local users to delete arbitrary files via vectors
| involving a modified input filename in which (1) a final "z" character
| is replaced by a "t" character or (2) a final "t" character is
| replaced by a "z" character.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4641
    http://security-tracker.debian.net/tracker/CVE-2008-4641
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4640
    http://security-tracker.debian.net/tracker/CVE-2008-4640

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: jhead
Source-Version: 2.84-2

We believe that the bug you reported is fixed in the latest version of
jhead, which is due to be installed in the Debian FTP archive:

jhead_2.84-2.diff.gz
  to pool/main/j/jhead/jhead_2.84-2.diff.gz
jhead_2.84-2.dsc
  to pool/main/j/jhead/jhead_2.84-2.dsc
jhead_2.84-2_amd64.deb
  to pool/main/j/jhead/jhead_2.84-2_amd64.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovic Rousseau <[EMAIL PROTECTED]> (supplier of updated jhead package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.8
Date: Fri, 31 Oct 2008 19:53:26 +0100
Source: jhead
Binary: jhead
Architecture: source amd64
Version: 2.84-2
Distribution: unstable
Urgency: high
Maintainer: Ludovic Rousseau <[EMAIL PROTECTED]>
Changed-By: Ludovic Rousseau <[EMAIL PROTECTED]>
Description:
 jhead - manipulate the non-image part of Exif compliant JPEG files
Closes: 503645
Changes:
 jhead (2.84-2) unstable; urgency=high
 .
   * urgency high since it fixes a security RC bug: CVE-2008-4641
   * debian/patches/11_jhead.c.dpatch: Closes: #503645: jhead: CVE-2008-4641
     command injection via filename and insecure file handling
--- End Message ---
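
The two CVE descriptions quoted in the report name two classes of bug: a filename reaching a shell with its metacharacters intact, and files being deleted through a name derived from the input filename by swapping its last character. The C sketch below is an added example of the usual defensive pattern for both; it is not jhead's code and not the contents of 11_jhead.c.dpatch, which this thread does not show. The helper names `run_no_shell` and `make_temp_beside` and the `jhtmp` prefix are hypothetical, and a POSIX system is assumed.

```c
#define _XOPEN_SOURCE 700   /* declares mkstemp() under strict -std= modes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical helper: run argv[0] with argv[] directly, without /bin/sh.
   A filename argument is handed over as one literal string, so ';', '`',
   '$' and spaces in it are never parsed as shell syntax.
   Returns the child's exit status, or -1 on failure. */
int run_no_shell(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical helper: create a scratch file in the same directory as
   `input` with an unpredictable name. mkstemp() opens with O_EXCL, so it
   cannot land on a file that already exists, unlike a name made by
   changing the last character of the input name.
   Returns an open fd and writes the chosen path to `out`, or -1. */
int make_temp_beside(const char *input, char *out, size_t outlen)
{
    const char *slash = strrchr(input, '/');
    int dirlen = slash ? (int)(slash - input) + 1 : 0;
    int n = snprintf(out, outlen, "%.*sjhtmpXXXXXX", dirlen, input);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return mkstemp(out);
}

int main(void)
{
    char tmp[4096];
    int fd = make_temp_beside("/tmp/photo.jpg", tmp, sizeof tmp); /* constructed path */
    if (fd < 0) return 1;
    close(fd);
    char *probe[] = {"test", "-f", tmp, NULL};  /* stand-in for the external tool */
    int rc = run_no_shell(probe);
    unlink(tmp);
    return rc;
}
```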