Your message dated Wed, 19 May 2010 19:32:27 +0000
with message-id <[email protected]>
and subject line Bug#559837: fixed in parser 3.4.0-2
has caused the Debian Bug report #559837,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
559837: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559837
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: parser
Severity: grave
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool. I have determined that this package embeds a
vulnerable copy of the libtool source code. However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.
CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.
Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
http://security-tracker.debian.org/tracker/CVE-2009-3736
--- End Message ---
--- Begin Message ---
Source: parser
Source-Version: 3.4.0-2
We believe that the bug you reported is fixed in the latest version of
parser, which is due to be installed in the Debian FTP archive:
parser3-cgi_3.4.0-2_amd64.deb
to main/p/parser/parser3-cgi_3.4.0-2_amd64.deb
parser3-common_3.4.0-2_amd64.deb
to main/p/parser/parser3-common_3.4.0-2_amd64.deb
parser3-dev_3.4.0-2_amd64.deb
to main/p/parser/parser3-dev_3.4.0-2_amd64.deb
parser3_3.4.0-2_all.deb
to main/p/parser/parser3_3.4.0-2_all.deb
parser_3.4.0-2.debian.tar.gz
to main/p/parser/parser_3.4.0-2.debian.tar.gz
parser_3.4.0-2.dsc
to main/p/parser/parser_3.4.0-2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sergey B Kirpichev <[email protected]> (supplier of updated parser package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Format: 1.8
Date: Wed, 19 May 2010 21:20:06 +0400
Source: parser
Binary: parser3 parser3-common parser3-cgi parser3-dev
Architecture: source amd64 all
Version: 3.4.0-2
Distribution: unstable
Urgency: low
Maintainer: Sergey B Kirpichev <[email protected]>
Changed-By: Sergey B Kirpichev <[email protected]>
Description:
parser3 - Parser 3, HTML-embedded scripting language (metapackage)
parser3-cgi - Parser 3, HTML-embedded scripting language (CGI binary)
parser3-common - Common files for packages built from the Parser 3 source
parser3-dev - Files for Parser 3 module development
Closes: 559837 560608
Changes:
parser (3.4.0-2) unstable; urgency=low
.
* Add ${misc:Depends} for parser3.
* Use "3.0 (quilt)" package format.
* Update format of debian/copyright, copyright years.
* Bump Standards-Version to 3.8.4.
* Patch embedded copy ltdl.c from upstream branch-1-5 (CVE-2009-3736).
Closes: #559837.
* Use automake-1.9 for 199 patch (Closes: #560608).
Checksums-Sha1:
a2791e8e6f375dd6230047f6d1e5f4191c80acd4 1255 parser_3.4.0-2.dsc
426fa7e02a20d6147dde3895315dbe2398d5bfe9 261311 parser_3.4.0-2.debian.tar.gz
77e7793930890efb66754e8dc13ae4cd07aba9d0 92846 parser3-common_3.4.0-2_amd64.deb
a8e0327eb63ec92e577f1352004997fe4590f26a 519662 parser3-cgi_3.4.0-2_amd64.deb
c13fa2b318fc530fb322393a008647d065f6d5e2 3082 parser3-dev_3.4.0-2_amd64.deb
e8a13f18a5b23147c7e832e2a438fb3e8adb3769 1056 parser3_3.4.0-2_all.deb
Checksums-Sha256:
c884ef4534339979d082948f93bee76f1dcf5666f26d184c6f5cdb69db63c4d0 1255
parser_3.4.0-2.dsc
3370d7584051efead7e9e70b02fb558686210807ed6e2d62ce1a38f2a0a4bca3 261311
parser_3.4.0-2.debian.tar.gz
bc1b89d85498426398e976de5d9c9ecbb68a1514816e754ae271188f7659e242 92846
parser3-common_3.4.0-2_amd64.deb
cc455eeb953ec597f947fe60cd1c3b2c1568d30c0699e463ec6a6e9a0163b7f5 519662
parser3-cgi_3.4.0-2_amd64.deb
46220c89444296040ea92652f49676d928fbbf9dc3d15b79c162f8292aacfb5d 3082
parser3-dev_3.4.0-2_amd64.deb
9cca05a7dc84210dbe5bc4b0dfde300d0582d16168ec99ce77314b455b1e98ec 1056
parser3_3.4.0-2_all.deb
Files:
63476b7a4975904a0a47963773fc4230 1255 web optional parser_3.4.0-2.dsc
bab3011ab098fb22fee5e6c936527b29 261311 web optional
parser_3.4.0-2.debian.tar.gz
a6403f17365f108499776b39f4ef2503 92846 web optional
parser3-common_3.4.0-2_amd64.deb
47817ffd6629482c59bea2a72dbf5495 519662 web optional
parser3-cgi_3.4.0-2_amd64.deb
78968340a4d1b85ffe77ac017a42c24c 3082 devel optional
parser3-dev_3.4.0-2_amd64.deb
489bc45379e94d7b517b33437a15a149 1056 web optional parser3_3.4.0-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEAREDAAYFAkv0OisACgkQq4wAz/jiZTcZwgCgmmEOgkYU2S8IbDkRLELxdLwU
E9cAnRYvneo0vATw+bmKEhhLGnI2xyXZ
=eMZI
-----END PGP SIGNATURE-----
--- End Message ---