Your message dated Sun, 27 Aug 2017 15:05:21 +0000
with message-id <[email protected]>
and subject line Bug#872436: fixed in db5.3 5.3.28-13.1
has caused the Debian Bug report #872436,
regarding db5.3: CVE-2017-10140: Berkeley DB reads DB_CONFIG from cwd
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
872436: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872436
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: db5.3
Version: 5.3.28-9
Severity: grave
Tags: upstream security
Hi,
the following vulnerability was published for db5.3.
CVE-2017-10140[0]:
Berkeley DB reads DB_CONFIG from cwd
Fedora used the patch in [3], and according to [1], comment #9 this
has been acknowledged by upstream to be fine solution.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-10140
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10140
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1464032
[2] https://bugzilla.novell.com/show_bug.cgi?id=1043886
[3]
https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: db5.3
Source-Version: 5.3.28-13.1
We believe that the bug you reported is fixed in the latest version of
db5.3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated db5.3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 17 Aug 2017 14:35:22 +0200
Source: db5.3
Binary: db5.3-doc libdb5.3-dev libdb5.3 db5.3-util db5.3-sql-util libdb5.3++
libdb5.3++-dev libdb5.3-tcl libdb5.3-dbg libdb5.3-java-jni libdb5.3-java
libdb5.3-java-dev libdb5.3-sql-dev libdb5.3-sql libdb5.3-stl-dev libdb5.3-stl
Architecture: source
Version: 5.3.28-13.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Berkeley DB Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
db5.3-doc - Berkeley v5.3 Database Documentation [html]
db5.3-sql-util - Berkeley v5.3 SQL Database Utilities
db5.3-util - Berkeley v5.3 Database Utilities
libdb5.3 - Berkeley v5.3 Database Libraries [runtime]
libdb5.3++ - Berkeley v5.3 Database Libraries for C++ [runtime]
libdb5.3++-dev - Berkeley v5.3 Database Libraries for C++ [development]
libdb5.3-dbg - Berkeley v5.3 Database Libraries [debug]
libdb5.3-dev - Berkeley v5.3 Database Libraries [development]
libdb5.3-java - Berkeley v5.3 Database Libraries for Java
libdb5.3-java-dev - Berkeley v5.3 Database Libraries for Java [development]
libdb5.3-java-jni - Berkeley v5.3 Database Libraries for Java
libdb5.3-sql - Berkeley v5.3 Database Libraries [SQL runtime]
libdb5.3-sql-dev - Berkeley v5.3 Database Libraries [SQL development]
libdb5.3-stl - Berkeley v5.3 Database Libraries [STL runtime]
libdb5.3-stl-dev - Berkeley v5.3 Database Libraries [STL development]
libdb5.3-tcl - Berkeley v5.3 Database Libraries for Tcl [module]
Closes: 872436
Changes:
db5.3 (5.3.28-13.1) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2017-10140: Reads DB_CONFIG from the current working directory.
Do not access DB_CONFIG when db_home is not set. (Closes: #872436)
Checksums-Sha1:
055f65f46fbef63f8426fa869e9865dc2b332b7d 3124 db5.3_5.3.28-13.1.dsc
9ecf25e1b9855ee2401c80e6a71046685438bbbd 28180 db5.3_5.3.28-13.1.debian.tar.xz
433cf019b6aecceafe58dd2c06b1e6410178a92e 6089
db5.3_5.3.28-13.1_source.buildinfo
Checksums-Sha256:
8941edcad8e16fe6bc76ffcbe86dbdaadc654b5ed994654689cf5408602a84f3 3124
db5.3_5.3.28-13.1.dsc
9e04b9269be51de4e73536584addc61e19b29e34f769e263c180228064c72ec9 28180
db5.3_5.3.28-13.1.debian.tar.xz
ceac7ee4268092db85df99b084eb5ffa8905e7f5fbe1db73d47075c7599f2177 6089
db5.3_5.3.28-13.1_source.buildinfo
Files:
0c44e9b0f9d88e1f78185872aed60169 3124 libs standard db5.3_5.3.28-13.1.dsc
20445d4c813e83a72389138171a7bc0b 28180 libs standard
db5.3_5.3.28-13.1.debian.tar.xz
516f6560c792b44fba9f3fbc172c28da 6089 libs standard
db5.3_5.3.28-13.1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlmVlJxfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EAnEP/1uTCZ8dQQ3WZjsSGBk/ctEQK86jVzHy
WwyA+0Y1RvwGTjK8MhxdIKS8Kda5E3M/Mle/oJTaCNQnAacRsrZGJC4NVWAnTHjl
Tnlc7p7w0oMk/rhekRPyxD7CvNu4JkuSpVqMDd0wIF91hy2vQBtfWBBta9ICHYic
vX4kuKC4XtxFdN/ZJz5Reeim4qDJKrIM1CYEDw49Xb0AuVc57tyAnM1vcGFi24rc
9FKfnaxcKnFqdd1wEkSADXfHTNUznRoFHFNIX1oXHeHxIFy9k4ptWy75qYIyFm2H
oFFN5yLWisa/NN/9r10LfWO9xwLVVx4wYTHusc9pLtyGHIiXyxXplLjA6fVsjgf6
PVDfESqTFrGVL/a1Znr3zjgTl8YvMjFb4VdaIKTibSWqhjAtZdlUmDd6uvGahMcX
4BCjUWwW2LKpEUKDGPZDA/VYta+dS+6ytC6Bt+ID/OywXU1ZIJFjIWm4teOXXzc/
LQeoIjAXZW5vK0PeXpxLDjNBq8VrtjIjI5XEQDXDh1B4NEz+GpxnUNW5tGUNbJLT
j9OmmjHzSMbNatHUjf06fVLfrnc3pQxOwfWARflTox5f21UeSZP26+XYP4EINWNk
w5v7iHqWprJzVn7fpLF7K5J4eTNeeJQRpzp/0B0m+Ir9rVL2zZkhxIluRRYrO61r
376PuAbGTeCS
=qow8
-----END PGP SIGNATURE-----
--- End Message ---