Your message dated Mon, 23 Apr 2018 22:22:23 +0000
with message-id <[email protected]>
and subject line Bug#896703: fixed in packagekit 1.1.10-1
has caused the Debian Bug report #896703,
regarding packagekit: CVE-2018-1106: Installation of Signed Packages without 
Administrator Authentication
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
896703: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896703
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: packagekit
Version: 1.1.5-2
Severity: grave
Tags: patch security upstream
Justification: user security hole

Hi,

The following vulnerability was published for packagekit. Filing it
for now with RC severity.

CVE-2018-1106[0]:
Installation of Signed Packages without Administrator Authentication

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1106
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1106
[1] https://github.com/hughsie/PackageKit/commit/7e8a7905ea9abbd1f384f05f36a4458682cd4697

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: packagekit
Source-Version: 1.1.10-1

We believe that the bug you reported is fixed in the latest version of
packagekit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klumpp <[email protected]> (supplier of updated packagekit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 23 Apr 2018 23:14:46 +0200
Source: packagekit
Binary: packagekit packagekit-tools packagekit-docs libpackagekit-glib2-18
 libpackagekit-glib2-dev gir1.2-packagekitglib-1.0 packagekit-gtk3-module
 gstreamer1.0-packagekit packagekit-command-not-found
Architecture: source amd64 all
Version: 1.1.10-1
Distribution: unstable
Urgency: high
Maintainer: Matthias Klumpp <[email protected]>
Changed-By: Matthias Klumpp <[email protected]>
Description:
 gir1.2-packagekitglib-1.0 - GObject introspection data for the PackageKit GLib library
 gstreamer1.0-packagekit - GStreamer plugin to install codecs using PackageKit
 libpackagekit-glib2-18 - Library for accessing PackageKit using GLib
 libpackagekit-glib2-dev - Library for accessing PackageKit using GLib (development files)
 packagekit - Provides a package management service
 packagekit-command-not-found - Offer to install missing programs automatically
 packagekit-docs - Documentation for PackageKit
 packagekit-gtk3-module - Install fonts automatically using PackageKit
 packagekit-tools - Provides PackageKit command-line tools
Closes: 896703
Changes:
 packagekit (1.1.10-1) unstable; urgency=high
 .
   * New upstream release: 1.1.10
     - This release fixes CVE-2018-1106 (Closes: #896703)
     - aptcc: Not all downloads have to be packages
     - aptcc: Return multiple packages when using '|' operator
     - aptcc: Simplify search methods
   * Bump standards version: No changes needed
   * Update Vcs-* URLs to point to Salsa
   * Use auth_admin instead of auth_admin_keep as default authorization
     for downgrades and package removals.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
