Your message dated Tue, 12 Jun 2018 22:03:32 +0000
with message-id <e1fsro0-0008uy...@fasolo.debian.org>
and subject line Bug#901088: fixed in gnupg1 1.4.21-4+deb9u1
has caused the Debian Bug report #901088,
regarding gnupg1: CVE-2018-12020: filename sanitization problem in GnuPG
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
901088: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901088
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gnupg1
Version: 1.4.21-4
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://dev.gnupg.org/T4012

Hi,

The following vulnerability was published for gnupg1. I'm aware this
is only the legacy packages, the issue though is present there and not
having the fix in buster will later on represent a regression from
updates from stretch. Thus the RC severity as well as reasoning.

CVE-2018-12020[0]:
filename sanitization problem in GnuPG

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-12020
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12020
[1] https://dev.gnupg.org/T4012

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: gnupg1
Source-Version: 1.4.21-4+deb9u1

We believe that the bug you reported is fixed in the latest version of
gnupg1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 901...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated gnupg1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 Jun 2018 22:19:01 +0200
Source: gnupg1
Binary: gnupg1 gnupg1-curl gpgv1 gpgv1.4-udeb gnupg1-l10n
Architecture: source
Version: 1.4.21-4+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian GnuPG-Maintainers <pkg-gnupg-ma...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 901088
Description: 
 gnupg1     - GNU privacy guard - a PGP implementation (deprecated "classic" ve
 gnupg1-curl - GNU privacy guard (cURL helpers for deprecated "classic" version)
 gnupg1-l10n - GNU privacy guard "classic" - localization files (deprecated)
 gpgv1      - GNU privacy guard - signature verification tool (deprecated "clas
 gpgv1.4-udeb - minimal signature verification tool (deprecated "classic" version (udeb)
Changes:
 gnupg1 (1.4.21-4+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * gpg: Sanitize diagnostic with the original file name (CVE-2018-12020)
     (Closes: #901088)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
