Your message dated Tue, 09 Oct 2018 11:49:22 +0000
with message-id <[email protected]>
and subject line Bug#900133: fixed in open-build-service 2.7.4-3
has caused the Debian Bug report #900133,
regarding open-build-service: CVE-2017-5188: worker VM escape via relative symbolic links
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
900133: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900133
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: open-build-service
Version: 2.7.1-10
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for open-build-service.

CVE-2017-5188[0]:
| The bs_worker code in open build service before 20170320 followed
| relative symlinks, allowing reading of files outside of the package
| source directory during build, allowing leakage of private
| information.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5188
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5188
[1] https://github.com/openSUSE/open-build-service/commit/00ec3c6f4132422f00d5c15e854755c331ef1661
[2] https://bugzilla.suse.com/show_bug.cgi?id=1029824
[3] https://github.com/openSUSE/open-build-service/commit/ba27c91351878bc297ec4baba0bd488a2f3b568d

Regards,
Salvatore

--- End Message ---
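The CVE text quoted in the report above describes the worker following relative symlinks out of the package source directory, so a link such as `../secret` inside a submitted package could expose host files during the build. The following is an added Python example, not code from open-build-service, the Debian package, or this bug thread, showing the containment check a build worker can apply to every symlink in a source tree before reading it: resolve the path with all symlink components expanded and require that the result still lies under the real source root. The directory layout and file names it constructs (`pkg/`, `secret.txt`, `leak`, `sub/deep`) are hypothetical sample data created in a temporary directory.

```python
"""Added example (not OBS code): reject symlinks that resolve outside a build's source directory."""
import os
import tempfile


def resolves_inside(source_dir: str, relative_path: str) -> bool:
    """Return True if relative_path, after every symlink component is resolved,
    still lies under the real location of source_dir.

    Comparing against root + os.sep (not a bare prefix) prevents a sibling
    directory such as /tmp/pkg-other from passing as if it were /tmp/pkg.
    """
    root = os.path.realpath(source_dir)
    target = os.path.realpath(os.path.join(root, relative_path))
    return target == root or target.startswith(root + os.sep)


def escaping_entries(source_dir: str) -> list:
    """Walk source_dir and return the relative paths of symlinks whose resolved
    target lies outside it.  Symlinked directories are listed but not descended
    (os.walk's default), so a link in a subdirectory is checked just like one
    at the top level without the walk itself following it off the tree."""
    root = os.path.realpath(source_dir)
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                rel = os.path.relpath(full, root)
                if not resolves_inside(root, rel):
                    bad.append(rel)
    return sorted(bad)


def build_demo_tree() -> tuple:
    """Construct a sample layout (hypothetical names) in a fresh temp dir:

        <tmp>/secret.txt                        outside the package source
        <tmp>/pkg/spec.txt                      an ordinary source file
        <tmp>/pkg/ok        -> spec.txt         relative link staying inside
        <tmp>/pkg/leak      -> ../secret.txt    relative link escaping the source
        <tmp>/pkg/sub/deep  -> ../../secret.txt escaping from a subdirectory

    Returns (tmpdir, source_dir)."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "pkg")
    os.makedirs(os.path.join(src, "sub"))
    with open(os.path.join(tmp, "secret.txt"), "w") as f:
        f.write("host-private data\n")  # constructed sample content
    with open(os.path.join(src, "spec.txt"), "w") as f:
        f.write("Name: example\n")  # constructed sample content
    os.symlink("spec.txt", os.path.join(src, "ok"))
    os.symlink("../secret.txt", os.path.join(src, "leak"))
    os.symlink("../../secret.txt", os.path.join(src, "sub", "deep"))
    return tmp, src


if __name__ == "__main__":
    _, source = build_demo_tree()
    for entry in ("spec.txt", "ok", "leak", "sub/deep"):
        print(f"{entry:10s} inside source: {resolves_inside(source, entry)}")
    print("escaping symlinks:", escaping_entries(source))
```

The check is done on the fully resolved path rather than on the link text, because a link target like `sub/../../secret.txt` or a chain of links can look harmless as a string and still leave the tree. A worker that applies `escaping_entries` to a package before copying its sources into the build environment can refuse the build and log the offending entries, which is also the event a defender would want to alert on.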
--- Begin Message ---
Source: open-build-service
Source-Version: 2.7.4-3

We believe that the bug you reported is fixed in the latest version of
open-build-service, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrew Lee (李健秋) <[email protected]> (supplier of updated open-build-service package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 13 Sep 2018 15:00:41 +0800
Source: open-build-service
Binary: obs-server obs-worker obs-api obs-productconverter obs-utils
Architecture: source
Version: 2.7.4-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <[email protected]>
Changed-By: Andrew Lee (李健秋) <[email protected]>
Description:
 obs-api    - Open Build Service (api)
 obs-productconverter - Open Build Service (product definition utility)
 obs-server - Open Build Service (server component)
 obs-utils  - Open Build Service (utilities)
 obs-worker - Open Build Service (build host component)
Closes: 872093 894778 900133
Changes:
 open-build-service (2.7.4-3) unstable; urgency=medium
 .
   [ Héctor Orón Martínez ]
   * Embed sanitize 4.0.0 ruby gem to fix breakage.
     - add obs-api runtime depends on ruby-nokogumbo and ruby-crass.
   * worker: document enable switch
   * worker: use /var/lib/obsworker as OBS_RUN_DIR
 .
   [ Andrew Lee (李健秋) ]
   * debian/gbp.conf: adjust gbp configuration file.
   * obs-worker: depends on fdisk | util-linux (<< 2.29.2-3~). (Closes:
     #872093)
   * CVE-2017-5188.patch: Apply upstream fixes for
     CVE-2017-5188.(Closes:#900133)
   * fix-kiwitree-symlink.patch: cherry-pick bad code fix from upstream.
   * Handle links properly when doing backend build operations.
   * Make passenger rubyapp run as obsapi user.
   * Update correct group permission for rb_sysopen.
 .
   [ Lucas Kanashiro ]
   * Remove patches related to ruby2.3.
   * Add patch to use ruby provided by the system instead of ruby2.3.
     (Closes:#894778)
 .
   [ Andrew Lee (李健秋) ]
   * Drop superseded dh-systemd with debhelper (>= 9.20160709).
   * Add missing fix-sphinx.patch into series file.
Checksums-Sha1:
 d36da6fae97a5a827d8e446c22c2064a5700894a 3299 open-build-service_2.7.4-3.dsc
 f7fe6d0ac00bb437173aa6320973d1e03d3579e6 216576 open-build-service_2.7.4-3.debian.tar.xz
 baa89cb6867b2662e4eeb8c6e6247b33158a6150 7720 open-build-service_2.7.4-3_source.buildinfo
Checksums-Sha256:
 8e715b37c1a450cd91ee927230460dc831618d6c6f21a7caac626bb4e2162c9c 3299 open-build-service_2.7.4-3.dsc
 f9b6e1a395a5f1026835a442c4d1c161dad888425a0c43a262cf13ed5efc2227 216576 open-build-service_2.7.4-3.debian.tar.xz
 35cbd85d8ef6b1b0a05db113c85e4f31c2b1211f8609456713fb7c2b553859df 7720 open-build-service_2.7.4-3_source.buildinfo
Files:
 8d8794b308f238cf6be0422cee43bc71 3299 devel optional open-build-service_2.7.4-3.dsc
 5bcb173824a95588a88f3c44684a5456 216576 devel optional open-build-service_2.7.4-3.debian.tar.xz
 6f503fa3fb2983d80443686350acd79f 7720 devel optional open-build-service_2.7.4-3_source.buildinfo


--- End Message ---
