Your message dated Sat, 09 Feb 2019 13:19:14 +0000
with message-id <[email protected]>
and subject line Bug#921816: fixed in gvfs 1.38.1-3
has caused the Debian Bug report #921816,
regarding gvfs: CVE-2019-3827: Incorrect authorization in admin backend allows
privileged users to read and modify arbitrary files without prompting for
password
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
921816: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921816
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gvfs
Version: 1.38.1-2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/gvfs/issues/355
Control: found -1 1.30.4-1
Hi,
The following vulnerability was published for gvfs.
CVE-2019-3827[0]:
|Incorrect authorization in admin backend allows privileged users to
|read and modify arbitrary files without prompting for password
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-3827
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3827
[1] https://gitlab.gnome.org/GNOME/gvfs/issues/355
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gvfs
Source-Version: 1.38.1-3
We believe that the bug you reported is fixed in the latest version of
gvfs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated gvfs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 09 Feb 2019 12:02:33 +0000
Source: gvfs
Architecture: source
Version: 1.38.1-3
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers
<[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 921816
Changes:
gvfs (1.38.1-3) unstable; urgency=high
.
* Team upload
* d/p/admin-Prevent-access-if-any-authentication-agent-isn-t-av.patch:
Add patch from upstream to prevent members of the sudo group from
bypassing the intended password check for privileged access to files
via the admin: backend if no polkit authentication agents are
available (CVE-2019-3827, Closes: #921816)
* d/p/*: Update to upstream gnome-3-30 branch, commit 1.38.1-9-gd4dab113
- admin: Fix CVE-2019-3827 (see above)
- autorun: Don't crash if an autorun file is not valid UTF-8
- mtp: Don't busy-loop retrying reading an event after failure
- udisks2: Reinstate support for deprecated comment=x-gvfs-show fstab
option syntax (but please use x-gvfs-show instead)
- tests: Use the right SMB port if running in the sandbox
- Update translations: eu, sk, sr
* d/gbp.conf: Configure for debian/buster and upstream/1.38.x branches
* d/control: Use debian/buster branch in Vcs-Git
Checksums-Sha1:
63068733b36a9cb18b17f410456c806dfc0ad754 3392 gvfs_1.38.1-3.dsc
89bc952bb5e38731ee3dd03510b8ced6cc3d498b 59108 gvfs_1.38.1-3.debian.tar.xz
3d46aadcb3d28ae25d2055d9aab1cc0ba49df611 18639 gvfs_1.38.1-3_source.buildinfo
Checksums-Sha256:
3b385c16680a828148a61cec7b05f60410bd088ff7711128d3fb962627d5a797 3392
gvfs_1.38.1-3.dsc
766fa4fc44a491d4ceb466122d4d7dcdd63005410269b955f3bf2011f7b3d9a0 59108
gvfs_1.38.1-3.debian.tar.xz
b24a3c620bc2fdfec55994010d745ff00a794d71ca97da847633967d7ed062c9 18639
gvfs_1.38.1-3_source.buildinfo
Files:
b915fefe4cbe56f359b2141c36dd3675 3392 gnome optional gvfs_1.38.1-3.dsc
4e1fbd51872839437faffaf366708509 59108 gnome optional
gvfs_1.38.1-3.debian.tar.xz
6a63d135ff6e0783975e112c9b9067ee 18639 gnome optional
gvfs_1.38.1-3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAlxezsgACgkQ4FrhR4+B
TE8SeA/6AlwCRypT6meBP56FjMX74lHx4u5HO+xP7wrkRrqoaxgWHf1XWgpWyb63
EWgaIehfGN4qErgahju3BGJO1tRTF4viNUhaxF94u2mQscyttgaCMSHbAaGa37A+
Mg9n9tgYua5gJxa1XnWQ5dh/aZ9adIbFgWdhjpXSe+rsgabzG6R3MVcPDtT9Lm9n
4o30OaEwn+mSfbQMKTFEF+yI03qEWbtTr3GUpNVCqWg9pVwkqvxYDMNyamxGhQaQ
HjxFLK1kihfb/1oHuC3h2og9+wC1pdI+czdSJIjMhrkcejr5t+SaqlfAaPImc2fI
SEzz21lOeuPXwW0nXjCww/GKDPxXS5x01iR1m/es4+O5DB3vCOg0+Mx7rExu/tva
CdAhm5dK6M+OPVHZjwOKv+xqrG3X7j3/p7vFE54XPfY+qsSazhAesf8LkRSBpDxt
LEwQcXIbSSqmaUJjaSrH0Mqs5I8cHa+fa8RWiasg3/aGZQ9dBK6gGRMLos8A4skA
vxTPwmv4/2FgOrIf8mPqMOeXlL5mwFFgPZthWymhEazir5cdzj7Xx/w7mImopbj5
XZhZwofW/5x3bZ9vHpji2ntjMerQ1ifj3xwU3pylX2nLbSxaiGcn4dO6ADPkz5XM
Pmrx4tyfgVZWmXGYNe46OCzPwzlCtUiAZEi30xum/6BXvPAVCWk=
=sbkk
-----END PGP SIGNATURE-----
--- End Message ---
