Your message dated Thu, 17 Feb 2022 11:20:18 +0000
with message-id <[email protected]>
and subject line Bug#1005921: fixed in php-crypt-gpg 1.6.7-1
has caused the Debian Bug report #1005921,
regarding CVE-2022-24953: Crypt_GPG <1.6.7 does not prevent additional options in GPG calls
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1005921: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005921
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: php-crypt-gpg
Version: 1.6.6-1
Severity: important
Tags: security upstream
Control: found -1 1.6.4-2
Control: found -1 1.6.6-1
Crypt_GPG upstream recently published for CVE-2022-24953: “The Crypt_GPG
extension before 1.6.7 for PHP does not prevent additional options in
GPG calls, which presents a risk for certain environments and GPG
versions.”
The fix is trivial:
https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04
.
Dunno if that warrants a DSA, but I'll prepare & test a debdiff for
bullseye-security or s-p-u.
--
Guilhem.
signature.asc
Description: PGP signature
--- End Message ---
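The CVE text quoted in the report names the bug class (caller-supplied operands reaching the gpg command line where gpg can parse them as options) but not where the library tripped over it. The Python below is an added, generic illustration of that class and of the check a reviewer would run over call sites; it is not Crypt_GPG code and does not describe the upstream commit. It assumes gpg is on PATH and that GnuPG's option parser stops at a `--` marker (GnuPG's argparse honours it); the builder names, the `0xDEADBEEF` key ID and the file names are made up for the example.

```python
"""Argument injection into a gpg argv: the bug class named by the
CVE-2022-24953 description, shown generically.

Constructed illustration, not Crypt_GPG code and not the upstream fix.
Assumptions: gpg is on PATH, and gpg treats "--" as end of options.
"""
import subprocess
from typing import List, Sequence

GPG_BINARY = "gpg"                       # assumption: gpg on PATH
FIXED_OPTIONS = ["--batch", "--no-tty"]  # the library's own, trusted options


def build_argv_unsafe(operation: Sequence[str], operands: Sequence[str]) -> List[str]:
    """Vulnerable pattern: caller-supplied operands (file names, key IDs)
    are appended straight after the options. gpg parses any token that
    starts with '-' as an option, so '--output=/tmp/evil' becomes one."""
    return [GPG_BINARY, *FIXED_OPTIONS, *operation, *operands]


def build_argv_safe(operation: Sequence[str], operands: Sequence[str]) -> List[str]:
    """Hardened pattern: refuse option-looking operands outright, and put
    '--' in front of the operands so gpg stops option parsing even if a
    future code path forgets the check."""
    for value in operands:
        if value.startswith("-"):
            raise ValueError(f"refusing option-like operand {value!r}")
    return [GPG_BINARY, *FIXED_OPTIONS, *operation, "--", *operands]


def injected_options(argv: Sequence[str], operands: Sequence[str]) -> List[str]:
    """Audit helper: which operands would gpg read as options in this argv?
    Any operand starting with '-' that sits before the first '--' marker."""
    argv = list(argv)
    stop = argv.index("--") if "--" in argv else len(argv)
    return [op for op in operands
            if op.startswith("-") and op != "--" and argv.index(op) < stop]


def run_gpg(argv: Sequence[str]) -> subprocess.CompletedProcess:
    """Invoke gpg as an argv list, no shell: the problem here is gpg's own
    option parsing, not shell metacharacters, so quoting does not help."""
    return subprocess.run(list(argv), capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed attacker-influenced operand: a "file name" that is really an option.
    hostile = ["--output=/tmp/evil", "message.txt"]
    encrypt = ["--encrypt", "--recipient", "0xDEADBEEF"]  # made-up key ID
    unsafe = build_argv_unsafe(encrypt, hostile)
    print("unsafe argv:", unsafe)
    print("parsed as options:", injected_options(unsafe, hostile))
    try:
        build_argv_safe(encrypt, hostile)
    except ValueError as exc:
        print("safe builder:", exc)
    print("safe argv:", build_argv_safe(["--verify"], ["message.txt.sig", "message.txt"]))
```

`injected_options` is the thing to run over an existing wrapper's argv construction: an empty result for every option-like operand you can think of means operands can no longer reach gpg's option parser. Rejecting values that start with `-` is stricter than strictly needed once `--` is in place, but it also covers wrappers that pass the same value to other tools.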
--- Begin Message ---
Source: php-crypt-gpg
Source-Version: 1.6.7-1
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
php-crypt-gpg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated php-crypt-gpg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 17 Feb 2022 11:36:52 +0100
Source: php-crypt-gpg
Architecture: source
Version: 1.6.7-1
Distribution: unstable
Urgency: high
Maintainer: Debian PHP PEAR Maintainers <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1005921
Changes:
php-crypt-gpg (1.6.7-1) unstable; urgency=high
.
* New upstream bugfix/security release, with fix for CVE-2022-24953:
Crypt_GPG <1.6.7 does not prevent additional options in GPG calls, which
presents a risk for certain environments and GPG versions.
(Closes: #1005921)
.
[ Guilhem Moulin ]
* d/watch: Use substitution strings.
* Update standards version to 4.6.0, no changes needed.
* Override lintian's 'very-long-line-length-in-source-file' tag for
tests/data-files.
Checksums-Sha1:
c27d39506dc5ac8504bcd1edc9ca78ce5bfa3d8f 2244 php-crypt-gpg_1.6.7-1.dsc
09dbf1918f170dafde17094d4c014891fc30370c 343957 php-crypt-gpg_1.6.7.orig.tar.gz
7ab1d293248b0cfe7dcb17dd465bc0feb6d43bb5 6580 php-crypt-gpg_1.6.7-1.debian.tar.xz
4a0c95638d30a9da86bd73dca041bcb4d904ee0e 8043 php-crypt-gpg_1.6.7-1_amd64.buildinfo
Checksums-Sha256:
14a09b769e04a2511f362712c1fe2c8817f59142ce068acdf9dc5e6aabcda8c1 2244 php-crypt-gpg_1.6.7-1.dsc
50bbc63a501bc379adeb0d2b88b50511fcac16f83776ed517a8947a0dcbd6334 343957 php-crypt-gpg_1.6.7.orig.tar.gz
3f0e3b143a163e83b5265508ba809d2c73f38f81f1898be50b14deaa9e146f49 6580 php-crypt-gpg_1.6.7-1.debian.tar.xz
bf2e676ffdd5b483cdd681d99a18c3cf9928f5332edd18c641eaf25eb56ef2b8 8043 php-crypt-gpg_1.6.7-1_amd64.buildinfo
Files:
f41ab90ac472fcff96a5193540a000b6 2244 php optional php-crypt-gpg_1.6.7-1.dsc
69ea135cf475d2f006adaecbf14ff926 343957 php optional php-crypt-gpg_1.6.7.orig.tar.gz
38bb4c1374b1a3c29d963dce0892853f 6580 php optional php-crypt-gpg_1.6.7-1.debian.tar.xz
5dd59206e16a8d94c6f3b08bec7f2f6f 8043 php optional php-crypt-gpg_1.6.7-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmIOKEIACgkQ05pJnDwh
pVIYaA//Vy9UWuayfClww15AwcabbEN/hm7Df9cTsEqqDUJek5zFOFPDK9RaUstt
bBb3/MBEHzXPxnKpzzmrLB1i+iKKs/yzqvZ2vwGGu4vfRDIfykaOTbh9XkAVelth
Qhas0GTIFZMRpoRO5BlZa7yJmI7V4yb3wur5E7PEfA5OKh90f8+KS5V2N8crnMcp
QzKIzSKS7K8WgjPtGIxbexH9KBZHpQXccuPCpvp1D7MltUFzsiya9g/2FSWpqszn
OoKPogcWySC4+iwnA7YiIZsEgWdMaZVsnFMnH3jlsmD0q9XPLcndrRAwtWNJHh8h
GFbFQbsC82UMJ6K2KtXRsvJ9FiR8vRXjEv8hpaKXoeJVZB1DU2L9LnLir9FdczX+
QSzMrsIKiUJmLgohXvd0000R4ph4HNfhaY7TpMnPn25D2mXhRYOyN4l84YsEmMoU
MVC1xwAOfysBl43DLR6/yjzc4gfgOkWmcPbwCGhcLOLSPaYeqBRXRNt5hAAv703z
K/As7raTHgloKO1JuqI/Km4yAxivgerTFpN00Buk73QPpZ+HfR0DXISonUYrtQ6e
NaVU7vUhoXivGnSvVKvRPgNUv27+gAxP4Ajecx5vgZdh0Lwp+5nD2v2YWbzm4veq
2CYqD/jD1VSxmt9NudZZ5WY1MHaIzNDXZ7zjSZx4lNIUJHUs0EE=
=vnae
-----END PGP SIGNATURE-----
--- End Message ---