Your message dated Fri, 22 Sep 2006 09:02:24 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#375617: fixed in spread 3.17.3-4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: spread
Severity: normal
Tags: security
Hi,
recently, a bug about insecure temporary file handling was filed in
Ubuntu [1]. After looking into the code, it does not seem that bad at
all (removal of an already existing file which might be important, and
a small race condition for a local DoS). However, it should be cleaned
up.
"On start, spread creates a file /tmp/PORTNUMBER where PORTNUMBER is
4803 by default.
If an existing file named /tmp/PORTNUMBER exists, it will be deleted
before a socket with the same name is created."
It probably does not deserve a CVE number, but now that it has got
one, please mention it in the changelog when you fix this
(CVE-2006-3118).
Can you please pass this to upstream?
Thanks,
Martin
[1] https://launchpad.net/bugs/44171
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
--- End Message ---
--- Begin Message ---
Source: spread
Source-Version: 3.17.3-4
We believe that the bug you reported is fixed in the latest version of
spread, which is due to be installed in the Debian FTP archive:
libspread-perl_3.17.3-4_amd64.deb
to pool/main/s/spread/libspread-perl_3.17.3-4_amd64.deb
libspread1-dev_3.17.3-4_amd64.deb
to pool/main/s/spread/libspread1-dev_3.17.3-4_amd64.deb
libspread1_3.17.3-4_amd64.deb
to pool/main/s/spread/libspread1_3.17.3-4_amd64.deb
spread_3.17.3-4.diff.gz
to pool/main/s/spread/spread_3.17.3-4.diff.gz
spread_3.17.3-4.dsc
to pool/main/s/spread/spread_3.17.3-4.dsc
spread_3.17.3-4_amd64.deb
to pool/main/s/spread/spread_3.17.3-4_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Mende <[EMAIL PROTECTED]> (supplier of updated spread package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 10 Sep 2006 12:13:43 +0200
Source: spread
Binary: libspread1-dev spread libspread1 libspread-perl
Architecture: source amd64
Version: 3.17.3-4
Distribution: unstable
Urgency: high
Maintainer: Michael Mende <[EMAIL PROTECTED]>
Changed-By: Michael Mende <[EMAIL PROTECTED]>
Description:
libspread-perl - Perl bindings for the Spread messaging service
libspread1 - C library for the Spread messaging service
libspread1-dev - Development files for libspread
spread - The Spread messaging daemon
Closes: 375617
Changes:
spread (3.17.3-4) unstable; urgency=high
.
* CVE-2006-3118: insecure temporary file handling (Closes: #375617)
* Build depends now on dpatch
* Update standards version to 3.7.2
Files:
615e82179bf9cad908afa5577d5fe3e2 702 net optional spread_3.17.3-4.dsc
61cab5b08c07c50b292d2abce836f7b5 10141 net optional spread_3.17.3-4.diff.gz
cdce64c483773cea3d2a592ab30e14e1 81346 libdevel optional libspread1-dev_3.17.3-4_amd64.deb
a4a2b415c3ede3283fd1ea97e338e0d7 56000 libs optional libspread1_3.17.3-4_amd64.deb
91aa02793a98984fcf7da2abf31b1e9b 31792 perl optional libspread-perl_3.17.3-4_amd64.deb
79e3fdfe67441882cf911e4e010463f3 201812 net optional spread_3.17.3-4_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFFAWE6n7So0GVSSARAuF1AJ4yA+cZlB6qSuIZ88UEBfo35xNaeQCfddO5
WtRSTTNP+ZZtNz2SGenAifs=
=JzTN
-----END PGP SIGNATURE-----
--- End Message ---