Your message dated Sat, 22 Jan 2005 16:02:05 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#284117: fixed in prozilla 1:1.3.7.3-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 3 Dec 2004 20:37:08 +0000
From [EMAIL PROTECTED] Fri Dec 03 12:37:08 2004
Return-path: <[EMAIL PROTECTED]>
Received: from kitenet.net [64.62.161.42] (postfix)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CaKAu-0007N0-00; Fri, 03 Dec 2004 12:37:08 -0800
Received: from dragon.kitenet.net (unknown [66.168.94.144])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
by kitenet.net (Postfix) with ESMTP id F341818068
for <[EMAIL PROTECTED]>; Fri, 3 Dec 2004 20:37:06 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
id 640C36E508; Fri, 3 Dec 2004 15:38:39 -0500 (EST)
Date: Fri, 3 Dec 2004 15:38:39 -0500
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: remotely exploitable buffer overflow (CAN-2004-1120)
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="ZGiS0Q5IWpPtfppv"
Content-Disposition: inline
X-Reportbug-Version: 3.2
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
--ZGiS0Q5IWpPtfppv
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: prozilla
Version: 1:1.3.6-12
Severity: grave
Tags: security
CAN-2004-1120 describes a remote buffer overflow in prozilla:
Multiple buffer overflows in (1) http.c, (2) http-retr.c, (3) main.c and
other code that handles network protocols in ProZilla 1.3.6-r2 and
earlier allow remote servers to execute arbitrary code via a long
Location header.
There is an exploit in the wild for this bug, see
http://www.securityfocus.com/archive/1/382219
There's no patch for this that I know of. Gentoo removed the package and
issued an advisory recommending their users stop using it.
-- 
see shy jo
--ZGiS0Q5IWpPtfppv
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBsM7Pd8HHehbQuO8RAmRlAKDNdulUxRB4YeAEM6Qqn4fT6LDKawCfQIDG
0hUCYUehu4t/ARrfDTkOI6c=
=mDtZ
-----END PGP SIGNATURE-----
--ZGiS0Q5IWpPtfppv--
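The report above describes a remote buffer overflow triggered by a long Location header in the HTTP handling code. The following C routine is an added illustration, not prozilla's code and not part of the bug report: it shows the defensive pattern that removes this class of bug, a header parser that measures the value against the destination buffer before copying and refuses over-long values instead of truncating or overrunning. The header name, the limit `MAX_LOCATION` and the sample lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Constructed illustration (not prozilla's code). The vulnerable pattern
 * behind an overflow like CAN-2004-1120 is an unbounded copy of a header
 * value into a fixed-size stack buffer. Here the copy is bounded by the
 * destination size and an over-long value is reported as an error. */

#define MAX_LOCATION 1024   /* assumed limit for a redirect target */

/* Returns 1 if `line` is a Location header whose value fits in `out`
 * (capacity `outsz`), copying the value without CR/LF into `out`.
 * Returns 0 if the line is some other header.
 * Returns -1 if the value does not fit: the caller must abandon the
 * redirect rather than silently truncate the URL. */
int parse_location_header(const char *line, char *out, size_t outsz)
{
    static const char name[] = "Location:";
    size_t nlen = sizeof(name) - 1;
    size_t i, vlen;
    const char *value;

    if (outsz == 0)
        return -1;

    /* header names are case-insensitive */
    for (i = 0; i < nlen; i++) {
        if (line[i] == '\0' ||
            tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    }
    value = line + nlen;
    while (*value == ' ' || *value == '\t')
        value++;

    /* measure the value up to end-of-line, never beyond the buffer limit */
    vlen = 0;
    while (value[vlen] != '\0' && value[vlen] != '\r' && value[vlen] != '\n') {
        if (vlen + 1 >= outsz)      /* keep room for the terminator */
            return -1;
        vlen++;
    }
    memcpy(out, value, vlen);
    out[vlen] = '\0';
    return 1;
}

/* Constructed sample inputs exercising the three outcomes. */
int sample_ok_accepted(void)
{
    char buf[64];
    int rc = parse_location_header("Location: http://example.invalid/a\r\n",
                                   buf, sizeof buf);
    return rc == 1 && strcmp(buf, "http://example.invalid/a") == 0;
}

int sample_other_header_ignored(void)
{
    char buf[64];
    return parse_location_header("Content-Type: text/html\r\n",
                                 buf, sizeof buf) == 0;
}

int sample_overlong_rejected(void)
{
    char line[200];
    char buf[64];                   /* deliberately small destination */
    memset(line, 'A', sizeof line);
    memcpy(line, "Location: ", 10);
    line[sizeof line - 1] = '\0';   /* 189 'A's: far more than buf holds */
    return parse_location_header(line, buf, sizeof buf) == -1;
}

int main(void)
{
    printf("short header accepted: %d\n", sample_ok_accepted());
    printf("other header ignored:  %d\n", sample_other_header_ignored());
    printf("long header rejected:  %d\n", sample_overlong_rejected());
    return 0;
}
```

The point to carry into a review of any network-facing parser is the -1 path: the length of attacker-controlled data is checked against the destination before a single byte is copied, and a value that does not fit is an error that stops the operation, not something to squeeze into the buffer.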
---------------------------------------
Received: (at 284117-close) by bugs.debian.org; 22 Jan 2005 21:05:43 +0000
From [EMAIL PROTECTED] Sat Jan 22 13:05:43 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CsSRz-0002fj-00; Sat, 22 Jan 2005 13:05:43 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1CsSOT-0007KL-00; Sat, 22 Jan 2005 16:02:05 -0500
From: [EMAIL PROTECTED] (Guilherme de S. Pastore)
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#284117: fixed in prozilla 1:1.3.7.3-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Sat, 22 Jan 2005 16:02:05 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 2
Source: prozilla
Source-Version: 1:1.3.7.3-1
We believe that the bug you reported is fixed in the latest version of
prozilla, which is due to be installed in the Debian FTP archive:
prozilla_1.3.7.3-1.diff.gz
to pool/main/p/prozilla/prozilla_1.3.7.3-1.diff.gz
prozilla_1.3.7.3-1.dsc
to pool/main/p/prozilla/prozilla_1.3.7.3-1.dsc
prozilla_1.3.7.3-1_i386.deb
to pool/main/p/prozilla/prozilla_1.3.7.3-1_i386.deb
prozilla_1.3.7.3.orig.tar.gz
to pool/main/p/prozilla/prozilla_1.3.7.3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilherme de S. Pastore <[EMAIL PROTECTED]> (supplier of updated prozilla
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 22 Jan 2005 11:38:58 -0200
Source: prozilla
Binary: prozilla
Architecture: source i386
Version: 1:1.3.7.3-1
Distribution: unstable
Urgency: high
Maintainer: Guilherme de S. Pastore <[EMAIL PROTECTED]>
Changed-By: Guilherme de S. Pastore <[EMAIL PROTECTED]>
Description:
prozilla - multi-threaded download accelerator
Closes: 271736 284117 290218 290327
Changes:
prozilla (1:1.3.7.3-1) unstable; urgency=high
.
* New upstream release
- Fixes several remotely exploitable buffer overflows
(CAN-2004-1120). Closes: #284117
- Fixed wrong comments in ftp.h (Closes: #271736)
- Made http.c not display the password it's using (Closes: #290327)
* debian/control:
- Made first letter of package's description lowercase
* debian/copyright:
- Added copyright notice correctly (Closes: #290218)
* debian/patches:
- All patches removed, since all were applied upstream
* debian/rules:
- No longer include simple-patchsys.mk, we no longer have any patches
Files:
0171544e784e07dd1b10246884fe09cd 624 net optional prozilla_1.3.7.3-1.dsc
8e26555227ad4f752d8a97439a5cfc10 217390 net optional
prozilla_1.3.7.3.orig.tar.gz
efea51282ea67b89168b69403c7198f5 10742 net optional prozilla_1.3.7.3-1.diff.gz
458db0f88272264f28515238afe3ffc7 79778 net optional prozilla_1.3.7.3-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFB8rxCt1anjIgqbEsRAs+KAJ9F1wthWfgMohCOvWUe758QdNuAmwCgpTdD
dfBN/4N5QpH7MWeSy5EOSfU=
=BjP8
-----END PGP SIGNATURE-----