Your message dated Tue, 23 Oct 2007 15:03:35 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#447341: fixed in hplip 1.6.10-4.3
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: hplip
Version: 1.6.10-3
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for hplip.
CVE-2007-5208[0]:
| hpssd in Hewlett-Packard Linux Imaging and Printing Project (hplip)
| 1.x and 2.x before 2.7.10 allows context-dependent attackers to
| execute arbitrary commands via shell metacharacters in a from address,
| which is not properly handled when invoking sendmail.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
You can find a patch on:
http://launchpadlibrarian.net/9737865/90_subprocess_replacement.dpatch
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5208
Kind regards
Nico
--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgp5rZJb4eWXD.pgp
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: hplip
Source-Version: 1.6.10-4.3
We believe that the bug you reported is fixed in the latest version of
hplip, which is due to be installed in the Debian FTP archive:
hpijs-ppds_2.6.10+1.6.10-4.3_all.deb
to pool/main/h/hplip/hpijs-ppds_2.6.10+1.6.10-4.3_all.deb
hpijs_2.6.10+1.6.10-4.3_i386.deb
to pool/main/h/hplip/hpijs_2.6.10+1.6.10-4.3_i386.deb
hplip-data_1.6.10-4.3_all.deb
to pool/main/h/hplip/hplip-data_1.6.10-4.3_all.deb
hplip-dbg_1.6.10-4.3_i386.deb
to pool/main/h/hplip/hplip-dbg_1.6.10-4.3_i386.deb
hplip-doc_1.6.10-4.3_all.deb
to pool/main/h/hplip/hplip-doc_1.6.10-4.3_all.deb
hplip_1.6.10-4.3.diff.gz
to pool/main/h/hplip/hplip_1.6.10-4.3.diff.gz
hplip_1.6.10-4.3.dsc
to pool/main/h/hplip/hplip_1.6.10-4.3.dsc
hplip_1.6.10-4.3_i386.deb
to pool/main/h/hplip/hplip_1.6.10-4.3_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated hplip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 22 Oct 2007 10:31:55 +0200
Source: hplip
Binary: hpijs hplip-data hpijs-ppds hplip hplip-doc hplip-dbg
Architecture: source all i386
Version: 1.6.10-4.3
Distribution: unstable
Urgency: high
Maintainer: Henrique de Moraes Holschuh <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
hpijs - HP Linux Printing and Imaging - gs IJS driver (hpijs)
hpijs-ppds - HP Linux Printing and Imaging - HPIJS PPD files
hplip - HP Linux Printing and Imaging System (HPLIP)
hplip-data - HP Linux Printing and Imaging - data files
hplip-dbg - HP Linux Printing and Imaging - debugging information
hplip-doc - HP Linux Printing and Imaging - documentation
Closes: 447341
Changes:
hplip (1.6.10-4.3) unstable; urgency=high
.
* Non-maintainer upload by testing security team.
* Included CVE-2007-5208.dpatch to fix
arbitrary command execution in hpssd via crafted from address
because of missing sanitization (CVE-2007-5208) (Closes: #447341).
Files:
094ed210c3e1374d2c9e068c641a00ee 887 utils optional hplip_1.6.10-4.3.dsc
b2651411d5f37b2bd99337546990dd1e 257667 utils optional hplip_1.6.10-4.3.diff.gz
f40a568a2e2f3c7a1654d0474261d78a 1770786 utils optional
hpijs-ppds_2.6.10+1.6.10-4.3_all.deb
c11cd71b7be641a405a5e7ca4995f5bc 6293596 utils optional
hplip-data_1.6.10-4.3_all.deb
2a3dbd90fdf501de5dcd0811bc8329cd 1620382 doc optional
hplip-doc_1.6.10-4.3_all.deb
ad73bce3e5307892ea791e6210a953a2 345666 text optional
hpijs_2.6.10+1.6.10-4.3_i386.deb
183ce57f0381efe640450d0283e8a5c0 567272 utils optional
hplip_1.6.10-4.3_i386.deb
cfe0d661472fb502b0e2539c054e47c3 820162 utils extra
hplip-dbg_1.6.10-4.3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHHgdeHYflSXNkfP8RAmDiAKCREhxx6FS741kRH5JJBWnJLz3rcwCfSiwv
NL4m5BK9IPeHTjTNZ90rQd0=
=6B1e
-----END PGP SIGNATURE-----
--- End Message ---
