Your message dated Mon, 13 Oct 2008 21:32:43 +0000 with message-id <[EMAIL PROTECTED]> and subject line Bug#475221: fixed in mondo 1:2.2.7-1 has caused the Debian Bug report #475221, regarding mondo: CVE-2008-1633 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.)

--
475221: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475221
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: mondo
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was published for mondo.

CVE-2008-1633[0]:
| Unspecified vulnerability in Mondo Rescue before 2.2.5 has unknown
| impact and attack vectors, related to the use of (1) /tmp and (2)
| MINDI_CACHE.

Since you (as co-upstream maintainer) didn't specify any useful description or parts of source code when you fixed this, you get this poor description ;)

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

BTW, grepping the source code for /tmp does show a lot of hardcoded tmp paths in the source code and shipped scripts (ide-opt e.g). Are you sure all of these are secure and not possible to exploit via symlinks? I did not check this in detail because I have no idea how mondo is really used and if this would apply in mondo usage scenarios but it's bad coding style anyway.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1633
    http://security-tracker.debian.net/tracker/CVE-2008-1633

--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
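
The symlink concern raised in the report above, shown from the defensive side as an added C example (it is not mondo's code and not the upstream fix, which the page does not describe): creating a file at a predictable name with `O_CREAT | O_EXCL`, or letting `mkstemp()` choose the name, refuses a symlink that already sits at that path. The function names, the scratch directory and the file names are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fixed name, hardened: with O_CREAT|O_EXCL, open() fails with EEXIST if
 * anything already exists at the path, including a dangling symlink. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates the file
 * atomically, owner-only. tmpl must end in "XXXXXX". */
int create_private(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Constructed scenario: a scratch directory stands in for /tmp and a symlink
 * already sits at the predictable name. Returns 0 if every check holds. */
int demo(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";
    char fixed[64], victim[64], tmpl[64];
    struct stat st;
    int fd, rc = 0;

    if (!mkdtemp(dir)) return -1;
    snprintf(fixed, sizeof fixed, "%s/app.cache", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpl, sizeof tmpl, "%s/app.XXXXXX", dir);
    if (symlink(victim, fixed) != 0) return -1;

    fd = create_exclusive(fixed);
    if (fd != -1 || errno != EEXIST) rc |= 1;   /* symlink must be refused */
    if (fd != -1) close(fd);
    if (lstat(victim, &st) == 0) rc |= 2;       /* target must not appear */
    fd = create_private(tmpl);
    if (fd == -1 || fstat(fd, &st) != 0 || (st.st_mode & 077) != 0) rc |= 4;
    if (fd != -1) close(fd);
    unlink(tmpl); unlink(fixed); unlink(victim); rmdir(dir);
    return rc;
}

int main(void) { return demo(); }
```

A plain `fopen(path, "w")` on the same fixed name would follow the symlink and create or truncate its target, which is why hardcoded names in a world-writable directory are flagged in review.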
--- Begin Message ---
Source: mondo
Source-Version: 1:2.2.7-1

We believe that the bug you reported is fixed in the latest version of mondo, which is due to be installed in the Debian FTP archive:

mondo-doc_2.2.7-1_all.deb
  to pool/main/m/mondo/mondo-doc_2.2.7-1_all.deb
mondo_2.2.7-1.diff.gz
  to pool/main/m/mondo/mondo_2.2.7-1.diff.gz
mondo_2.2.7-1.dsc
  to pool/main/m/mondo/mondo_2.2.7-1.dsc
mondo_2.2.7-1_amd64.deb
  to pool/main/m/mondo/mondo_2.2.7-1_amd64.deb
mondo_2.2.7.orig.tar.gz
  to pool/main/m/mondo/mondo_2.2.7.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andree Leidenfrost <[EMAIL PROTECTED]> (supplier of updated mondo package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 13 Oct 2008 21:24:05 +1100
Source: mondo
Binary: mondo mondo-doc
Architecture: source amd64 all
Version: 1:2.2.7-1
Distribution: unstable
Urgency: high
Maintainer: Andree Leidenfrost <[EMAIL PROTECTED]>
Changed-By: Andree Leidenfrost <[EMAIL PROTECTED]>
Description:
 mondo      - powerful disaster recovery suite
 mondo-doc  - manual for Mondo, a powerful disaster recovery suite
Closes: 355751 409291 414948 431685 440463 441784 450893 475221
Changes:
 mondo (1:2.2.7-1) unstable; urgency=high
 .
   * New upstream release:
     - closes: #355751 (cf. upstream bug 63);
     - closes: #409291, #414948, #440463, #441784 (floppy creation and the
       -F option have been removed upstream);
     - closes: #450893, #475221.
   * Changes and additions to upstream source:
     - replaced all occurrences of mkisofs with genisoimage because this is
       what Debian contains - following files are affected: my-stuff.h,
       libmondo-tools.c, libmondo-fork.c, libmondo-archive.c;
     - replaced all occurrences of cdrecord with wodim because this is what
       Debian contains - following files are affected: libmondo-stream.c,
       libmondo-fork.c, libmondo-cli.c, libmondo-archive.c,
       libmondo-devices.c;
     - call ntfsresize with --bad-sectors option to get a size for NTFS
       volumes that have bad hardware sectors;
     - call ntfsclone with --rescue option to save as much of an NTFS volume
       as possible in case data is actually stored in bad sectors.
   * Packaging changes:
     - introduced epoch and reverted to upstream versioning;
     - adjusted rules and mondo-doc.docs files to reflect change in upstream
       documentation structure;
     - new proper copyright line with years and names in copyright file;
     - make use of new Homepage field in control file;
     - replaced invalid Section 'utils' with 'File Management' to be in line
       with doc-base manual 0.8.16;
     - replaced dependency on obsolete package cdrecord with wodim
       (closes: #431685 - mkisofs dependency changed in mindi, library
       dependencies updated via rebuilt);
     - changed standards version to 3.8.0 without further changes;
     - depend on mindi 1:2.0.4 or higher;
     - removed superfluous space character from mondo-doc.doc-base (fixes
       lintian warning);
     - replace /var/cache/mondo-archive with /var/cache/mondo in mondo.docs
       because this is what upstream (now) uses;
     - the howto is now just a single html file called
       mondorescue-howto.html so we use this as Index in mondo-doc.doc-base
       (fixes lintian warning).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjzI/QACgkQiLvX3b2IzayG0ACeI7tQ+7wQufx8HbmcakvYVjG8
by8AoJy/sYyMrGdFVpnpm4VkCe8VWLVm
=ENAE
-----END PGP SIGNATURE-----
--- End Message ---