Your message dated Wed, 16 Dec 2009 03:33:55 +0000
with message-id <[email protected]>
and subject line Bug#559806: fixed in ggobi 2.1.9~20091212-1
has caused the Debian Bug report #559806,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
559806: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559806
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ggobi
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736

--- End Message ---
--- Begin Message ---
Source: ggobi
Source-Version: 2.1.9~20091212-1

We believe that the bug you reported is fixed in the latest version of
ggobi, which is due to be installed in the Debian FTP archive:

ggobi_2.1.9~20091212-1.diff.gz
  to main/g/ggobi/ggobi_2.1.9~20091212-1.diff.gz
ggobi_2.1.9~20091212-1.dsc
  to main/g/ggobi/ggobi_2.1.9~20091212-1.dsc
ggobi_2.1.9~20091212-1_i386.deb
  to main/g/ggobi/ggobi_2.1.9~20091212-1_i386.deb
ggobi_2.1.9~20091212.orig.tar.gz
  to main/g/ggobi/ggobi_2.1.9~20091212.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dirk Eddelbuettel <[email protected]> (supplier of updated ggobi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 10 Dec 2009 22:53:59 -0600
Source: ggobi
Binary: ggobi
Architecture: source i386
Version: 2.1.9~20091212-1
Distribution: unstable
Urgency: low
Maintainer: Dirk Eddelbuettel <[email protected]>
Changed-By: Dirk Eddelbuettel <[email protected]>
Description: 
 ggobi      - Data visualization system for high-dimensional data
Closes: 495390 559806
Changes: 
 ggobi (2.1.9~20091212-1) unstable; urgency=low
 .
   * New upstream pre-release built with new libltdl from libtool 2.2.6b
     in regards to CVE-2009-3736[0]                     (Closes: #559806)
 .
   * debian/patches:
     - 01_graphviz.patch: two lines carried over from previous ggobi
       and needed as Debian's graphviz seems to be too old
     - 02_manual.patch: switch to using includegraphics in latex
 .
   * debian/control: Added latex toolchain to Build-Depends: to support
     upstream change of building manual                 (Closes: #495390)
 .
   * debian/control: Added Build-Depends on libltdl-dev (>= 2.2.6b)
   * debian/rules: Add --without-included-ltdl to configure call
 .
   * debian/control: Added Build-Depends: on libtool (>= 2.2.6b), autoconf
     gettext, cvs, automake, gob2 in order to run './bootstrap' as this is
     straight from SVN
   * debian/rules: Added ./bootstrap call
 .
   * debian/control: Increased Standard-Version: to 3.8.3

--- End Message ---
