Your message dated Thu, 29 Jul 2010 01:17:16 +0000
with message-id <[email protected]>
and subject line Bug#559835: fixed in lam 7.1.2-1.6
has caused the Debian Bug report #559835,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
559835: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559835
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: lam
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool. I have determined that this package embeds a
vulnerable copy of the libtool source code. However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736
--- End Message ---
--- Begin Message ---
Source: lam
Source-Version: 7.1.2-1.6

We believe that the bug you reported is fixed in the latest version of
lam, which is due to be installed in the Debian FTP archive:

lam-mpidoc_7.1.2-1.6_all.deb
  to main/l/lam/lam-mpidoc_7.1.2-1.6_all.deb
lam-runtime_7.1.2-1.6_i386.deb
  to main/l/lam/lam-runtime_7.1.2-1.6_i386.deb
lam4-dev_7.1.2-1.6_i386.deb
  to main/l/lam/lam4-dev_7.1.2-1.6_i386.deb
lam_7.1.2-1.6.diff.gz
  to main/l/lam/lam_7.1.2-1.6.diff.gz
lam_7.1.2-1.6.dsc
  to main/l/lam/lam_7.1.2-1.6.dsc
liblam4_7.1.2-1.6_i386.deb
  to main/l/lam/liblam4_7.1.2-1.6_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <[email protected]> (supplier of updated lam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 27 Jul 2010 22:29:03 -0400
Source: lam
Binary: lam-mpidoc lam4-dev liblam4 lam-runtime
Architecture: source i386 all
Version: 7.1.2-1.6
Distribution: unstable
Urgency: medium
Maintainer: Camm Maguire <[email protected]>
Changed-By: Moritz Muehlenhoff <[email protected]>
Description:
 lam-mpidoc - Documentation for the Message Passing Interface standard
 lam-runtime - LAM runtime environment for executing parallel programs
 lam4-dev   - Development of parallel programs using LAM
 liblam4    - Shared libraries used by LAM parallel programs
Closes: 559835
Changes:
 lam (7.1.2-1.6) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix CVE-2009-3726 in the internal ltdl copy (Closes: #559835)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkxPnK4ACgkQXm3vHE4uylpjlgCgvtFmTwfStxoIYlVmPN6SzydM
T7sAoIJwpUlfvJF1e91vug8bGotr6Tpq
=HcGG
-----END PGP SIGNATURE-----
--- End Message ---