Your message dated Fri, 09 Sep 2011 01:55:08 +0000
with message-id <[email protected]>
and subject line Bug#640028: fixed in bcfg2 1.0.1-3+squeeze1
has caused the Debian Bug report #640028,
regarding Unescaped shell command vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
640028: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640028
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bcfg2-server
Version: 1.1.2-1
Severity: critical
Tags: security pending patch
All released stable versions of the bcfg2-server contain several cases
where data from the client is used in a shell command without properly
escaping it first. The 1.2 prerelease series has been fixed.
At least the SSHbase plugin has been confirmed as being exploitable.
This is a remote root hole, which requires that the SSHbase plugin is
enabled and that the attacker has control of a bcfg2 client machine.
See
https://github.com/solj/bcfg2/commit/f4a35efec1b6a1e54d61cf1b8bfc83dd1d89eef7
for the original security fix, and
https://github.com/solj/bcfg2/commit/46795ae451ca6ede55a0edeb726978aef4684b53
for the backport to the 1.1 series.
--
Arto Jantunen
--- End Message ---
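To make the bug class in the report above concrete, here is an added illustration (not bcfg2's own code and not the patch referenced in the report): it assumes the server turns a hostname reported by the client into a command line for a helper such as ssh-keygen, and contrasts the string-interpolated shape that a shell would interpret with a validated argv-list shape that never reaches a shell.

```python
"""Client-supplied data in a server-side command: unsafe vs. hardened shape.

Constructed example, not bcfg2's code. Assumption: the server needs to run a
helper (ssh-keygen here) on a file whose name is derived from the hostname the
client reports, so that hostname is attacker-controlled from the server's view.
"""
import re
import shlex
import subprocess

# Conservative hostname grammar: RFC 1123 labels (1-63 chars, no leading or
# trailing hyphen) joined by dots, 253 chars total at most.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_command_unsafe(hostname: str) -> str:
    """Vulnerable shape: the value is interpolated into one string that is
    later handed to a shell (os.system, os.popen, shell=True). Every shell
    metacharacter in `hostname` becomes part of the command itself."""
    return "ssh-keygen -q -N '' -t rsa -f /var/lib/keys/%s.key" % hostname


def validate_hostname(hostname: str) -> str:
    """Reject anything that is not a plain hostname before it is used."""
    if not _HOSTNAME_RE.match(hostname):
        raise ValueError("rejected client-supplied hostname: %r" % hostname)
    return hostname


def build_command_safe(hostname: str) -> list:
    """Hardened shape: validate first, then build an argv list. With a list
    and shell=False there is no shell to interpret the value at all."""
    hostname = validate_hostname(hostname)
    return ["ssh-keygen", "-q", "-N", "", "-t", "rsa",
            "-f", "/var/lib/keys/%s.key" % hostname]


def run_safe(hostname: str) -> subprocess.CompletedProcess:
    """Execute the hardened command without a shell."""
    return subprocess.run(build_command_safe(hostname), check=True, shell=False)


def needs_shell_quoting(value: str) -> bool:
    """Audit helper: True when a shell would not take `value` literally, i.e.
    when shlex.quote has to wrap it. Useful for scanning logged client data."""
    return shlex.quote(value) != value
```

The audit helper is the quick check to run over whatever client-reported values a server already logs; the validator is the control that belongs at the trust boundary.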
--- Begin Message ---
Source: bcfg2
Source-Version: 1.0.1-3+squeeze1
We believe that the bug you reported is fixed in the latest version of
bcfg2, which is due to be installed in the Debian FTP archive:
bcfg2-server_1.0.1-3+squeeze1_all.deb
to main/b/bcfg2/bcfg2-server_1.0.1-3+squeeze1_all.deb
bcfg2_1.0.1-3+squeeze1.debian.tar.gz
to main/b/bcfg2/bcfg2_1.0.1-3+squeeze1.debian.tar.gz
bcfg2_1.0.1-3+squeeze1.dsc
to main/b/bcfg2/bcfg2_1.0.1-3+squeeze1.dsc
bcfg2_1.0.1-3+squeeze1_all.deb
to main/b/bcfg2/bcfg2_1.0.1-3+squeeze1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Arto Jantunen <[email protected]> (supplier of updated bcfg2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 18 Aug 2011 20:06:06 +0300
Source: bcfg2
Binary: bcfg2 bcfg2-server
Architecture: source all
Version: 1.0.1-3+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Arto Jantunen <[email protected]>
Changed-By: Arto Jantunen <[email protected]>
Description:
bcfg2 - Configuration management client
bcfg2-server - Configuration management server
Closes: 640028
Changes:
bcfg2 (1.0.1-3+squeeze1) stable-security; urgency=high
.
* Apply patch from Chris St. Pierre to fix several problems with
unescaped shell commands (Closes: #640028).
--- End Message ---