Your message dated Fri, 28 Sep 2018 17:05:22 +0000
with message-id <e1g5wcg-000j1o...@fasolo.debian.org>
and subject line Bug#864800: fixed in libmail-deliverystatus-bounceparser-perl 1.542+repacked-1
has caused the Debian Bug report #864800,
regarding Mail::DeliveryStatus::BounceParser contains a live virus and some real spam/phishing mails
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
864800: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864800
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libmail-deliverystatus-bounceparser-perl
Version: 1.531-1
Severity: serious
X-Debbugs-CC: Ricardo Signes <r...@cpan.org>
Control: forwarded -1 Ricardo Signes <r...@cpan.org>
Control: found -1 1.536-1
Control: found -1 1.542-1
User: debian-ad...@lists.debian.org
Usertags: needed-by-DSA-Team

The Mail::DeliveryStatus::BounceParser source contains a live virus and
some real spam/phishing mails. This is leading to Netcraft and other
virus detection systems on the Internet reporting Debian mirrors as
malicious, which potentially reduces the reputation of debian.org on
various anti-spam and anti-malware services. Please fix this in
upstream git, with a new release on CPAN and in all Debian suites.

https://incident.netcraft.com/w/b0d11ab53944/
https://incident.netcraft.com/w/ffb6f95e5301/

To fix this you will need to strip the account-password.zip attachment
from t/corpus/virus-caused-multiple-weird-reports.msg and if possible
strip the phishing/spam content from the other files, while ensuring
that the tests still pass despite changes to the corpus but that the
new files in the corpus do not trip any anti-virus checkers:

https://www.virustotal.com/

$ clamdscan --fdpass --infected | sed "s|`pwd`/||"
t/corpus/virus-caused-multiple-weird-reports.msg: Win.Worm.Mytob-331 FOUND
t/corpus/spam-with-badly-parsed-email.msg: Sanesecurity.Phishing.Ivt.6456.UNOFFICIAL FOUND
t/corpus/spam-lots-of-bogus-addresses.msg: Sanesecurity.Spam.8684.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
Time: 0.087 sec (0 m 0 s)

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


--- End Message ---
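
The report above asks for the account-password.zip attachment to be stripped from the corpus file without breaking the tests that parse it. As an added illustration (not code from the report, the module or the Debian package), this Python example neutralises a named attachment while leaving the MIME part in place; the function names, the placeholder text and the sample message are constructed assumptions.

```python
import email

PLACEHOLDER = "[attachment removed from test corpus]\n"

# Constructed sample: a two-part message whose attachment holds harmless
# base64 text, standing in for a corpus file that carries a flagged payload.
SAMPLE = b"""\
From: sender@example.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/zip; name="account-password.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="account-password.zip"

Y29uc3RydWN0ZWQgaGFybWxlc3MgYnl0ZXM=
--b1--
"""

def strip_attachments(raw, blocked):
    """Neutralise every MIME part whose filename is in `blocked`.

    The part and its headers stay in place, so the multipart layout the
    parser tests exercise is unchanged; only the payload is replaced.
    """
    msg = email.message_from_bytes(raw)
    removed = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or name is None or name.lower() not in blocked:
            continue
        del part["Content-Transfer-Encoding"]  # placeholder is plain 7-bit text
        part.set_type("text/plain")            # keeps the name= parameter
        part.set_payload(PLACEHOLDER)
        removed.append(name)
    return msg.as_bytes(), removed

def leaf_parts(raw):
    """(content type, filename) of each non-multipart part, in order."""
    msg = email.message_from_bytes(raw)
    return [(p.get_content_type(), p.get_filename())
            for p in msg.walk() if not p.is_multipart()]
```

After rewriting a corpus file this way, rerun the clamdscan command from the report and the module's test suite to confirm that the file no longer triggers a detection and that the tests still pass.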
--- Begin Message ---
Source: libmail-deliverystatus-bounceparser-perl
Source-Version: 1.542+repacked-1

We believe that the bug you reported is fixed in the latest version of
libmail-deliverystatus-bounceparser-perl, which is due to be installed in the 
Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <y...@debian.org> (supplier of updated libmail-deliverystatus-bounceparser-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 28 Sep 2018 13:48:12 +0200
Source: libmail-deliverystatus-bounceparser-perl
Binary: libmail-deliverystatus-bounceparser-perl
Architecture: source
Version: 1.542+repacked-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: Xavier Guimard <y...@debian.org>
Closes: 864800
Description: 
 libmail-deliverystatus-bounceparser-perl - module for analyzing bounce messages
Changes:
 libmail-deliverystatus-bounceparser-perl (1.542+repacked-1) unstable; urgency=medium
 .
   * Team upload
 .
   [ gregor herrmann ]
   * debian/copyright: change Copyright-Format 1.0 URL to HTTPS.
   * Remove Nathan Handler from Uploaders. Thanks for your work!
 .
   [ Salvatore Bonaccorso ]
   * Update Vcs-* headers for switch to salsa.debian.org
 .
   [ Xavier Guimard ]
   * Repack excluding viruses found by uscan (Closes: #864800)
   * Declare compliance with policy 4.2.1
   * Remove dependency to libtest-simple-perl (>= 0.94)
   * Bump debhelper compatibility to 10

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
