Your message dated Sat, 03 Nov 2018 16:23:50 +0000
with message-id <e1giyie-000fvj...@fasolo.debian.org>
and subject line Bug#910448: fixed in mgetty 1.2.1-1
has caused the Debian Bug report #910448,
regarding mgetty: CVE-2018-16741
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
910448: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=910448
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: mgetty
Version: 1.1.36-1
Severity: grave
Tags: patch security upstream
Control: fixed -1 1.1.36-3+deb9u1

Hi,

The following vulnerability was published for mgetty.

CVE-2018-16741[0]:
| An issue was discovered in mgetty before 1.2.1. In fax/faxq-helper.c,
| the function do_activate() does not properly sanitize shell
| metacharacters to prevent command injection. It is possible to use the
| ||, &&, or > characters within a file created by the "faxq-helper
| activate <jobid>" command.

The issue was fixed in DSA-4291-1 with 1.1.36-3+deb9u1 but not yet in
unstable and for buster, thus filing an RC bug to avoid the
regression for buster.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16741
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16741

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: mgetty
Source-Version: 1.2.1-1

We believe that the bug you reported is fixed in the latest version of
mgetty, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 910...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Barth <a...@ayous.org> (supplier of updated mgetty package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 06 Oct 2018 22:17:07 +0200
Source: mgetty
Binary: mgetty mgetty-fax mgetty-viewfax mgetty-voice mgetty-pvftools mgetty-docs
Architecture: source all
Version: 1.2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Andreas Barth <a...@ayous.org>
Changed-By: Andreas Barth <a...@ayous.org>
Description:
 mgetty     - Smart Modem getty replacement
 mgetty-docs - Documentation Package for mgetty
 mgetty-fax - Faxing tools for mgetty
 mgetty-pvftools - Programs for listening and manipulating pvf and rmd files
 mgetty-viewfax - Program for displaying Group-3 Fax files under X
 mgetty-voice - Voicemail handler for mgetty
Closes: 910448
Changes:
 mgetty (1.2.1-1) unstable; urgency=medium
 .
   * Bump upstream version to 1.2.1, amongst others:
     Harden faxq and faxrunq and others, fixes
     CVE-2018-16745, CVE-2018-16744, CVE-2018-16741, CVE-2018-16743,
     CVE-2018-16742.
     Closes: #910448

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
