Your message dated Sun, 04 May 2014 21:32:13 +0000
with message-id <[email protected]>
and subject line Bug#746306: fixed in dpkg 1.16.14
has caused the Debian Bug report #746306,
regarding dpkg: CVE-2014-0471 fix introduces the vulnerability into squeeze
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
746306: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746306
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg
Version: 1.15.9
Tags: security squeeze
As far as I see, escaping file names was added to diffutils in 2012. The
feature is not present in a squeeze environment. CVE-2014-0471 does not
apply.
Directory traversal during unpack is possible now. I will wait one day
before releasing an exploit package.
--- End Message ---
--- Begin Message ---
Source: dpkg
Source-Version: 1.16.14
We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated dpkg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 30 Apr 2014 08:14:16 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source amd64 all
Version: 1.16.14
Distribution: wheezy-security
Urgency: high
Maintainer: Dpkg Developers <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Description:
dpkg - Debian package management system
dpkg-dev - Debian package development tools
dselect - Debian package management front-end
libdpkg-dev - Debian package management static library
libdpkg-perl - Dpkg perl modules
Closes: 746306
Changes:
dpkg (1.16.14) wheezy-security; urgency=high
.
[ Guillem Jover ]
* Do not allow patch files with C-style encoded filenames. Closes: #746306
Unconditionally fixes CVE-2014-0471.
.
[ Updated scripts translations ]
* German (Helge Kreutzmann).
.
[ Updated man page translations ]
* German (Helge Kreutzmann).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
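
The 1.16.14 changelog entry above states that dpkg no longer accepts patch files with C-style encoded filenames. The following Python check is an added example, not dpkg's own code: it flags `---`/`+++` headers of a unified diff whose filename is quoted, while skipping hunk bodies so that a removed line such as `--- "text"` is not mistaken for a header. The function name and both sample patches are constructed for illustration, and it assumes an encoded name is recognisable by a leading double quote in the header.

```python
import re

# "@@ -start[,count] +start[,count] @@"; a missing count means 1.
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def quoted_header_names(patch_text):
    """Return (line_number, line) for each ---/+++ header naming a quoted file."""
    findings = []
    old_left = new_left = 0  # lines still expected in the current hunk
    for number, line in enumerate(patch_text.splitlines(), start=1):
        if old_left > 0 or new_left > 0:
            # Inside a hunk body: '--- "x"' here is a removed line, not a header.
            if line.startswith("\\"):   # "\ No newline at end of file"
                continue
            if line.startswith("-"):
                old_left -= 1
            elif line.startswith("+"):
                new_left -= 1
            else:                        # context line counts on both sides
                old_left -= 1
                new_left -= 1
            continue
        hunk = HUNK_RE.match(line)
        if hunk:
            old_left = int(hunk.group(1) or 1)
            new_left = int(hunk.group(2) or 1)
            continue
        if line.startswith(("--- ", "+++ ")) and line[4:].lstrip().startswith('"'):
            findings.append((number, line))
    return findings

# Constructed sample: plain filenames; the hunk removes a line reading -- "old comment".
CLEAN_PATCH = "\n".join([
    "--- a/src/main.c", "+++ b/src/main.c", "@@ -1,2 +1,2 @@",
    " int x;", '--- "old comment"', '+-- "new comment"',
])
# Constructed sample: headers carry a C-style quoted (octal-escaped) filename.
QUOTED_PATCH = "\n".join([
    r'--- "a/src/caf\303\251.c"', r'+++ "b/src/caf\303\251.c"',
    "@@ -1 +1 @@", "-old", "+new",
])

if __name__ == "__main__":
    for name, patch in (("clean", CLEAN_PATCH), ("quoted", QUOTED_PATCH)):
        hits = quoted_header_names(patch)
        print(name, "REJECT" if hits else "ok", hits)
```

Rejecting every quoted header, rather than decoding it and inspecting the result, matches the "unconditionally" wording of the changelog entry and does not depend on which patch version later applies the file.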