Bug#871810: marked as done (cvs: CVE-2017-12836: CVS and ssh command injection)
Your message dated Tue, 22 Aug 2017 21:48:25 +
with message-id and subject line Bug#871810: fixed in cvs 2:1.12.13+real-15+deb8u1
has caused the Debian Bug report #871810,
regarding cvs: CVE-2017-12836: CVS and ssh command injection
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
871810: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: cvs
Version: 2:1.12.13+real-9
Severity: grave
Tags: upstream security
Justification: user security hole

Hi,

the following vulnerability was published for cvs.

CVE-2017-12836[0]:
CVS and ssh command injection

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12836
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12836
[1] http://www.openwall.com/lists/oss-security/2017/08/11/1

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: cvs
Source-Version: 2:1.12.13+real-15+deb8u1

We believe that the bug you reported is fixed in the latest version of
cvs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 871...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser (supplier of updated cvs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sat, 12 Aug 2017 19:22:05 +0200
Source: cvs
Binary: cvs
Architecture: source i386
Version: 2:1.12.13+real-15+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian QA Group
Changed-By: Thorsten Glaser
Description:
 cvs - Concurrent Versions System
Closes: 871810
Changes:
 cvs (2:1.12.13+real-15+deb8u1) jessie-security; urgency=high
 .
 * Fix CVE-2017-12836 (Closes: #871810)
--- End Message ---
Bug#871810: marked as done (cvs: CVE-2017-12836: CVS and ssh command injection)
Your message dated Tue, 22 Aug 2017 21:32:15 +
with message-id and subject line Bug#871810: fixed in cvs 2:1.12.13+real-22+deb9u1
has caused the Debian Bug report #871810,
regarding cvs: CVE-2017-12836: CVS and ssh command injection
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
871810: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: cvs
Version: 2:1.12.13+real-9
Severity: grave
Tags: upstream security
Justification: user security hole

Hi,

the following vulnerability was published for cvs.

CVE-2017-12836[0]:
CVS and ssh command injection

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12836
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12836
[1] http://www.openwall.com/lists/oss-security/2017/08/11/1

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: cvs
Source-Version: 2:1.12.13+real-22+deb9u1

We believe that the bug you reported is fixed in the latest version of
cvs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 871...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser (supplier of updated cvs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sat, 12 Aug 2017 19:19:53 +0200
Source: cvs
Binary: cvs
Architecture: source i386
Version: 2:1.12.13+real-22+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Thorsten Glaser
Changed-By: Thorsten Glaser
Description:
 cvs - Concurrent Versions System
Closes: 871810
Changes:
 cvs (2:1.12.13+real-22+deb9u1) stretch-security; urgency=high
 .
 * Fix CVE-2017-12836 (Closes: #871810)
Bug#871810: marked as done (cvs: CVE-2017-12836: CVS and ssh command injection)
Your message dated Sat, 12 Aug 2017 21:19:02 +
with message-id and subject line Bug#871810: fixed in cvs 2:1.12.13+real-24
has caused the Debian Bug report #871810,
regarding cvs: CVE-2017-12836: CVS and ssh command injection
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
871810: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: cvs
Version: 2:1.12.13+real-9
Severity: grave
Tags: upstream security
Justification: user security hole

Hi,

the following vulnerability was published for cvs.

CVE-2017-12836[0]:
CVS and ssh command injection

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12836
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12836
[1] http://www.openwall.com/lists/oss-security/2017/08/11/1

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: cvs
Source-Version: 2:1.12.13+real-24

We believe that the bug you reported is fixed in the latest version of
cvs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 871...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser (supplier of updated cvs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sat, 12 Aug 2017 22:18:41 +0200
Source: cvs
Binary: cvs
Architecture: source
Version: 2:1.12.13+real-24
Distribution: unstable
Urgency: high
Maintainer: Thorsten Glaser
Changed-By: Thorsten Glaser
Description:
 cvs - Concurrent Versions System
Closes: 871810
Changes:
 cvs (2:1.12.13+real-24) unstable; urgency=high
 .
 * Update from MirBSD
 - fix for CVE-2017-12836 (Closes: #871810)
 - more robust $CVSROOT parsing
 * Policy 4.0.1
 - add nodoc build option
 ‣ I’m unclear on how this mixes with build profiles and/or
 Build-Depends exclusion; should I exclude ghostscript, groff,
 texinfo, texlive-* with now, or are DEB_BUILD_OPTIONS=nodoc
 and the profile independent of each other? Info and patches
 welcome.
 * Drop explicit (thus redundant) autotools-dev B-D (lintian)
 * Update lintian overrides
--- End Message ---