Bug#787954: parallel: CVE-2015-4155 CVE-2015-4156

2015-06-07 Thread Salvatore Bonaccorso
Hi Rogério,

On Mon, Jun 08, 2015 at 12:44:58AM -0300, Rogério Brito wrote:
> On Jun 06 2015, Salvatore Bonaccorso wrote:
> > Source: parallel
> > Version: 20120422-1
> > Severity: normal
> > Tags: security upstream fixed-upstream
> (...)
> 
> Thanks for the report.
> 
> How should I proceed to fix the non-sid versions of the package?

Thanks for the quick reply already. I think these issues do not warrant a
DSA on their own for stable and oldstable. But it would surely be nice
to have them fixed as well there through a (old-)stable proposed
update. Could you contact the release team for this?
> 
> Fixing it in unstable is simple enough that I can essentially just upload a
> new version, but how should coordination with the other releases go, since I
> saw that the bug affects both stable and oldstable.

Yes, just go ahead with the new upstream version for unstable which
addresses both CVEs.

Thanks a lot for your work!

Regards,
Salvatore


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#787954: parallel: CVE-2015-4155 CVE-2015-4156

2015-06-07 Thread Rogério Brito
Dear Salvatore,

On Jun 06 2015, Salvatore Bonaccorso wrote:
> Source: parallel
> Version: 20120422-1
> Severity: normal
> Tags: security upstream fixed-upstream
> (...)

Thanks for the report.

How should I proceed to fix the non-sid versions of the package?

Fixing it in unstable is simple enough that I can essentially just upload a
new version, but how should coordination with the other releases go, since I
saw that the bug affects both stable and oldstable.


Thanks for the pointers once again,

-- 
Rogério Brito : rbrito@{ime.usp.br,gmail.com} : GPG key 4096R/BCFC
http://cynic.cc/blog/ : github.com/rbrito : profiles.google.com/rbrito
DebianQA: http://qa.debian.org/developer.php?login=rbrito%40ime.usp.br





Bug#787954: parallel: CVE-2015-4155 CVE-2015-4156

2015-06-06 Thread Salvatore Bonaccorso
Source: parallel
Version: 20120422-1
Severity: normal
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for parallel.

CVE-2015-4155[0]:
| GNU Parallel before 20150422, when using (1) --pipe, (2) --tmux, (3)
| --cat, (4) --fifo, or (5) --compress, allows local users to write to
| arbitrary files via a symlink attack on a temporary file.

CVE-2015-4156[1]:
| GNU Parallel before 20150522 (Nepal), when using (1) --cat or (2)
| --fifo with --sshlogin, allows local users to write to arbitrary files
| via a symlink attack on a temporary file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-4155
[1] https://security-tracker.debian.org/tracker/CVE-2015-4156

Regards,
Salvatore


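Added illustration (not part of this bug report and not GNU Parallel's code) of the defect class the two CVE texts describe, a temporary file opened at a predictable path without O_EXCL, beside the hardened form; `naive_tmp_open`, `safe_tmp_open`, `private_tmp_file`, `demo` and the file names are constructed for this example.

```python
import os
import shutil
import tempfile

# Names below are constructed for this illustration; they are not GNU Parallel's.
def naive_tmp_open(path):
    """Pattern behind the CVEs: create-or-truncate a predictable path.
    O_CREAT without O_EXCL follows a symlink someone planted at `path`,
    so the write lands in whatever file the symlink points to."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)

def safe_tmp_open(path):
    """Hardened form: fail if anything already exists at `path` (a symlink
    counts) and never follow symlinks. O_EXCL makes the check atomic."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)  # absent on some platforms
    return os.open(path, flags, 0o600)

def private_tmp_file(prefix="tmp-"):
    """Preferred fix: unpredictable name inside a fresh mode-0700 directory,
    so another local user cannot pre-create anything there. Returns (fd, path)."""
    d = tempfile.mkdtemp(prefix=prefix)
    return tempfile.mkstemp(dir=d)

def demo():
    """Plant a symlink at a predictable name pointing at a constructed
    victim file inside a scratch directory, then try both openers.
    Returns (naive_overwrote_victim, safe_refused_to_open)."""
    tmpdir = tempfile.mkdtemp()
    try:
        victim = os.path.join(tmpdir, "victim.txt")
        with open(victim, "w") as f:
            f.write("original\n")
        predictable = os.path.join(tmpdir, "predictable.tmp")
        os.symlink(victim, predictable)
        fd = naive_tmp_open(predictable)
        os.write(fd, b"clobbered\n")
        os.close(fd)
        with open(victim) as f:
            naive_overwrote = f.read() != "original\n"
        try:
            os.close(safe_tmp_open(predictable))
            safe_refused = False
        except OSError:  # EEXIST (or ELOOP) from the kernel
            safe_refused = True
        return naive_overwrote, safe_refused
    finally:
        shutil.rmtree(tmpdir)
```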