Bug#787954: parallel: CVE-2015-4155 CVE-2015-4156
Hi Rogério,

On Mon, Jun 08, 2015 at 12:44:58AM -0300, Rogério Brito wrote:
> On Jun 06 2015, Salvatore Bonaccorso wrote:
> > Source: parallel
> > Version: 20120422-1
> > Severity: normal
> > Tags: security upstream fixed-upstream
> > (...)
>
> Thanks for the report. How should I proceed to fix the non-sid versions of the package?

Thanks for the quick reply already. I think these issues do not warrant a DSA on its own for stable and oldstable. But it would surely be nice to have them fixed as well there through a (old-)stable proposed update. Could you contact the release team for this?

> Fixing it in unstable is simple enough that I can essentially just upload a new version, but how should coordination with the other releases go, since I saw that the bug affects both stable and oldstable.

Yes, just go ahead with the new upstream version for unstable which addresses both CVEs.

Thanks a lot for your work!

Regards,
Salvatore

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#787954: parallel: CVE-2015-4155 CVE-2015-4156
Dear Salvatore.

On Jun 06 2015, Salvatore Bonaccorso wrote:
> Source: parallel
> Version: 20120422-1
> Severity: normal
> Tags: security upstream fixed-upstream
> (...)

Thanks for the report. How should I proceed to fix the non-sid versions of the package?

Fixing it in unstable is simple enough that I can essentially just upload a new version, but how should coordination with the other releases go, since I saw that the bug affects both stable and oldstable.

Thanks for the pointers once again,

-- 
Rogério Brito : rbrito@{ime.usp.br,gmail.com} : GPG key 4096R/BCFC
http://cynic.cc/blog/ : github.com/rbrito : profiles.google.com/rbrito
DebianQA: http://qa.debian.org/developer.php?login=rbrito%40ime.usp.br
Bug#787954: parallel: CVE-2015-4155 CVE-2015-4156
Source: parallel
Version: 20120422-1
Severity: normal
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for parallel.

CVE-2015-4155[0]:
| GNU Parallel before 20150422, when using (1) --pipe, (2) --tmux, (3)
| --cat, (4) --fifo, or (5) --compress, allows local users to write to
| arbitrary files via a symlink attack on a temporary file.

CVE-2015-4156[1]:
| GNU Parallel before 20150522 (Nepal), when using (1) --cat or (2)
| --fifo with --sshlogin, allows local users to write to arbitrary files
| via a symlink attack on a temporary file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-4155
[1] https://security-tracker.debian.org/tracker/CVE-2015-4156

Regards,
Salvatore
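Both CVEs in the report above belong to one bug class: a temporary file is created at a predictable path with an open call that follows whatever already sits there, so a symlink planted at that path redirects the write to the link target. The example below is added here to illustrate that class and its standard mitigation; it is not part of this bug thread and is not GNU Parallel's own (Perl) code. All function names (write_tmp_unsafe, write_tmp_safe, write_tmp_mkstemp, demo) and the file names used in the constructed scenario are assumptions made for the illustration.

```python
import os
import tempfile


# Vulnerable pattern: predictable name plus a plain open(), which follows a
# symlink at that path and truncates the link target.
def write_tmp_unsafe(path, data):
    with open(path, "w") as f:  # follows symlinks
        f.write(data)
    return True


# Hardened pattern for a caller that must use a chosen path:
#   O_EXCL     - fail if anything (file, symlink, fifo) already exists there
#   O_NOFOLLOW - never follow a symlink in the final path component
#   0o600      - keep the new file private to the creating user
def write_tmp_safe(path, data):
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False  # something was already planted at the path; refuse
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return True


# Preferred pattern: let the library choose an unpredictable name and hand
# back an already-open descriptor; mkstemp uses O_CREAT|O_EXCL and mode 0o600.
def write_tmp_mkstemp(data, directory=None):
    fd, path = tempfile.mkstemp(prefix="example-", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Constructed scenario inside a private scratch directory: a symlink sits
    at the predictable temp-file name and points at victim.txt.

    Returns (victim content after the unsafe write,
             whether the safe writer refused,
             victim content after the safe attempt)."""
    base = tempfile.mkdtemp()
    target = os.path.join(base, "victim.txt")
    link = os.path.join(base, "predictable.tmp")

    with open(target, "w") as f:
        f.write("original")
    os.symlink(target, link)  # stands in for the planted symlink

    write_tmp_unsafe(link, "clobbered")
    with open(target) as f:
        after_unsafe = f.read()

    with open(target, "w") as f:  # reset, then retry with the hardened writer
        f.write("original")
    refused = not write_tmp_safe(link, "clobbered")
    with open(target) as f:
        after_safe = f.read()

    return after_unsafe, refused, after_safe


if __name__ == "__main__":
    print(demo())
```

The decisive property is not the file name alone but the open flags: even a name an attacker can guess cannot be redirected when the creator insists on O_EXCL (and O_NOFOLLOW), and mkstemp combines an unguessable name with those flags so the caller does not have to remember them. A package fix for this class is therefore to route every temporary-file creation through such a primitive (File::Temp in Perl) rather than assembling paths by hand under a shared directory.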