Bug#871810: marked as done (cvs: CVE-2017-12836: CVS and ssh command injection)

2017-08-22 Thread Debian Bug Tracking System
Your message dated Tue, 22 Aug 2017 21:48:25 +
with message-id 
and subject line Bug#871810: fixed in cvs 2:1.12.13+real-15+deb8u1
has caused the Debian Bug report #871810,
regarding cvs: CVE-2017-12836: CVS and ssh command injection
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
871810: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871810
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cvs
Version: 2:1.12.13+real-9
Severity: grave
Tags: upstream security
Justification: user security hole

Hi,

the following vulnerability was published for cvs.

CVE-2017-12836[0]:
CVS and ssh command injection

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12836
[1] http://www.openwall.com/lists/oss-security/2017/08/11/1

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: cvs
Source-Version: 2:1.12.13+real-15+deb8u1

We believe that the bug you reported is fixed in the latest version of
cvs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 871...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser  (supplier of updated cvs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 12 Aug 2017 19:22:05 +0200
Source: cvs
Binary: cvs
Architecture: source i386
Version: 2:1.12.13+real-15+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian QA Group 
Changed-By: Thorsten Glaser 
Description:
 cvs - Concurrent Versions System
Closes: 871810
Changes:
 cvs (2:1.12.13+real-15+deb8u1) jessie-security; urgency=high
 .
   * Fix CVE-2017-12836 (Closes: #871810)

--- End Message ---


Bug#871810: marked as done (cvs: CVE-2017-12836: CVS and ssh command injection)

2017-08-22 Thread Debian Bug Tracking System
Your message dated Tue, 22 Aug 2017 21:32:15 +
with message-id 
and subject line Bug#871810: fixed in cvs 2:1.12.13+real-22+deb9u1
has caused the Debian Bug report #871810,
regarding cvs: CVE-2017-12836: CVS and ssh command injection
to be marked as done.

--- Begin Message ---
Source: cvs
Source-Version: 2:1.12.13+real-22+deb9u1



Format: 1.8
Date: Sat, 12 Aug 2017 19:19:53 +0200
Source: cvs
Binary: cvs
Architecture: source i386
Version: 2:1.12.13+real-22+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Thorsten Glaser 
Changed-By: Thorsten Glaser 
Description:
 cvs - Concurrent Versions System
Closes: 871810
Changes:
 cvs (2:1.12.13+real-22+deb9u1) stretch-security; urgency=high
 .
   * Fix CVE-2017-12836 (Closes: #871810)

--- End Message ---

Bug#871810: marked as done (cvs: CVE-2017-12836: CVS and ssh command injection)

2017-08-12 Thread Debian Bug Tracking System
Your message dated Sat, 12 Aug 2017 21:19:02 +
with message-id 
and subject line Bug#871810: fixed in cvs 2:1.12.13+real-24
has caused the Debian Bug report #871810,
regarding cvs: CVE-2017-12836: CVS and ssh command injection
to be marked as done.

--- Begin Message ---
Source: cvs
Source-Version: 2:1.12.13+real-24



Format: 1.8
Date: Sat, 12 Aug 2017 22:18:41 +0200
Source: cvs
Binary: cvs
Architecture: source
Version: 2:1.12.13+real-24
Distribution: unstable
Urgency: high
Maintainer: Thorsten Glaser 
Changed-By: Thorsten Glaser 
Description:
 cvs - Concurrent Versions System
Closes: 871810
Changes:
 cvs (2:1.12.13+real-24) unstable; urgency=high
 .
   * Update from MirBSD
     - fix for CVE-2017-12836 (Closes: #871810)
     - more robust $CVSROOT parsing
   * Policy 4.0.1
     - add nodoc build option
       ‣ I’m unclear on how this mixes with build profiles and/or
         Build-Depends exclusion; should I exclude ghostscript,
         groff, texinfo, texlive-* with  now, or are
         DEB_BUILD_OPTIONS=nodoc and the profile independent of
         each other? Info and patches welcome.
   * Drop explicit (thus redundant) autotools-dev B-D (lintian)
   * Update lintian overrides

--- End Message ---