Bug#1029829: amanda: CVE-2022-37704 CVE-2022-37705
One more pull request added, thanks to Pavel!

From: Amanda Trusted
Date: Friday, February 24, 2023 at 6:00 PM
To: Jose M Calhariz, 1029...@bugs.debian.org <1029...@bugs.debian.org>
Subject: Re: Bug#1029829: amanda: CVE-2022-37704 CVE-2022-37705

Thank you Jose! We added another fix for CVE-2022-37705. So, here is the updated list.

[0] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37704
https://www.cve.org/CVERecord?id=CVE-2022-37704
Fixes - https://github.com/zmanda/amanda/pull/197, https://github.com/zmanda/amanda/pull/202, https://github.com/zmanda/amanda/pull/203, https://github.com/zmanda/amanda/pull/205/

[1] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37705
https://www.cve.org/CVERecord?id=CVE-2022-37705
Fixes - https://github.com/zmanda/amanda/pull/196 https://github.com/zmanda/amanda/pull/204/

[2] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37703
https://www.cve.org/CVERecord?id=CVE-2022-37703
Fix - https://github.com/zmanda/amanda/pull/198

Thank you,
AmandaTrusted.

From: Jose M Calhariz
Date: Friday, February 24, 2023 at 9:43 AM
To: Amanda Trusted, 1029...@bugs.debian.org <1029...@bugs.debian.org>
Subject: Re: Bug#
Bug#1029829: amanda: CVE-2022-37704 CVE-2022-37705
Thank you Jose! We added another fix for CVE-2022-37705. So, here is the updated list.

[0] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37704
https://www.cve.org/CVERecord?id=CVE-2022-37704
Fixes - https://github.com/zmanda/amanda/pull/197, https://github.com/zmanda/amanda/pull/202, https://github.com/zmanda/amanda/pull/203

[1] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37705
https://www.cve.org/CVERecord?id=CVE-2022-37705
Fixes - https://github.com/zmanda/amanda/pull/196 https://github.com/zmanda/amanda/pull/204/

[2] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37703
https://www.cve.org/CVERecord?id=CVE-2022-37703
Fix - https://github.com/zmanda/amanda/pull/198

Thank you,
AmandaTrusted.

From: Jose M Calhariz
Date: Friday, February 24, 2023 at 9:43 AM
To: Amanda Trusted, 1029...@bugs.debian.org <1029...@bugs.debian.org>
Subject: Re: Bug#1029829: amanda: CVE-2022-37704 CVE-2022-37705

Hi, just to tell that I am working on CVE-2022-37705, currently checking if the fix works on my workbench.

Ki
Bug#1029829: amanda: CVE-2022-37704 CVE-2022-37705
Hi, just to tell that I am working on CVE-2022-37705, currently checking if the fix works on my workbench.

Kind regards
Jose M Calhariz

On February 15, 2023 11:10:25 PM GMT+00:00, Amanda Trusted wrote:
>Hi Jose,
>
>Here are the relevant bug fixes -
>[0] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37704
>https://www.cve.org/CVERecord?id=CVE-2022-37704
>Fix - https://github.com/zmanda/amanda/pull/197
>
>[1] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37705
>https://www.cve.org/CVERecord?id=CVE-2022-37705
>Fix - https://github.com/zmanda/amanda/pull/196
>
>
>[2] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37703
>https://www.cve.org/CVERecord?id=CVE-2022-37703
>Fix - https://github.com/zmanda/amanda/pull/198
>
>These 3 fixes are due for release as part of Amanda 3.5.3 within a week.
>
>Let us know if there are any other action items for us.
>
>Regards,
>
>AmandaTrusted
>
>Confidentiality Notice | The information transmitted by this email is intended
>only for the person or entity to which it is addressed. This email may contain
>proprietary, business-confidential and/or privileged material. If you are not
>the intended recipient of this message, be aware that any use, review,
>re-transmission, distribution, reproduction or any action taken in reliance
>upon this message is strictly prohibited. If you received this in error,
>please contact the sender and delete the material from all computers.
Bug#1029829: Re: Bug#1029829: amanda: CVE-2022-37704 CVE-2022-37705
During our security testing of the fixes, we found another attack vector for the issue similar to the one mentioned in CVE-2022-37704<https://github.com/MaherAzzouzi/CVE-2022-37704>. Dump can be manipulated by an attacker through the RSH environment variable, which is used to specify the shell binary to be used for remote backups. By manipulating this variable and invoking Dump via rundump, an attacker can execute arbitrary code with root privileges. We now filter out the RSH environment variable to prevent this exploit.

The fix for this issue is available at - https://github.com/zmanda/amanda/pull/202.

Is there anything else we can help you with to avert the March 2nd auto removal?

We also recommend pointing to the github repository (https://github.com/zmanda/amanda.git) instead of pointing to svn as future development will continue on github and we would like to phase out svn.

Best Regards,
AmandaTrusted

From: Amanda Trusted
Date: Wednesday, February 15, 2023 at 5:10 PM
To: 1029...@bugs.debian.org <1029...@bugs.debian.org>
Cc: j...@calhariz.com
Subject: Re: Bug#1029829: amanda: CVE-2022-37704 CVE-2022-37705

Hi Jose,

Here are the relevant bug fixes -
[0] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37704
https://www.cve.org/CVERecord?id=CVE-2022-37704
Fix - https://github.com/zmanda/amanda/pull/197

[1] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37705
https://www.cve.org/CVERecord?id=CVE-2022-37705
Fix - https://github.com/zmanda/amanda/pull/196

[2] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37703
https://www.cve.org/CVERecord?id=CVE-2022-37703
Fix - https://github.com/zmanda/amanda/pull/198

These 3 fixes are due for release as part of Amanda 3.5.3 within a week.

Let us know if there are any other action items for us.

Regards,
AmandaTrusted
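The mitigation the message above describes (keeping the caller's RSH away from dump when it is invoked through rundump), as an added example that is not Amanda's own code: a setuid helper rebuilding its child's environment from an allowlist, which generalizes the RSH filter to every inherited variable. filter_env, env_has, check_sample, allowed_vars, FIXED_PATH and the sample environment are all constructed for this example.

```c
#include <string.h>
/* Added example, not Amanda's rundump code: a setuid helper hands its child
 * a rebuilt environment so the caller's RSH (which dump honours to pick the
 * remote-shell binary) never reaches it. An allowlist, not a blocklist, so
 * any other variable the child might honour is dropped too. Names are made up. */
#define MAX_ENV 64
#define FIXED_PATH "PATH=/usr/sbin:/usr/bin:/sbin:/bin"
static const char *const allowed_vars[] = { "TZ", "LANG", "LC_ALL", NULL };

/* True if entry ("NAME=value") carries exactly the variable `name`. */
static int names_var(const char *entry, const char *name) {
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* True if the NULL-terminated `env` carries a variable called `name`. */
int env_has(const char *const env[], const char *name) {
    for (const char *const *e = env; *e; e++)
        if (names_var(*e, name))
            return 1;
    return 0;
}

/* Fill `out` (capacity MAX_ENV, NULL-terminated) with a fixed PATH plus the
 * allowlisted entries of `in`; returns the count, or -1 on overflow. */
int filter_env(const char *const in[], const char *out[]) {
    int n = 0;
    out[n++] = FIXED_PATH;           /* never inherit the caller's PATH */
    for (const char *const *e = in; *e; e++) {
        const char *const *v = allowed_vars;
        while (*v && !names_var(*e, *v))
            v++;
        if (!*v)
            continue;                /* RSH, LD_PRELOAD, IFS, ... end here */
        if (n >= MAX_ENV - 1)
            return -1;
        out[n++] = *e;
    }
    out[n] = NULL;
    return n;
}

/* Constructed sample of what an unprivileged caller could pass in. */
static const char *const sample_env[] = {
    "PATH=/tmp/caller-bin:/usr/bin", "RSH=/tmp/untrusted",
    "TZ=UTC", "LD_PRELOAD=/tmp/x.so", "LANG=C", NULL
};

/* Filter sample_env as a helper would before execve(); -1 if RSH or a bad PATH got through. */
int check_sample(void) {
    const char *clean[MAX_ENV];
    int n = filter_env(sample_env, clean);
    if (n < 0 || env_has(clean, "RSH") || strcmp(clean[0], FIXED_PATH))
        return -1;
    return n;
}
```

The resulting array is what the helper would pass as envp to execve(); a blocklist that removed only RSH would leave the next such variable untouched.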
Bug#1029829: amanda: CVE-2022-37704 CVE-2022-37705
Hi Jose,

Here are the relevant bug fixes -
[0] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37704
https://www.cve.org/CVERecord?id=CVE-2022-37704
Fix - https://github.com/zmanda/amanda/pull/197

[1] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37705
https://www.cve.org/CVERecord?id=CVE-2022-37705
Fix - https://github.com/zmanda/amanda/pull/196

[2] CVE - https://security-tracker.debian.org/tracker/CVE-2022-37703
https://www.cve.org/CVERecord?id=CVE-2022-37703
Fix - https://github.com/zmanda/amanda/pull/198

These 3 fixes are due for release as part of Amanda 3.5.3 within a week.

Let us know if there are any other action items for us.

Regards,
AmandaTrusted
Bug#1029829: amanda: CVE-2022-37704 CVE-2022-37705
-=| Jose M Calhariz, 02.02.2023 19:20:23 + |=-
> This is my first security update, can I ask what is the procedure or
> where it is documented?

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security-building
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#bug-security

--
Damyan

> On January 28, 2023 12:59:09 PM GMT+00:00, Salvatore Bonaccorso
> wrote:
>
> Source: amanda
> Version: 1:3.5.1-9
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
>
> Hi,
>
> The following vulnerabilities were published for amanda.
>
> CVE-2022-37704[0], CVE-2022-37705[1].
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-37704
> https://www.cve.org/CVERecord?id=CVE-2022-37704
> [1] https://security-tracker.debian.org/tracker/CVE-2022-37705
> https://www.cve.org/CVERecord?id=CVE-2022-37705
> [2] https://github.com/zmanda/amanda/issues/192
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
Bug#1029829: amanda: CVE-2022-37704 CVE-2022-37705
Hi,

This is my first security update, can I ask what is the procedure or where it is documented?

Kind regards
Jose M Calhariz

On January 28, 2023 12:59:09 PM GMT+00:00, Salvatore Bonaccorso wrote:
>Source: amanda
>Version: 1:3.5.1-9
>Severity: grave
>Tags: security upstream
>Justification: user security hole
>X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
>
>Hi,
>
>The following vulnerabilities were published for amanda.
>
>CVE-2022-37704[0], CVE-2022-37705[1].
>
>If you fix the vulnerabilities please also make sure to include the
>CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
>For further information see:
>
>[0] https://security-tracker.debian.org/tracker/CVE-2022-37704
>https://www.cve.org/CVERecord?id=CVE-2022-37704
>[1] https://security-tracker.debian.org/tracker/CVE-2022-37705
>https://www.cve.org/CVERecord?id=CVE-2022-37705
>[2] https://github.com/zmanda/amanda/issues/192
>
>Please adjust the affected versions in the BTS as needed.
>
>Regards,
>Salvatore
Bug#1029829: amanda: CVE-2022-37704 CVE-2022-37705
Source: amanda
Version: 1:3.5.1-9
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerabilities were published for amanda.

CVE-2022-37704[0], CVE-2022-37705[1].

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-37704
https://www.cve.org/CVERecord?id=CVE-2022-37704
[1] https://security-tracker.debian.org/tracker/CVE-2022-37705
https://www.cve.org/CVERecord?id=CVE-2022-37705
[2] https://github.com/zmanda/amanda/issues/192

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore