Your message dated Mon, 13 Oct 2008 21:32:43 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#475221: fixed in mondo 1:2.2.7-1
has caused the Debian Bug report #475221,
regarding mondo: CVE-2008-1633
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
475221: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475221
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: mondo
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mondo.


CVE-2008-1633[0]:
| Unspecified vulnerability in Mondo Rescue before 2.2.5 has unknown
| impact and attack vectors, related to the use of (1) /tmp and (2)
| MINDI_CACHE.

Since you (as co-upstream maintainer) didn't specify any 
useful description or parts of source code when you fixed 
this, you get this poor description ;)

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

BTW, grepping the source code for /tmp does show a lot of 
hardcoded tmp paths in the source code and shipped scripts 
(ide-opt e.g). Are you sure all of these are secure and not 
possible to exploit via symlinks? I did not check this in 
detail because I have no idea how mondo is really used and 
if this would apply in mondo usage scenarios but it's bad 
coding style anyway.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1633
    http://security-tracker.debian.net/tracker/CVE-2008-1633

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpfNTiuCjpXX.pgp
Description: PGP signature


--- End Message ---
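The report above asks whether mondo's hardcoded /tmp paths in C sources and shipped scripts are safe against symlinks. The following is an added illustration, not code from mondo or from the reporter: it contrasts the weak pattern (a fixed, predictable name in a world-writable directory, opened with a symlink-following call) with the defensive pattern (mkstemp()/mkdtemp() under TMPDIR, which create with O_EXCL and fail rather than follow an existing name), plus an lstat()-based sanity check a reviewer can run on any temp path before it is used. The file names, the TMPDIR fallback and the `mondo.XXXXXX` template are assumptions chosen for the example.

```c
/* Added example (not mondo's code): safe temp-file handling versus the
 * hardcoded /tmp pattern questioned in Debian bug #475221. Names below
 * are constructed for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define TMP_PATH_MAX 4096

/* Weak pattern: a fixed name under /tmp. O_TRUNC without O_EXCL follows
 * whatever already sits at that name (including a symlink planted by
 * another local user), so the target is truncated and written with the
 * caller's privileges. Returns the fd or -1. Kept here only as the
 * "before" side of the comparison. */
int open_scratch_fixed(const char *name) {
    char path[TMP_PATH_MAX];
    snprintf(path, sizeof path, "/tmp/%s", name);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: mkstemp() fills in the XXXXXX with an unpredictable
 * suffix and opens with O_CREAT|O_EXCL and mode 0600, so a pre-existing
 * file or symlink at that name makes creation fail instead of being
 * followed. The caller keeps working on the returned fd and never
 * re-opens the file by path. TMPDIR is honoured, /tmp is the fallback. */
int open_scratch_safe(char *template_out, size_t len) {
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0') dir = "/tmp";
    if (snprintf(template_out, len, "%s/mondo.XXXXXX", dir) >= (int)len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(template_out);
}

/* Same idea for a private scratch directory (the report also mentions a
 * cache location): mkdtemp() creates it with mode 0700. Returns 0 on
 * success, -1 on error; the created path is left in template_out. */
int make_scratch_dir_safe(char *template_out, size_t len) {
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0') dir = "/tmp";
    if (snprintf(template_out, len, "%s/mondo-cache.XXXXXX", dir) >= (int)len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkdtemp(template_out) == NULL ? -1 : 0;
}

/* Sanity check for a path a program is about to write to: lstat() (not
 * stat()) so a symlink is seen as a symlink; reject anything that is a
 * link or not owned by the current user. Returns 1 if acceptable. */
int tmp_path_is_sane(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    if (S_ISLNK(st.st_mode)) return 0;
    if (st.st_uid != getuid()) return 0;
    return 1;
}

/* Exercises the hardened helpers end to end. Returns 1 when every check
 * holds: creation succeeds, the name cannot be re-created with O_EXCL,
 * and a symlink pointing at the file is rejected by the sanity check. */
int demo_checks(void) {
    char path[TMP_PATH_MAX];
    char link[TMP_PATH_MAX];
    char dirpath[TMP_PATH_MAX];
    int ok = 1;

    int fd = open_scratch_safe(path, sizeof path);
    if (fd < 0) return 0;
    if (!tmp_path_is_sane(path)) ok = 0;

    /* The name is now taken: an O_EXCL re-creation must fail with EEXIST. */
    int again = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (again >= 0) { close(again); ok = 0; }
    else if (errno != EEXIST) ok = 0;

    /* A symlink to the file must not pass the sanity check. */
    snprintf(link, sizeof link, "%s.lnk", path);
    if (symlink(path, link) == 0) {
        if (tmp_path_is_sane(link)) ok = 0;
        unlink(link);
    } else {
        ok = 0;
    }

    if (make_scratch_dir_safe(dirpath, sizeof dirpath) != 0) ok = 0;
    else { if (!tmp_path_is_sane(dirpath)) ok = 0; rmdir(dirpath); }

    close(fd);
    unlink(path);
    return ok;
}

int main(void) {
    printf("checks %s\n", demo_checks() ? "passed" : "failed");
    return 0;
}
```

The shell scripts the report mentions have the same two options: `mktemp` (which wraps mkstemp) instead of a literal `/tmp/name`, and no re-opening of the file by path once it has been created.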
--- Begin Message ---
Source: mondo
Source-Version: 1:2.2.7-1

We believe that the bug you reported is fixed in the latest version of
mondo, which is due to be installed in the Debian FTP archive:

mondo-doc_2.2.7-1_all.deb
  to pool/main/m/mondo/mondo-doc_2.2.7-1_all.deb
mondo_2.2.7-1.diff.gz
  to pool/main/m/mondo/mondo_2.2.7-1.diff.gz
mondo_2.2.7-1.dsc
  to pool/main/m/mondo/mondo_2.2.7-1.dsc
mondo_2.2.7-1_amd64.deb
  to pool/main/m/mondo/mondo_2.2.7-1_amd64.deb
mondo_2.2.7.orig.tar.gz
  to pool/main/m/mondo/mondo_2.2.7.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andree Leidenfrost <[EMAIL PROTECTED]> (supplier of updated mondo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 13 Oct 2008 21:24:05 +1100
Source: mondo
Binary: mondo mondo-doc
Architecture: source amd64 all
Version: 1:2.2.7-1
Distribution: unstable
Urgency: high
Maintainer: Andree Leidenfrost <[EMAIL PROTECTED]>
Changed-By: Andree Leidenfrost <[EMAIL PROTECTED]>
Description: 
 mondo      - powerful disaster recovery suite
 mondo-doc  - manual for Mondo, a powerful disaster recovery suite
Closes: 355751 409291 414948 431685 440463 441784 450893 475221
Changes: 
 mondo (1:2.2.7-1) unstable; urgency=high
 .
   * New upstream release:
     - closes: #355751 (cf. upstream bug 63);
     - closes: #409291, #414948, #440463, #441784 (floppy creation and
       the -F option have been removed upstream);
     - closes:  #450893, #475221.
   * Changes and additions to upstream source:
     - replaced all occurrences of mkisofs with genisoimage because this
       is what Debian contains - following files are affected:
       my-stuff.h, libmondo-tools.c, libmondo-fork.c, libmondo-archive.c;
     - replaced all occurrences of cdrecord with wodim because this is
       what Debian contains - following files are affected:
       libmondo-stream.c, libmondo-fork.c, libmondo-cli.c,
       libmondo-archive.c, libmondo-devices.c;
     - call ntfsresize with --bad-sectors option to get a size for NTFS
       volumes that have bad hardware sectors;
     - call ntfsclone with --rescue option to save as much of an NTFS
       volume as possible in case data is actually stored in bad sectors.
   * Packaging changes:
     - introduced epoch and reverted to upstream versioning;
     - adjusted rules and mondo-doc.docs files to reflect change in
       upstream documentation structure;
     - new proper copyright line with years and names in copyright file;
     - make use of new Homepage field in control file;
     - replaced invalid Section 'utils' with 'File Management' to be in
       line with doc-base manual 0.8.16;
     - replaced dependency on obsolete package cdrecord with wodim
       (closes: #431685 - mkisofs dependency changed in mindi, library
       dependencies updated via rebuilt);
     - changed standards version to 3.8.0 without further changes;
     - depend on mindi 1:2.0.4 or higher;
     - removed superfluous space character from mondo-doc.doc-base (fixes
       lintian warning);
     - replace /var/cache/mondo-archive with /var/cache/mondo in
       mondo.docs because this is what upstream (now) uses;
     - the howto is now just a single html file called
       mondorescue-howto.html so we use this as Index in
       mondo-doc.doc-base (fixes lintian warning).
Checksums-Sha1: 
 4a1409c3fadb10706d36b4c40319eb43e8745c7d 1039 mondo_2.2.7-1.dsc
 c2f0db047652e53ad852823856e9c9e39ed85f1a 2085950 mondo_2.2.7.orig.tar.gz
 c245d6833e052d58d964ad1e34b0c3542ed3a25a 23083 mondo_2.2.7-1.diff.gz
 205f9d4ddeb87b1b8b9d4d71389f747aa1403492 476666 mondo_2.2.7-1_amd64.deb
 69a99990beb76d152c88c589b6c1e625ad4caa58 2100758 mondo-doc_2.2.7-1_all.deb
Checksums-Sha256: 
 e60c32d073b75941e2ace093478c3b6547921923364fa2ec1dcb8c389a2f462f 1039 mondo_2.2.7-1.dsc
 748f5adb99afff39cb46e73ca7ce229cfc88e088f3b9574d88ae6f7856caad4b 2085950 mondo_2.2.7.orig.tar.gz
 625494824e22779bc09a77c8085e7e35df2fdfc0680d3d547805cbc8558c8b94 23083 mondo_2.2.7-1.diff.gz
 8274e466ee4b2299ef97e7ba1c1bbe26caa3c4e20eb01b712dd57631d77c5d3f 476666 mondo_2.2.7-1_amd64.deb
 993ffcd3ce6ee7acda13fd17fd568b1ab9436b6f8fd78ea77355d02ded885b87 2100758 mondo-doc_2.2.7-1_all.deb
Files: 
 f82116ec52723f8300df82e6f574988e 1039 utils optional mondo_2.2.7-1.dsc
 6c45f2c8d00d09ded33a6742e6489844 2085950 utils optional mondo_2.2.7.orig.tar.gz
 374e153e945f4fe9e545489cfe1ce2a1 23083 utils optional mondo_2.2.7-1.diff.gz
 d0cbf729596712957c77cfd7de1d7316 476666 utils optional mondo_2.2.7-1_amd64.deb
 c5369b2c295e4815e4e483e78f8989e6 2100758 doc optional mondo-doc_2.2.7-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjzI/QACgkQiLvX3b2IzayG0ACeI7tQ+7wQufx8HbmcakvYVjG8
by8AoJy/sYyMrGdFVpnpm4VkCe8VWLVm
=ENAE
-----END PGP SIGNATURE-----



--- End Message ---