Your message dated Mon, 25 Aug 2008 10:32:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#495769: fixed in nufw 2.2.15-2
has caused the Debian Bug report #495769,
regarding libpam-nufw has rpath to insecure location
(/home/pollux/DEBIAN/NUFW/nufw-2.2.15/src/clients/lib/.libs)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
495769: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495769
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libpam-nufw
Version: 2.2.15-1
Severity: serious
Tags: security
Hello Pierre,
libpam-nufw includes a binary /lib/security/pam_nufw.so with a rpath pointing
to /home/pollux/DEBIAN/NUFW/nufw-2.2.15/src/clients/lib/.libs.
This allows an attacker with write access to that directory to
add modified libraries which will be loaded when someone
else run libpam-nufw.
Cheers,
--
Bill. <[EMAIL PROTECTED]>
Imagine a large red swirl here.
--- End Message ---
--- Begin Message ---
Source: nufw
Source-Version: 2.2.15-2
We believe that the bug you reported is fixed in the latest version of
nufw, which is due to be installed in the Debian FTP archive:
libnuclient-dev_2.2.15-2_amd64.deb
to pool/main/n/nufw/libnuclient-dev_2.2.15-2_amd64.deb
libnuclient3_2.2.15-2_amd64.deb
to pool/main/n/nufw/libnuclient3_2.2.15-2_amd64.deb
libpam-nufw_2.2.15-2_amd64.deb
to pool/main/n/nufw/libpam-nufw_2.2.15-2_amd64.deb
nuauth-extra_2.2.15-2_amd64.deb
to pool/main/n/nufw/nuauth-extra_2.2.15-2_amd64.deb
nuauth-log-mysql_2.2.15-2_amd64.deb
to pool/main/n/nufw/nuauth-log-mysql_2.2.15-2_amd64.deb
nuauth-log-pgsql_2.2.15-2_amd64.deb
to pool/main/n/nufw/nuauth-log-pgsql_2.2.15-2_amd64.deb
nuauth-utils_2.2.15-2_all.deb
to pool/main/n/nufw/nuauth-utils_2.2.15-2_all.deb
nuauth_2.2.15-2_amd64.deb
to pool/main/n/nufw/nuauth_2.2.15-2_amd64.deb
nufw_2.2.15-2.diff.gz
to pool/main/n/nufw/nufw_2.2.15-2.diff.gz
nufw_2.2.15-2.dsc
to pool/main/n/nufw/nufw_2.2.15-2.dsc
nufw_2.2.15-2_amd64.deb
to pool/main/n/nufw/nufw_2.2.15-2_amd64.deb
nutcpc_2.2.15-2_amd64.deb
to pool/main/n/nufw/nutcpc_2.2.15-2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pierre Chifflier <[EMAIL PROTECTED]> (supplier of updated nufw package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 25 Aug 2008 11:42:20 +0200
Source: nufw
Binary: nufw nuauth nuauth-extra nuauth-log-mysql nuauth-log-pgsql nutcpc
nuauth-utils libnuclient3 libnuclient-dev libpam-nufw
Architecture: source amd64 all
Version: 2.2.15-2
Distribution: unstable
Urgency: high
Maintainer: Pierre Chifflier <[EMAIL PROTECTED]>
Changed-By: Pierre Chifflier <[EMAIL PROTECTED]>
Description:
libnuclient-dev - Development files for nufw client library
libnuclient3 - client library for nufw authentication
libpam-nufw - Pluggable Authentication module for nufw authentication
nuauth - The authentication daemon from the nufw package
nuauth-extra - The authentication daemon from the nufw package
nuauth-log-mysql - Module for nuauth logging into MySQL databases
nuauth-log-pgsql - Module for nuauth logging into PostgreSQL databases
nuauth-utils - Set of tools useful to nuauth admin
nufw - a per-user firewalling daemon that interferes with libipq
nutcpc - a Linux client for the nufw authentication gateway system
Closes: 495769
Changes:
nufw (2.2.15-2) unstable; urgency=high
.
* Remove rpath to insecure location (Closes: #495769)
* urgency=high because of RC bug
* Add dependency on rpath
* Bump standards version (no changes)
Checksums-Sha1:
efb78d86b1137103e1fd8ad2375d977b27cbe0a1 1398 nufw_2.2.15-2.dsc
056f157b6178cb25db93d3bb7e068c6c958e6ca0 14724 nufw_2.2.15-2.diff.gz
d179702ab1739d711a54d6f8edf5002aebe5db11 41434 nufw_2.2.15-2_amd64.deb
071477dd062501d3e395cb08a70a9fc9a170d8b2 173360 nuauth_2.2.15-2_amd64.deb
623c60490293a0ac928b8cd50882622a6a657ab9 38016 libnuclient3_2.2.15-2_amd64.deb
55bb86a691c4a9044cf56cbdb5cf49a30801a0bf 20688
libnuclient-dev_2.2.15-2_amd64.deb
6485266b027c95e4a6bb4a2dbcdd58032ca8f35a 28232 nutcpc_2.2.15-2_amd64.deb
0cb12c7b0261927d7b8f89d3a55cb6009d40bb4a 20292 nuauth-extra_2.2.15-2_amd64.deb
222f1852c0ab2a87a3ecc3f7285bf316fea131dd 35396
nuauth-log-mysql_2.2.15-2_amd64.deb
f9813e5f7cdf1ffb4ac50698016074da32bcab99 29298
nuauth-log-pgsql_2.2.15-2_amd64.deb
b74d85f99a44cf99d339346b1959610f80ff1a4f 23834 libpam-nufw_2.2.15-2_amd64.deb
c2e6955c9b0b5722f71c3c97b01722437b2f058e 33320 nuauth-utils_2.2.15-2_all.deb
Checksums-Sha256:
d1664683334e652f3cf1f1a939cd9febdfa6d47bdc10801a371324dbe51048ae 1398
nufw_2.2.15-2.dsc
2f60033a0c0531ca271255b878da77cf1b0471316a9d52550d766727fd1aa2da 14724
nufw_2.2.15-2.diff.gz
7be53bf5cbc20980810aa63532114a2dfb37d15cd7d3f8cc9d73ce0359df62db 41434
nufw_2.2.15-2_amd64.deb
579cce39bba4c8f030fc53ecc9645e0a1cf28bcceba77cc239663922a5e8b5b8 173360
nuauth_2.2.15-2_amd64.deb
5c73114e8e77c283596f40e42b3a8fe0a369bdc27e4f7da31e4cb976b1ed3c80 38016
libnuclient3_2.2.15-2_amd64.deb
7aa2567572a549680599549af085d98e61b51453ecef1601100243444a25559d 20688
libnuclient-dev_2.2.15-2_amd64.deb
245cb3801735be4bb325b69f1ecfc31200773f4a6fd61dc326c1aab058c96659 28232
nutcpc_2.2.15-2_amd64.deb
8475289f912c9b0198070407b67dc121c22ff80dc0e96bff045e2b8b239e86ea 20292
nuauth-extra_2.2.15-2_amd64.deb
54a73b4f3ca40683065a1d690541c08753ed0701a15c9c3a9af46c777d7ab8d0 35396
nuauth-log-mysql_2.2.15-2_amd64.deb
1627845c19c9e782958d4e63fc1d46f4738a78d0b1fda028aa17d1b3d6877312 29298
nuauth-log-pgsql_2.2.15-2_amd64.deb
63f2c56091089817df1fc148d25e8bec06f54c2eeaafd6c81f57119dfe342681 23834
libpam-nufw_2.2.15-2_amd64.deb
98c19876482b33293821f1be3ace97bf0a1aa191234fc3cb38bd1f6ae575ea7a 33320
nuauth-utils_2.2.15-2_all.deb
Files:
6045c04a74be27c726be8528d0e6ddde 1398 net optional nufw_2.2.15-2.dsc
b09011909ffb6393886c174a6941f514 14724 net optional nufw_2.2.15-2.diff.gz
5cfaeed1591d947df738cf9fbf69d2b2 41434 net optional nufw_2.2.15-2_amd64.deb
9f4a9b6e42f3714aea0ae23b1134d73a 173360 net optional nuauth_2.2.15-2_amd64.deb
2039ae32c174e570422fcac0eed18c2e 38016 net optional
libnuclient3_2.2.15-2_amd64.deb
afffcac0e31807455772f4a4713d7270 20688 libdevel optional
libnuclient-dev_2.2.15-2_amd64.deb
e949765089ebbee295026e0b74b0676a 28232 net optional nutcpc_2.2.15-2_amd64.deb
43b2b6aee6d6612ad556d4d0152835c7 20292 net optional
nuauth-extra_2.2.15-2_amd64.deb
7bc2396f8c4cbd29a86cb8f7d495d859 35396 net optional
nuauth-log-mysql_2.2.15-2_amd64.deb
720a479b388b12ff8499c6f09269b492 29298 net optional
nuauth-log-pgsql_2.2.15-2_amd64.deb
a60db933c60bf210bc2b7c71f426dfc3 23834 net optional
libpam-nufw_2.2.15-2_amd64.deb
daaa69e278c91ad8ea9c7884f79b232d 33320 net optional
nuauth-utils_2.2.15-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFIsoCYtwVrWo1fQMsRAvQLAKDE2DonllntzB13yGA15xw2yZqWhACfWXEQ
jMHWQW5sLRDwmap7lvLVyEQ=
=nsDi
-----END PGP SIGNATURE-----
--- End Message ---