Julian, thanks for the patches! Hardy: ACK
With Lucid - Natty, there are a few problems though: * Lucid and Maverick have the same version, which is not allowed for upgrade reasons. Lucid should have 0.9.6-0ubuntu2.1.10.04.1 and Maverick should have 0.9.6-0ubuntu2.1.10.10.1 * Lucid and Maverick use the dpatch patch system, but your patches are inline. These need to be converted to dpatch. * Natty's patch is named 0004-Backported-unescaped-shell-command-fixes-from-master.patch but in the series file it comes after 0005-0007. It should be named 0008-Backported-unescaped-shell-command-fixes-from-master.patch * Natty's changelog should reference this git commit: https://github.com/fabaff/bcfg2/commit/46795ae451ca6ede55a0edeb726978aef4684b53 * The natty patch does not remove 'self.AddEntry(hostkey)' and 'self.AddEntry(".".join([hostkey.split('.')[0]]+['pub', "H_%s" % client]))', but upstream's does. This seems harmless just looking at the patch, but I wonder why you did that. I verified the Lucid and Maverick patches against Debian's (ie and our Hardy version), but have not tested them. In the interest of time due to the severity of this vulnerability, I have made these changes and uploaded to the security PPA. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/844743 Title: Unescaped shell command vulnerabilities To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/bcfg2/+bug/844743/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
