Your message dated Wed, 09 Feb 2005 18:17:14 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#293900: fixed in firehol 1.214-4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 6 Feb 2005 18:43:26 +0000
>From [EMAIL PROTECTED] Sun Feb 06 10:43:26 2005
Return-path: <[EMAIL PROTECTED]>
Received: from kitenet.net [64.62.161.42] (postfix)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CxrNW-0007a8-00; Sun, 06 Feb 2005 10:43:26 -0800
Received: from dragon.kitenet.net (unknown [66.168.94.144])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
by kitenet.net (Postfix) with ESMTP id 3FF33181BF
for <[EMAIL PROTECTED]>; Sun, 6 Feb 2005 18:43:25 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
id 8DBA96E4EB; Sun, 6 Feb 2005 13:45:46 -0500 (EST)
Date: Sun, 6 Feb 2005 13:45:46 -0500
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: still contains unsafe temporary file usage
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="jI8keyz6grp/JLjh"
Content-Disposition: inline
X-Reportbug-Version: 3.7.1
User-Agent: Mutt/1.5.6+20040907i
--jI8keyz6grp/JLjh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: firehol
Version: 1.214-3
Severity: grave
Tags: security
I'm afraid that recent fixes still missed some unsafe temporary
directory uses in firehol. In firehol-lib.sh I see:
${CAT_CMD} /proc/config >/tmp/kcfg.$$
Upstream patched this here:
http://cvs.sourceforge.net/viewcvs.py/firehol/firehol/firehol.sh?r1=1.224&r2=1.225&diff_format=u
The other parts of that patch, which add ${RANDOM} to filenames, do not
seem to actually add security.
This may or may not still be part of CAN-2005-0225, the CAN is not
sufficiently clear to tell.
-- 
see shy jo
--jI8keyz6grp/JLjh
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCBmXZd8HHehbQuO8RAvUHAKDmFh6D42rw8hlsMnIr3fWiuFiMgwCgyDwc
Ugxso9dqTkFPYhPuGnO+pdA=
=DJqx
-----END PGP SIGNATURE-----
--jI8keyz6grp/JLjh--
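An added illustration of the temporary-file pattern reported above, next to a hardened form (this example is not part of the original message and is not firehol's code). A private sandbox directory stands in for /tmp; the `victim` file, the planted symlink and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a private sandbox directory stands in for /tmp.

# Pattern from the report: predictable name (shell PID), plain '>' redirection.
# '>' opens the path with create-or-truncate semantics, so it follows a
# symlink that already exists at that name. Appending ${RANDOM} changes the
# name but not the way the file is opened.
write_unsafe() {  # $1 = directory, $2 = data
    printf '%s\n' "$2" > "$1/kcfg.$$"
}

# Hardened form: mktemp chooses an unpredictable name and creates the file
# exclusively with mode 0600, so a pre-existing file or symlink is never reused.
write_safe() {  # $1 = directory, $2 = data; prints the path it created
    tmp=$(mktemp "$1/kcfg.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Prints "clobbered" or "intact" for the file behind a pre-existing symlink.
demo() {  # $1 = unsafe | safe
    sandbox=$(mktemp -d) || return 1
    printf 'original\n' > "$sandbox/victim"
    # Constructed scenario: the predictable name already exists as a symlink.
    ln -s "$sandbox/victim" "$sandbox/kcfg.$$"
    case $1 in
        unsafe) write_unsafe "$sandbox" "kernel config" ;;
        safe)   write_safe "$sandbox" "kernel config" >/dev/null ;;
    esac
    if [ "$(cat "$sandbox/victim")" = "original" ]; then
        result=intact
    else
        result=clobbered
    fi
    rm -rf "$sandbox"
    printf '%s\n' "$result"
}

demo unsafe
demo safe
```

For scratch data that a root-run script needs across several steps, a directory from `mktemp -d` removed in an exit trap keeps every intermediate file out of the shared /tmp namespace.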
---------------------------------------
Received: (at 293900-close) by bugs.debian.org; 9 Feb 2005 23:23:03 +0000
>From [EMAIL PROTECTED] Wed Feb 09 15:23:03 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Cz1Al-0003X2-00; Wed, 09 Feb 2005 15:23:03 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1Cz158-0003c4-00; Wed, 09 Feb 2005 18:17:14 -0500
From: Alexander Wirt <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#293900: fixed in firehol 1.214-4
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 09 Feb 2005 18:17:14 -0500
Source: firehol
Source-Version: 1.214-4
We believe that the bug you reported is fixed in the latest version of
firehol, which is due to be installed in the Debian FTP archive:
firehol_1.214-4.diff.gz
to pool/main/f/firehol/firehol_1.214-4.diff.gz
firehol_1.214-4.dsc
to pool/main/f/firehol/firehol_1.214-4.dsc
firehol_1.214-4_all.deb
to pool/main/f/firehol/firehol_1.214-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexander Wirt <[EMAIL PROTECTED]> (supplier of updated firehol package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 9 Feb 2005 22:25:31 +0100
Source: firehol
Binary: firehol
Architecture: source all
Version: 1.214-4
Distribution: unstable
Urgency: low
Maintainer: Alexander Wirt <[EMAIL PROTECTED]>
Changed-By: Alexander Wirt <[EMAIL PROTECTED]>
Description:
firehol - An easy to use but powerful iptables stateful firewall
Closes: 293900
Changes:
firehol (1.214-4) unstable; urgency=low
.
* Fixed another security hole until I have finished the next version
of the firehol package (sometime at the weekend).
(Closes: #293900)
Files:
e59406718ef5aa4b2fce45757902d2a9 578 net optional firehol_1.214-4.dsc
4dd14f5a0957b16333630c8875ad228c 4705 net optional firehol_1.214-4.diff.gz
a04417f6fa62343891b09e8d3d379803 156368 net optional firehol_1.214-4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCCoA101u8mbx9AgoRArT3AKCboRHFQVUKmNHeKPKpo8m55ahm/QCePmOR
L4vo9WY34yH9TOoRb2+hcpY=
=tGbL
-----END PGP SIGNATURE-----