Your message dated Thu, 06 Mar 2008 14:47:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#440950: fixed in qgit 1.5.8-1
has caused the Debian Bug report #440950,
regarding CVE-2007-4631 insecure handling of temporary files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
440950: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440950
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: qgit
Version: 1.5.5-1
Severity: grave
Tags: security

Hi,
A CVE has been issued against qgit:
CVE-2007-4631[0]:
The DataLoader::doStart function in dataloader.cpp in QGit 1.5.6 and other
versions up to 2pre1 allows local users to overwrite arbtirary files and
execute arbitrary code via a symlink attack on temporary files with predictable
filenames.

If you fix this please include the CVE id in your changelog.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4631

Kind regards
Nico


-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgplnTE2AeD0Q.pgp
Description: PGP signature


--- End Message ---
--- Begin Message ---
Source: qgit
Source-Version: 1.5.8-1

We believe that the bug you reported is fixed in the latest version of
qgit, which is due to be installed in the Debian FTP archive:

qgit_1.5.8-1.diff.gz
  to pool/main/q/qgit/qgit_1.5.8-1.diff.gz
qgit_1.5.8-1.dsc
  to pool/main/q/qgit/qgit_1.5.8-1.dsc
qgit_1.5.8-1_i386.deb
  to pool/main/q/qgit/qgit_1.5.8-1_i386.deb
qgit_1.5.8.orig.tar.gz
  to pool/main/q/qgit/qgit_1.5.8.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Wartan Hachaturow <[EMAIL PROTECTED]> (supplier of updated qgit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 06 Mar 2008 11:51:48 +0300
Source: qgit
Binary: qgit
Architecture: source i386
Version: 1.5.8-1
Distribution: unstable
Urgency: low
Maintainer: Wartan Hachaturow <[EMAIL PROTECTED]>
Changed-By: Wartan Hachaturow <[EMAIL PROTECTED]>
Description: 
 qgit       - Qt application for viewing GIT trees
Closes: 440950
Changes: 
 qgit (1.5.8-1) unstable; urgency=low
 .
   * New upstream release, aka "Fix the BTS cruft I made".
   * Merge changelog from 1.5.5-1.1 NMU (I wonder if BTS eats that)
   * Closes: #440950 (die, die!)
Files: 
 d9aad3373785cb5075b9f881b71047cc 599 x11 optional qgit_1.5.8-1.dsc
 054b8a3a5e3add79a8e99b0dbdb17c45 272831 x11 optional qgit_1.5.8.orig.tar.gz
 c024ba8a1030ac46cd8db41a14e835a9 3695 x11 optional qgit_1.5.8-1.diff.gz
 036b2569c13f9abd58f4a0c3fb56eaab 379804 x11 optional qgit_1.5.8-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH0ABRuMozHxByYXERAgPHAKC+Vds4UQs+VvLwjTlCHHrqaZ3IAgCeNnNa
qtDvu7PecDImqOXqYV+pSZ8=
=VcZx
-----END PGP SIGNATURE-----



--- End Message ---

Reply via email to