Your message dated Mon, 18 Jul 2005 17:17:10 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#318287: fixed in heartbeat 1.2.3-12
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 14 Jul 2005 14:41:18 +0000
Date: Thu, 14 Jul 2005 17:41:57 +0300
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: CAN-2005-2231 temporary file vulnerabilities
Message-ID: <[EMAIL PROTECTED]>
X-Reportbug-Version: 3.15
User-Agent: Mutt/1.5.9i

Package: heartbeat
Severity: serious
Tags: security

According to http://secunia.com/advisories/16039:

> Eric Romang has reported a vulnerability in heartbeat, which can be exploited
> by malicious, local users to perform certain actions on a vulnerable system
> with escalated privileges.
>
> The vulnerability is caused due to several temporary files being created
> insecurely in "/tmp" by "cts/CTStests.py.in",
> "heartbeat/lib/BasicSanityCheck.in" and "lib/stonith/meatclient.c". This can be
> exploited via symlink attacks to create or overwrite arbitrary files with the
> privileges of the user running the affected application.
>
> The vulnerability has been reported in versions 1.2.3 and prior.

This has been assigned CAN-2005-2231. I have not verified the holes.

-- 
see shy jo

---------------------------------------
Received: (at 318287-close) by bugs.debian.org; 18 Jul 2005 21:24:18 +0000
Date: Mon, 18 Jul 2005 17:17:10 -0400
From: Simon Horman <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#318287: fixed in heartbeat 1.2.3-12
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
X-Katie: $Revision: 1.56 $

Source: heartbeat
Source-Version: 1.2.3-12

We believe that the bug you reported is fixed in the latest version of
heartbeat, which is due to be installed in the Debian FTP archive:

heartbeat-dev_1.2.3-12_i386.deb
  to pool/main/h/heartbeat/heartbeat-dev_1.2.3-12_i386.deb
heartbeat_1.2.3-12.diff.gz
  to pool/main/h/heartbeat/heartbeat_1.2.3-12.diff.gz
heartbeat_1.2.3-12.dsc
  to pool/main/h/heartbeat/heartbeat_1.2.3-12.dsc
heartbeat_1.2.3-12_i386.deb
  to pool/main/h/heartbeat/heartbeat_1.2.3-12_i386.deb
ldirectord_1.2.3-12_all.deb
  to pool/main/h/heartbeat/ldirectord_1.2.3-12_all.deb
libpils-dev_1.2.3-12_i386.deb
  to pool/main/h/heartbeat/libpils-dev_1.2.3-12_i386.deb
libpils0_1.2.3-12_i386.deb
  to pool/main/h/heartbeat/libpils0_1.2.3-12_i386.deb
libstonith-dev_1.2.3-12_i386.deb
  to pool/main/h/heartbeat/libstonith-dev_1.2.3-12_i386.deb
libstonith0_1.2.3-12_i386.deb
  to pool/main/h/heartbeat/libstonith0_1.2.3-12_i386.deb
stonith_1.2.3-12_i386.deb
  to pool/main/h/heartbeat/stonith_1.2.3-12_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Horman <[EMAIL PROTECTED]> (supplier of updated heartbeat package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Mon, 18 Jul 2005 22:27:29 +0200
Source: heartbeat
Binary: libstonith-dev ldirectord libstonith0 heartbeat libpils-dev libpils0 stonith heartbeat-dev
Architecture: source i386 all
Version: 1.2.3-12
Distribution: unstable
Urgency: high
Maintainer: Simon Horman <[EMAIL PROTECTED]>
Changed-By: Simon Horman <[EMAIL PROTECTED]>
Description:
 heartbeat      - Subsystem for High-Availability Linux
 heartbeat-dev  - Subsystem for High-Availability Linux - development files
 ldirectord     - Monitors virtual services provided by LVS
 libpils-dev    - Plugin and Interface Loading System - development files
 libpils0       - Plugin and Interface Loading System
 libstonith-dev - Interface for remotely powering down a node in the cluster
 libstonith0    - Interface for remotely powering down a node in the cluster
 stonith        - Interface for remotely powering down a node in the cluster
Closes: 309906 318266 318287
Changes:
 heartbeat (1.2.3-12) unstable; urgency=high
 .
   * 11-tmpfile-problems.patch, 12-tmpfile-problems-2.patch
     Don't use predictable temp files
     [heartbeat/lib/BasicSanityCheck.in, heartbeat/resource.d/WAS.in
     lib/plugins/stonith/meatware.c, lib/stonith/meatclient.c,
     cts/CM_hb.py.in, cts/CTStests.py.in CAN-2005-2231]
     (closes: #318287)
   * debian/apply
     Apply patches in the correct order.
   * 12-tmpfile-problems-2.patch
     Added CTS back in with security fix
     [usr/lib/heartbeat/cts/CM_fs.py, usr/lib/heartbeat/cts/CM_hb.py,
     usr/lib/heartbeat/cts/CTS.py, usr/lib/heartbeat/cts/CTSaudits.py,
     usr/lib/heartbeat/cts/CTSlab.py, usr/lib/heartbeat/cts/CTStests.py
     CAN-2005-2231]
   * 13-confdir.patch
     Change CONF_D defined (and missing) in some resources to HA_CONFDIR
     in shelfuncs, allowing arp_config to function correctly in IPaddr2
     and SendArp. (closes: #318266)
   * debian/rules
     Include cts documentation
   * 14-ipadd2_no_loopback_delete.patch
     Fix IPaddr2 so it doesn't remove loopback interfaces on stop
   * 15-LVM2.patch
     Allow the LVM resource to work with LVM2 as well as LVM1
     (closes: #309906)
   * Upgrade Standards-Version from 3.6.1 to 3.6.2
Files:
 b1ef966b8f32a838440062179debac9a 871 admin optional heartbeat_1.2.3-12.dsc
 d38b1e8a63ac2e62bd4a07eca0bbcad2 261370 admin optional heartbeat_1.2.3-12.diff.gz
 098e0fe127e68bc88b5dd000f23596c4 45518 admin optional ldirectord_1.2.3-12_all.deb
 59070057c55296c53e523ad019a99dc3 36714 admin optional stonith_1.2.3-12_i386.deb
 cb53ca0af80aacdc7537f4a3e345b3b5 75906 libs optional libstonith0_1.2.3-12_i386.deb
 2604d5c02a442ecea0283159ad5b6f56 29760 libdevel optional libstonith-dev_1.2.3-12_i386.deb
 ffe819824f30676caaca4e91a1782cc3 46546 libs optional libpils0_1.2.3-12_i386.deb
 f1cf4805fce5fd32d0da6fd5a3657c6c 57626 devel optional libpils-dev_1.2.3-12_i386.deb
 6fdde8d76b60cfc85971a6f9a70ea3e0 501446 admin optional heartbeat_1.2.3-12_i386.deb
 00d1faa929d88ec5f03085fb62cb47f2 117296 devel optional heartbeat-dev_1.2.3-12_i386.deb
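The advisory quoted in the bug report describes temporary files created under predictable names in /tmp, where a pre-existing symlink redirects the write, and the changelog above fixes it with "Don't use predictable temp files". The following Python is an added example, not heartbeat's or Debian's code and not the contents of the patches named above (Python is chosen because most of the patched CTS files are Python). It shows the predictable-name pattern beside its two hardened replacements, tempfile.mkstemp for scratch data and O_CREAT|O_EXCL for a name that must stay fixed, and exercises all three inside a private directory the example creates itself. The function names, the "victim.txt" file and its contents are constructed for this example.

```python
import errno
import os
import shutil
import stat
import tempfile


def predictable_tmp_path(name: str, directory: str = "/tmp") -> str:
    # The pattern the advisory describes: a fixed name in a shared, world-writable
    # directory. Anyone who can create entries there can pre-create this name, and
    # a later open(path, "w") follows whatever is already there, symlinks included.
    return os.path.join(directory, name)


def open_fixed_name_safely(path: str) -> int:
    # Hardened form for a name that must stay fixed (locks, rendezvous files):
    # O_CREAT|O_EXCL makes the kernel refuse if anything already exists at the
    # path, symlink included; O_NOFOLLOW (where the platform has it) adds the
    # same refusal for opens that do not create. Mode 0600 keeps the file private.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def write_scratch_file(data: bytes, directory: str, prefix: str = "hb-") -> str:
    # Hardened form for scratch data: mkstemp picks an unpredictable name and
    # creates it with O_CREAT|O_EXCL and mode 0600 in one step, so there is no
    # window between choosing the name and creating the file.
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def demonstrate(workdir: str) -> dict:
    # Everything below happens inside a private directory supplied by the caller,
    # standing in for /tmp. The victim file and its contents are constructed.
    victim = os.path.join(workdir, "victim.txt")
    with open(victim, "w") as fh:
        fh.write("original\n")

    planted = predictable_tmp_path("heartbeat.tmp", workdir)
    os.symlink(victim, planted)  # a pre-existing link at the predictable name

    # Vulnerable pattern: open(..., "w") follows the link and truncates victim.
    with open(planted, "w") as fh:
        fh.write("clobbered\n")
    with open(victim) as fh:
        insecure_followed = fh.read() == "clobbered\n"

    # Hardened fixed-name open: the kernel refuses the pre-existing entry
    # (EEXIST from O_EXCL, or ELOOP from O_NOFOLLOW on some platforms).
    try:
        os.close(open_fixed_name_safely(planted))
        exclusive_refused = False
    except OSError as exc:
        exclusive_refused = exc.errno in (errno.EEXIST, errno.ELOOP)

    # Hardened scratch file: a fresh regular file with a private mode and a name
    # nobody could have pre-created.
    scratch = write_scratch_file(b"state\n", workdir)
    st = os.lstat(scratch)

    return {
        "insecure_followed_symlink": insecure_followed,
        "exclusive_refused": exclusive_refused,
        "scratch_is_regular": stat.S_ISREG(st.st_mode),
        "scratch_mode": stat.S_IMODE(st.st_mode),
        "scratch_name_differs": os.path.basename(scratch) != "heartbeat.tmp",
    }


def demonstrate_in_fresh_dir() -> dict:
    # Self-contained runner: builds its own private directory and removes it.
    workdir = tempfile.mkdtemp(prefix="tmpfile-demo-")
    try:
        return demonstrate(workdir)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in demonstrate_in_fresh_dir().items():
        print(f"{key}: {value}")
```

The same split applies to the shell and C files in the fix list: a shell script gets the equivalent of write_scratch_file from mktemp(1), and C gets it from mkstemp(3) or open(2) with O_CREAT|O_EXCL; in every case the property to check in review is that the name is created and opened atomically, never chosen first and opened later.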