Your message dated Wed, 09 Dec 2009 04:17:50 +0000
with message-id <[email protected]>
and subject line Bug#559831: fixed in xmlsec1 1.2.14-1
has caused the Debian Bug report #559831,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
559831: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559831
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: xmlsec1
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736



--- End Message ---
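The CVE text above says only that libltdl "attempts to open a .la file in the current working directory". The following is an added example, not code from the bug report, from GNU Libtool or from xmlsec1: a simplified model of that lookup-order flaw next to a hardened lookup, so the Trojan-horse path is concrete. The file system is replaced by a constructed list of paths that "exist", and the cwd, the search directories and the module name `foo.la` are all assumptions chosen for the illustration; the model is not a line-for-line reproduction of ltdl.c.

```c
/* Added example (not from the bug report, libtool or xmlsec1): a minimal
 * model of the lookup-order flaw described by CVE-2009-3736 beside a
 * hardened lookup. The file system is a constructed list of "existing"
 * paths so the program runs offline and deterministically. */
#include <stdio.h>
#include <string.h>

#define MAX_PATH 256

/* Constructed scenario: an unprivileged user controls the current working
 * directory of a privileged process (e.g. a setuid tool or a daemon started
 * from a world-writable directory) and has planted foo.la there. */
static const char *existing[] = {
    "/tmp/attacker/foo.la",       /* Trojan horse in the attacker's cwd   */
    "/usr/lib/xmlsec1/foo.la",    /* legitimate module in a trusted dir   */
    NULL
};
static const char *cwd = "/tmp/attacker";                   /* assumption */
static const char *search_dirs[] = {                        /* assumption */
    "/usr/lib/xmlsec1", "/usr/local/lib", NULL
};

/* Stand-in for access()/fopen() against the constructed file system. */
static int path_exists(const char *p) {
    for (int i = 0; existing[i]; i++)
        if (strcmp(existing[i], p) == 0) return 1;
    return 0;
}

/* Try each configured search directory in order; first hit wins. */
static int resolve_in_search_path(const char *name, char *out, size_t n) {
    for (int i = 0; search_dirs[i]; i++) {
        snprintf(out, n, "%s/%s", search_dirs[i], name);
        if (path_exists(out)) return 1;
    }
    return 0;
}

/* Vulnerable order (model of the flaw): a bare name with no directory
 * component is first tried relative to the cwd, and only then against the
 * trusted search path. Whoever controls the cwd controls what gets loaded. */
int resolve_vulnerable(const char *name, char *out, size_t n) {
    if (strchr(name, '/')) {              /* explicit path: use as given */
        snprintf(out, n, "%s", name);
        return path_exists(out);
    }
    snprintf(out, n, "%s/%s", cwd, name); /* implicit cwd lookup: the bug */
    if (path_exists(out)) return 1;
    return resolve_in_search_path(name, out, n);
}

/* Hardened order: a bare name is resolved only against the configured
 * search directories. The cwd is never consulted implicitly; a caller that
 * really wants a file there must say so with an explicit "./name". */
int resolve_hardened(const char *name, char *out, size_t n) {
    if (strchr(name, '/')) {
        snprintf(out, n, "%s", name);
        return path_exists(out);
    }
    return resolve_in_search_path(name, out, n);
}

int main(void) {
    char p[MAX_PATH];
    if (resolve_vulnerable("foo.la", p, sizeof p)) printf("vulnerable: %s\n", p);
    if (resolve_hardened("foo.la", p, sizeof p))   printf("hardened:   %s\n", p);
    return 0;
}
```

With the constructed inputs the vulnerable resolver returns the attacker's `/tmp/attacker/foo.la`, while the hardened one returns `/usr/lib/xmlsec1/foo.la` and refuses a bare name that exists nowhere on the search path. For a package maintainer answering the question in the bug report, the practical check is whether any shipped binary carries its own copy of ltdl (the `lt_dlopen`/`lt_dlinit` family) rather than linking the system libltdl, and whether that code is reachable from a context where the cwd is attacker-controlled; the changelog below records that xmlsec1 resolved it by moving to an upstream release that no longer bundles the affected code.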
--- Begin Message ---
Source: xmlsec1
Source-Version: 1.2.14-1

We believe that the bug you reported is fixed in the latest version of
xmlsec1, which is due to be installed in the Debian FTP archive:

libxmlsec1-dev_1.2.14-1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-dev_1.2.14-1_amd64.deb
libxmlsec1-gnutls_1.2.14-1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-gnutls_1.2.14-1_amd64.deb
libxmlsec1-nss_1.2.14-1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-nss_1.2.14-1_amd64.deb
libxmlsec1-openssl_1.2.14-1_amd64.deb
  to main/x/xmlsec1/libxmlsec1-openssl_1.2.14-1_amd64.deb
libxmlsec1_1.2.14-1_amd64.deb
  to main/x/xmlsec1/libxmlsec1_1.2.14-1_amd64.deb
xmlsec1_1.2.14-1.diff.gz
  to main/x/xmlsec1/xmlsec1_1.2.14-1.diff.gz
xmlsec1_1.2.14-1.dsc
  to main/x/xmlsec1/xmlsec1_1.2.14-1.dsc
xmlsec1_1.2.14-1_amd64.deb
  to main/x/xmlsec1/xmlsec1_1.2.14-1_amd64.deb
xmlsec1_1.2.14.orig.tar.gz
  to main/x/xmlsec1/xmlsec1_1.2.14.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
John V. Belmonte <[email protected]> (supplier of updated xmlsec1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 08 Dec 2009 21:47:36 -0500
Source: xmlsec1
Binary: libxmlsec1-dev libxmlsec1 libxmlsec1-openssl libxmlsec1-gnutls libxmlsec1-nss xmlsec1
Architecture: source amd64
Version: 1.2.14-1
Distribution: unstable
Urgency: low
Maintainer: John V. Belmonte <[email protected]>
Changed-By: John V. Belmonte <[email protected]>
Description: 
 libxmlsec1 - XML security library
 libxmlsec1-dev - Development files for the XML security library
 libxmlsec1-gnutls - Gnutls engine for the XML security library
 libxmlsec1-nss - Nss engine for the XML security library
 libxmlsec1-openssl - Openssl engine for the XML security library
 xmlsec1    - XML security command line processor
Closes: 559831
Changes: 
 xmlsec1 (1.2.14-1) unstable; urgency=low
 .
   * New upstream release, fixes CVE-2009-3736 (Closes: #559831)
   * debian/rules: dh_prep instead of dh_clean
Checksums-Sha1: 
 e6e534ee42489a98b301de0621642dee76b4a000 1234 xmlsec1_1.2.14-1.dsc
 8f949ae74a6d66278a595bd063f13e0ad196d14a 1652670 xmlsec1_1.2.14.orig.tar.gz
 ca344f03e41afbc4b3a5fd832636257fcda8b1df 5189 xmlsec1_1.2.14-1.diff.gz
 9654360e10345a9af081df418da339dcd5206528 912584 libxmlsec1-dev_1.2.14-1_amd64.deb
 e5bd4c57eec608ec1b6e1e9a265245cc4e030930 163458 libxmlsec1_1.2.14-1_amd64.deb
 5be5518d51cb3b8ac74c985f13bca4d8b89e597f 100336 libxmlsec1-openssl_1.2.14-1_amd64.deb
 6185407b00719c0a5969f281bfefc942a08b5b68 41520 libxmlsec1-gnutls_1.2.14-1_amd64.deb
 f2bf8c7a37764dce31a2a015328a84a5c5612482 93062 libxmlsec1-nss_1.2.14-1_amd64.deb
 4ed42ff3679a1b710ac2d01c8018152a711d8d16 45302 xmlsec1_1.2.14-1_amd64.deb
Checksums-Sha256: 
 6a1ffed16146ffd4d8cd14bbf5012ad91f7f707c7caf9f98d5f70fa3afe8dcc1 1234 xmlsec1_1.2.14-1.dsc
 390a5085651828b8fe12aa978b200f59b9155eedbb91a4be89bf7cf39eefdd4a 1652670 xmlsec1_1.2.14.orig.tar.gz
 0090b19f825e60628999628b5cb79326228df51c22341092b672f2c25a9a62af 5189 xmlsec1_1.2.14-1.diff.gz
 bcfb58ae171dc1ffa2885ef4d6bf945f8121630ae9870daff10b271bd7a1f690 912584 libxmlsec1-dev_1.2.14-1_amd64.deb
 ee365adb67c22a24873d5e508af04200c617c289c1f9c96acb69b548cadc2920 163458 libxmlsec1_1.2.14-1_amd64.deb
 542dfe9ae92d104ffe84b544e6e7ad29cc0e4ed9624e584f04bd48afaca334cc 100336 libxmlsec1-openssl_1.2.14-1_amd64.deb
 dfba72eaafab0ad534919e834afd3313289cdc39f974abd884ef1c1cc86e14b7 41520 libxmlsec1-gnutls_1.2.14-1_amd64.deb
 ca956cf607043c8b1cfa88f62c15c1368bbac4a193bdca6010b2db93f7fa1384 93062 libxmlsec1-nss_1.2.14-1_amd64.deb
 f0f4c2b9ece4c31fe15ac75e3ab770b729ff0d237ba2a33fe2563852498ec515 45302 xmlsec1_1.2.14-1_amd64.deb
Files: 
 bd2086e3a4454c89bb5767115dcf90f7 1234 text optional xmlsec1_1.2.14-1.dsc
 1f24ab1d39f4a51faf22244c94a6203f 1652670 text optional xmlsec1_1.2.14.orig.tar.gz
 afbe9bba8e4b38261b5b4664b6dcb7ac 5189 text optional xmlsec1_1.2.14-1.diff.gz
 f29339ce0a2fe7d8086a151a292e63b8 912584 libdevel optional libxmlsec1-dev_1.2.14-1_amd64.deb
 30fd8e023d98b199e97a4495b6bf92ef 163458 libs optional libxmlsec1_1.2.14-1_amd64.deb
 5194f953f313b60cf6fdd37a8f5ea340 100336 libs optional libxmlsec1-openssl_1.2.14-1_amd64.deb
 db2b938e7a79bc1307082c927c6ee793 41520 libs optional libxmlsec1-gnutls_1.2.14-1_amd64.deb
 be5ec74518be63622a82b5d4ca54dd50 93062 libs optional libxmlsec1-nss_1.2.14-1_amd64.deb
 3f9c49788f52cd8780a9496628c89418 45302 text optional xmlsec1_1.2.14-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAksfH9cACgkQ5Nfg6kxAQQoHggCghRa73W+3rDvF9D+ZfaDUi0TV
hxQAoIdv19+npGDzQaIcTf5enSJScrEM
=IV/p
-----END PGP SIGNATURE-----



--- End Message ---