Your message dated Sun, 20 Jun 2010 20:32:09 +0000
with message-id <e1oqrbz-0006sn...@ries.debian.org>
and subject line Bug#585773: fixed in pyftpd 0.8.4.6+lenny1
has caused the Debian Bug report #585773,
regarding pyftpd: Insecure usage of temporary directory
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
585773: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585773
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pyftpd
Version: 0.8.4.6
Severity: critical
Justification: causes serious data loss
*** Please type your report below this line ***
Pyftpd creates a log file in a temporary directory using a predictable
name. This allows a local attacker to create a denial of service
condition and discloses sensitive information to unprivileged users,
for example accounts of other users connecting to the server and the paths they
visit.
One should use tempfile.mkstemp
<http://docs.python.org/library/tempfile.html#tempfile.mkstemp> or
use the /var/log/ directory instead of /tmp/ and use proper file system
modes for the log file.
-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages pyftpd depends on:
ii python 2.5.2-3 An interactive high-level object-o
ii python-central 0.6.8 register and build utility for Pyt
Versions of packages pyftpd recommends:
ii python-tk 2.5.2-1 Tkinter - Writing Tk applications
pyftpd suggests no packages.
-- no debconf information
--- End Message ---
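The two mitigations the report above recommends (an unpredictable name via tempfile.mkstemp, or a fixed path such as one under /var/log/ opened with restrictive modes), shown as an added Python example that is not part of pyftpd or of the bug thread; the function names and the audit helper are my own, and the helper only inspects mode bits and symlinks, not the ownership of the containing directory.

```python
import os
import shutil
import stat
import tempfile

def open_log_private(path):
    # Fixed path (e.g. under /var/log/): O_NOFOLLOW rejects a symlink planted at
    # the name, 0600 keeps it private under any umask, fstat verifies ownership.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW, 0o600)
    st = os.fstat(fd)
    if (not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid()
            or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)):
        os.close(fd)
        raise PermissionError("refusing to log to %s: not a private file we own" % path)
    return os.fdopen(fd, "a")

def open_log_mkstemp(directory=None):
    # The report's suggestion: unpredictable name, created atomically with mode 0600.
    fd, path = tempfile.mkstemp(prefix="pyftpd-", suffix=".log", dir=directory)
    return os.fdopen(fd, "a"), path

def log_file_problems(path):
    # Audit an existing log path: planted symlink, or readable by other local users.
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["readable-by-others"]
    return []

def run_demo():
    # Exercise the helpers in a scratch directory created here (constructed data).
    d = tempfile.mkdtemp(prefix="pyftpd-demo-")
    good = os.path.join(d, "pyftpd.log")
    with open_log_private(good) as f:
        f.write("USER alice: login ok\n")
    results = {"private_problems": log_file_problems(good)}
    planted = os.path.join(d, "planted.log")   # a symlink already at the expected name
    os.symlink(good, planted)
    results["planted_problems"] = log_file_problems(planted)
    try:
        open_log_private(planted)
        results["private_refused_symlink"] = False
    except OSError:
        results["private_refused_symlink"] = True
    f, tmp_path = open_log_mkstemp(d)
    f.close()
    results["mkstemp_problems"] = log_file_problems(tmp_path)
    shutil.rmtree(d)
    return results
```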
--- Begin Message ---
Source: pyftpd
Source-Version: 0.8.4.6+lenny1
We believe that the bug you reported is fixed in the latest version of
pyftpd, which is due to be installed in the Debian FTP archive:
pyftpd_0.8.4.6+lenny1.dsc
to main/p/pyftpd/pyftpd_0.8.4.6+lenny1.dsc
pyftpd_0.8.4.6+lenny1.tar.gz
to main/p/pyftpd/pyftpd_0.8.4.6+lenny1.tar.gz
pyftpd_0.8.4.6+lenny1_all.deb
to main/p/pyftpd/pyftpd_0.8.4.6+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 585...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Radovan Garabík <gara...@kassiopeia.juls.savba.sk> (supplier of updated pyftpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 16 Jun 2010 19:42:14 +0200
Source: pyftpd
Binary: pyftpd
Architecture: source all
Version: 0.8.4.6+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Radovan Garabík <gara...@kassiopeia.juls.savba.sk>
Changed-By: Radovan Garabík <gara...@kassiopeia.juls.savba.sk>
Description:
pyftpd - ftp daemon with advanced features
Closes: 585773 585776
Changes:
pyftpd (0.8.4.6+lenny1) stable-security; urgency=high
.
* SECURITY: change default configuration - do not include any
default users, disable anonymous access - CVE-2010-2073
(closes: #585776)
* SECURITY: change default logging file to /dev/null -
CVE-2010-2072 (closes: #585773)
Checksums-Sha1:
e3ef1ed9fb1c8c487291be126f6d14022ca30d8a 793 pyftpd_0.8.4.6+lenny1.dsc
d8d08a695681a938edf0f91929f9fb5c2cc4fd06 46210 pyftpd_0.8.4.6+lenny1.tar.gz
c9d59b1b0594ce99f8990cc7d7288c0ac9aa9bc5 36220 pyftpd_0.8.4.6+lenny1_all.deb
Checksums-Sha256:
eb02689aa045a8b38fe49dff49057d0a583e5ce1cb8ea4bde2ac0a0591c874a5 793 pyftpd_0.8.4.6+lenny1.dsc
5511abf28f6c5be2d335a4da20ae3dbc259210ee9528ddce209bab8c931627f5 46210 pyftpd_0.8.4.6+lenny1.tar.gz
02c724a6fe5fb30048ea629c26985f4548c327c7b7ad18a89ce41321a0f30db9 36220 pyftpd_0.8.4.6+lenny1_all.deb
Files:
a8c2ae90972e71fd69c616ca24267720 793 net extra pyftpd_0.8.4.6+lenny1.dsc
bd4d7f31fcf370478d30c963ecde307c 46210 net extra pyftpd_0.8.4.6+lenny1.tar.gz
b81756d6451187fa4583bfe335c9ab4c 36220 net extra pyftpd_0.8.4.6+lenny1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkwaKR0ACgkQUBQJxqD+WLiOvgCcDm5UNPpYCdgcrmT63aQoAhNw
NYoAn2p5aw4tl3uPkvV7mkAmwQUmdMna
=bZqg
-----END PGP SIGNATURE-----
--- End Message ---