Your message dated Sat, 31 Dec 2011 13:57:06 +0000
with message-id <e1rgzqo-0006my...@franck.debian.org>
and subject line Bug#651917: fixed in ipmitool 1.8.11-2+squeeze2
has caused the Debian Bug report #651917,
regarding ipmitool: insecure file permission when creating PID files
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
651917: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651917
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ipmitool
Severity: grave
Tags: security
Justification: user security hole
Hi,
An insecure file permission flaw was found in the way ipmitool handled
PID file creation.
There's more info in the Red Hat bug, along with a patch; see
https://bugzilla.redhat.com/show_bug.cgi?id=742837
This has been assigned CVE-2011-4339. When you update a fix, could
you add it to the changelog entry?
Could you prepare updated packages for Squeeze and Lenny too?
Regards,
--
Yves-Alexis
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.1.0-1-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
--- Begin Message ---
Source: ipmitool
Source-Version: 1.8.11-2+squeeze2
We believe that the bug you reported is fixed in the latest version of
ipmitool, which is due to be installed in the Debian FTP archive:
ipmitool_1.8.11-2+squeeze2.diff.gz
to main/i/ipmitool/ipmitool_1.8.11-2+squeeze2.diff.gz
ipmitool_1.8.11-2+squeeze2.dsc
to main/i/ipmitool/ipmitool_1.8.11-2+squeeze2.dsc
ipmitool_1.8.11-2+squeeze2_i386.deb
to main/i/ipmitool/ipmitool_1.8.11-2+squeeze2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 651...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luk Claes <l...@debian.org> (supplier of updated ipmitool package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 28 Dec 2011 13:53:15 +0100
Source: ipmitool
Binary: ipmitool
Architecture: source i386
Version: 1.8.11-2+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Matthew Johnson <mj...@debian.org>
Changed-By: Luk Claes <l...@debian.org>
Description:
ipmitool - utility for IPMI control with kernel driver or LAN interface
Closes: 651917
Changes:
ipmitool (1.8.11-2+squeeze2) stable-security; urgency=high
.
* Don't set umask to fix CVE-2011-4339 (Closes: #651917).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk77E1MACgkQ5UTeB5t8Mo31+ACfc+ZHxkxs2WdqNKWposXTD7PX
8DEAoMGQnqVSbh2hcMWEhrMe8z3Jrt6Z
=wGYR
-----END PGP SIGNATURE-----
--- End Message ---
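
The changelog entry above fixes the flaw by no longer setting the umask. The following is an added example, not code from ipmitool or from the Debian or Red Hat patch: it assumes a daemon that clears its umask before creating a PID file with fopen(), and compares the resulting mode with a variant that leaves the umask alone and opens the file with an explicit mode. The function names and the /tmp location are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak (assumed pattern): the daemon clears its umask, then fopen() asks
 * for mode 0666, so the PID file ends up writable by every local user. */
static int write_pid_weak(const char *path) {
    umask(0);
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    fprintf(fp, "%ld\n", (long)getpid());
    return fclose(fp);
}

/* Hardened: umask left alone, explicit 0644, and the open fails if the
 * path already exists or is a symlink (O_EXCL, O_NOFOLLOW). */
static int write_pid_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    FILE *fp = fdopen(fd, "w");
    if (!fp) { close(fd); return -1; }
    fprintf(fp, "%ld\n", (long)getpid());
    return fclose(fp);
}

/* Permission bits of a file, or -1 if it cannot be examined. */
static int mode_of(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Create one PID file in a fresh private directory (constructed sample
 * location), return its permission bits, then clean up. */
int pidfile_mode(int hardened) {
    char dir[] = "/tmp/pidfile-demo-XXXXXX", path[64];
    mode_t saved = umask(022);          /* typical inherited umask */
    if (!mkdtemp(dir)) { umask(saved); return -1; }
    snprintf(path, sizeof path, "%s/demo.pid", dir);
    int rc = hardened ? write_pid_safe(path) : write_pid_weak(path);
    int mode = rc == 0 ? mode_of(path) : -1;
    unlink(path); rmdir(dir);
    umask(saved);
    return mode;
}

int main(void) {
    printf("weak %04o, hardened %04o\n", (unsigned)pidfile_mode(0), (unsigned)pidfile_mode(1));
    return 0;
}
```

To audit a host, compare the mode of existing PID files against 0644: any file with the group or other write bit set was created this way.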