Your message dated Sun, 22 Jan 2012 07:48:21 +0000
with message-id <e1rosa1-0003e1...@franck.debian.org>
and subject line Bug#559827: fixed in siproxd 1:0.8.1-1
has caused the Debian Bug report #559827,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
559827: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559827
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: siproxd
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool. I have determined that this package embeds a
vulnerable copy of the libtool source code. However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736
--- End Message ---
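
One way to start the check the report asks for, added here as an example and not part of the bug report or the Debian tooling: look for an embedded `ltdl.c` in an unpacked source tree and compare the libtool release against the range quoted in the CVE text. Reading the release from the `VERSION=` line of the tree's `ltmain.sh` is an assumption of this sketch, and the result lines (`AFFECTED`, `ok`, `unknown`) are its own labels.

```shell
#!/bin/sh
# Added example: triage a source tree for an embedded libltdl copy that
# falls in the range the CVE-2009-3736 text gives (1.5.x, 2.2.6 before 2.2.6b).
# Assumption: the libtool release is read from the VERSION= line of the
# ltmain.sh shipped in the tree; this identifies the copy, it does not prove
# the code ends up in a binary package.

# is_affected VERSION: succeed if VERSION is in the affected range.
is_affected() {
    case "$1" in
        1.5|1.5.*)    return 0 ;;   # whole 1.5 series
        2.2.6|2.2.6a) return 0 ;;   # 2.2.6 releases before 2.2.6b
        *)            return 1 ;;
    esac
}

# ltmain_version FILE: print the bare version from the first VERSION= line,
# dropping quotes and any distribution suffix after the first word.
ltmain_version() {
    sed -n 's/^VERSION=//p' "$1" | head -n 1 | tr -d '"' | awk '{print $1}'
}

# scan_tree DIR: one result line per ltmain.sh when DIR carries an ltdl.c.
scan_tree() {
    if ! find "$1" -type f -name ltdl.c | grep -q .; then
        echo "no-embedded-ltdl"
        return 0
    fi
    out=$(find "$1" -type f -name ltmain.sh | sort | while IFS= read -r f; do
        v=$(ltmain_version "$f")
        if [ -z "$v" ]; then echo "unknown - $f"
        elif is_affected "$v"; then echo "AFFECTED $v $f"
        else echo "ok $v $f"
        fi
    done)
    if [ -n "$out" ]; then echo "$out"; else echo "embedded-ltdl version-unknown"; fi
}

# Usage: pass the unpacked source directory as the first argument.
if [ "$#" -gt 0 ]; then scan_tree "$1"; fi
```

An `AFFECTED` line only says the source tree carries a copy in the listed range; whether the binary package links it still has to be confirmed from the build.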
--- Begin Message ---
Source: siproxd
Source-Version: 1:0.8.1-1

We believe that the bug you reported is fixed in the latest version of
siproxd, which is due to be installed in the Debian FTP archive:

siproxd_0.8.1-1.diff.gz
  to main/s/siproxd/siproxd_0.8.1-1.diff.gz
siproxd_0.8.1-1.dsc
  to main/s/siproxd/siproxd_0.8.1-1.dsc
siproxd_0.8.1-1_amd64.deb
  to main/s/siproxd/siproxd_0.8.1-1_amd64.deb
siproxd_0.8.1.orig.tar.gz
  to main/s/siproxd/siproxd_0.8.1.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 559...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <m...@debian.org> (supplier of updated siproxd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 22 Jan 2012 18:18:21 +1100
Source: siproxd
Binary: siproxd
Architecture: source amd64
Version: 1:0.8.1-1
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintain...@lists.alioth.debian.org>
Changed-By: Mark Purcell <m...@debian.org>
Description:
siproxd - SIP proxy/redirect/registrar
Closes: 537272 559827
Changes:
siproxd (1:0.8.1-1) unstable; urgency=low
.
* New upstream release
- fixes CVE-2009-3736 local privilege escalation (Closes: #559827)
- fixed embedded libltdl convenience copy
- Updated libtool (Closes: #537272)
.
* Add init.d-script-missing-dependency-on-remote_fs
* Fix package-lacks-versioned-build-depends-on-debhelper
.
* BUG: FTBFS with system provided libltdl-dev
- Better to ship with libltdl convenience copy - addressing CVE-2009-3736
- lintian error embedded-library
- Build-Conflicts libltdl-dev
- TODO: Fix plugins.c:65: undefined reference to
`lt__PROGRAM__LTX_preloaded_symbols'
- Added debian/siproxd.lintian-overrides
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk8bui8ACgkQoCzanz0IthKwcwCgiKi9bQNjqwyyUdrfyKfncOE6
KK4An3c0BvwrMUuYZGz0EgfCGks4jUZY
=5Hgy
-----END PGP SIGNATURE-----
--- End Message ---