Your message dated Thu, 29 Dec 2005 01:32:07 -0800 with message-id <[EMAIL PROTECTED]> and subject line Bug#226139: fixed in amanda 1:2.4.5p1-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Ben Hutchings <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: amanda-server: chg-manual makes insecure use of /tmp
X-Mailer: reportbug 1.50
Date: Sun, 04 Jan 2004 15:00:01 +0000

Package: amanda-server
Version: 1:2.4.4p1-2
Severity: normal
Tags: security

chg-manual logs to /tmp/amanda/changer.debug if there is a /tmp/amanda directory.
An attacker could carry out a denial of service by creating this file as a link to some other file used by backup, or could possibly obtain sensitive information.

I think that the file name should be changed to /var/log/amanda/changer.debug and that it should be used iff this file already exists (not the directory, since it should always exist).

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux shadbolt 2.4.20 #1 Sun Aug 10 23:19:12 BST 2003 i586
Locale: LANG=en_GB, LC_CTYPE=en_GB

Versions of packages amanda-server depends on:
ii  amanda-common  1:2.4.4p1-2              Advanced Maryland Automatic Networ
ii  libc6          2.3.2.ds1-10             GNU C Library: Shared libraries an
ii  libncurses5    5.3.20030719-1           Shared libraries for terminal hand
ii  libreadline4   4.3-5                    GNU readline and history libraries
ii  mailx          1:8.1.2-0.20020411cvs-1  A simple mail user agent.

---------------------------------------
From: Bdale Garbee <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#226139: fixed in amanda 1:2.4.5p1-1
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 29 Dec 2005 01:32:07 -0800

Source: amanda
Source-Version: 1:2.4.5p1-1

We believe that the bug you reported is fixed in the latest version of amanda, which is due to be installed in the Debian FTP archive:

amanda-client_2.4.5p1-1_i386.deb
  to pool/main/a/amanda/amanda-client_2.4.5p1-1_i386.deb
amanda-common_2.4.5p1-1_i386.deb
  to pool/main/a/amanda/amanda-common_2.4.5p1-1_i386.deb
amanda-server_2.4.5p1-1_i386.deb
  to pool/main/a/amanda/amanda-server_2.4.5p1-1_i386.deb
amanda_2.4.5p1-1.diff.gz
  to pool/main/a/amanda/amanda_2.4.5p1-1.diff.gz
amanda_2.4.5p1-1.dsc
  to pool/main/a/amanda/amanda_2.4.5p1-1.dsc
amanda_2.4.5p1.orig.tar.gz
  to pool/main/a/amanda/amanda_2.4.5p1.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <[EMAIL PROTECTED]> (supplier of updated amanda package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Thu, 29 Dec 2005 01:36:23 -0700
Source: amanda
Binary: amanda-client amanda-server amanda-common
Architecture: source i386
Version: 1:2.4.5p1-1
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <[EMAIL PROTECTED]>
Changed-By: Bdale Garbee <[EMAIL PROTECTED]>
Description:
 amanda-client - Advanced Maryland Automatic Network Disk Archiver (Client)
 amanda-common - Advanced Maryland Automatic Network Disk Archiver (Libs)
 amanda-server - Advanced Maryland Automatic Network Disk Archiver (Server)
Closes: 168229 185312 186285 219656 226139 234173 297690 339588
Changes:
 amanda (1:2.4.5p1-1) unstable; urgency=low
 .
   * new upstream version
   * add --with-debugging=/var/log/amanda to avoid potentially insecure use of /tmp, closes: #226139
   * fix typo in chg-null.sh.in causing it to not use AMANDA_DBGDIR definition
   * patch chg-null.sh.in to use defined value of tapedev, closes: #219656
   * patch from Jan Nordholz to fix off-by-one error, closes: #339588
   * fix misleading usage example in amtoc man page, closes: #297690
   * add a note to amanda-server's README.Debian about how to keep missing exclude files from making tar not work, closes: #168229, #185312, #186285
   * fix bogus reported sizes when using dump caused by assuming dump is reporting 512 byte instead of 1k blocks, closes: #234173 Debian reports results in 1k, not 512-byte blocks,
   * remove globbing example from amanda man page that is hopelessly broken and generating man errors
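
The logging decision discussed in the bug report, as an added example that is not part of the original messages and is not Amanda's chg-manual code: a shell sketch contrasting the directory-exists check with the reporter's file-exists suggestion, hardened with symlink, ownership and directory-permission tests. The function names, the sandbox layout and the backup-state file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Amanda's chg-manual code; all names are hypothetical.

# Weak pattern from the report: log whenever the debug directory exists.
# Under /tmp any local user can create it and pre-plant the log file name.
weak_log_target() {
    if [ -d "$1" ]; then echo "$1/changer.debug"; else echo /dev/null; fi
}

# Reporter's suggestion, hardened: log only to a file that already exists,
# is a regular file and not a symlink, is owned by the invoking user, and
# sits in a directory that is not world-writable.
safe_log_target() {
    dir=$(dirname -- "$1")
    if [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] &&
       [ -z "$(find "$dir" -prune -perm -0002 2>/dev/null)" ]; then
        echo "$1"
    else
        echo /dev/null
    fi
}

# Constructed sandbox: $box/tmp stands in for /tmp, $box/log for
# /var/log/amanda, $box/backup-state for a file the backup depends on.
demo() {
    box=$(mktemp -d) || return 1
    mkdir -m 1777 "$box/tmp" || return 1
    mkdir -m 0755 "$box/log" "$box/tmp/amanda" || return 1
    : > "$box/backup-state"
    ln -s "$box/backup-state" "$box/tmp/amanda/changer.debug"  # planted link
    : > "$box/log/changer.debug"              # admin opted in to logging

    echo "debug line" >> "$(weak_log_target "$box/tmp/amanda")"
    if [ -s "$box/backup-state" ]; then
        echo "weak check: debug output landed in backup-state via the link"
    fi
    echo "safe check, planted link: $(safe_log_target "$box/tmp/amanda/changer.debug")"
    echo "safe check, opted-in file: $(safe_log_target "$box/log/changer.debug")"
    rm -rf "$box"
}

demo
```

The tests in safe_log_target are only meaningful because the log directory is not writable by other users; in a world-writable directory a check-then-open sequence can be raced.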