Your message dated Wed, 01 Mar 2017 13:49:16 +0000
with message-id <[email protected]>
and subject line Bug#856479: fixed in srst2 0.2.0-4
has caused the Debian Bug report #856479,
regarding srst2: insecure handling of system calls
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
856479: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856479
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: srst2
Version: 0.2.0-3
Severity: grave
Tags: patch security
Justification: user security hole

Hi,

srst2 uses os.popen with unquoted strings, allowing users to inject system
calls by preparing specifically designed fasta sequence names containing
'(', ')', ';' characters and others. A patch fixing this is just in
packaging SVN and will be uploaded right after the bug is published.

Kind regards

      Andreas.

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
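The report above describes os.popen being handed a command string into which an unquoted FASTA sequence name was interpolated. The following is an added illustration of that bug class, not srst2's own code and not the patch Andreas uploaded: the grep-based counting command and the helper names are hypothetical, and the FASTA records are constructed. It shows the vulnerable pattern next to two hardened forms, and uses a sequence name whose injected command merely creates a marker file so the effect is observable:

```python
import os
import shlex
import subprocess
import tempfile


def hostile_name(marker_path):
    """Constructed FASTA record name in the style of the report: it closes the
    quote the caller opened, appends a command, and reopens a quote so the rest
    of the template still parses. The payload only touches a marker file."""
    return "gene2'; touch %s; echo '" % marker_path


def write_fasta(names, directory):
    """Write a small constructed FASTA file with one record per name."""
    path = os.path.join(directory, "alleles.fasta")
    with open(path, "w") as fh:
        for name in names:
            fh.write(">%s\nACGTACGTACGT\n" % name)
    return path


def _first_int(text):
    """grep -c prints the count on its first line; anything after that is
    stray output from commands an injection tacked on."""
    lines = text.splitlines()
    return int(lines[0].strip()) if lines else 0


def _run(argv_or_cmd, shell):
    # stdin is closed so a grep that lost its file argument cannot block.
    proc = subprocess.run(argv_or_cmd, shell=shell, stdin=subprocess.DEVNULL,
                          stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                          universal_newlines=True)
    return _first_int(proc.stdout)


def count_unsafe(name, fasta_path):
    """Vulnerable pattern from the report: the untrusted name is spliced into a
    shell command string. os.popen(cmd) would behave the same; shell=True is
    used here only so stdin can be closed."""
    cmd = "grep -c '>%s' %s" % (name, fasta_path)
    return _run(cmd, shell=True)


def count_safe(name, fasta_path):
    """Hardened: argv list, no shell. The name reaches grep as exactly one
    argument whatever characters it contains."""
    return _run(["grep", "-c", ">" + name, fasta_path], shell=False)


def count_quoted(name, fasta_path):
    """If a shell is genuinely needed (pipelines, redirections), quote every
    untrusted piece with shlex.quote before building the command string."""
    cmd = "grep -c %s %s" % (shlex.quote(">" + name), shlex.quote(fasta_path))
    return _run(cmd, shell=True)


def run_variant(counter):
    """Exercise one counting strategy against a constructed FASTA file.
    Returns (count for a plain name, count for the hostile name,
    whether the injected 'touch' actually created the marker)."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "INJECTED")
        hostile = hostile_name(marker)
        fasta = write_fasta(["gene1", hostile], tmp)
        plain = counter("gene1", fasta)
        crafted = counter(hostile, fasta)
        return plain, crafted, os.path.exists(marker)


if __name__ == "__main__":
    for counter in (count_unsafe, count_safe, count_quoted):
        print(counter.__name__, run_variant(counter))
```

Running the block directly shows the marker file appearing only for count_unsafe, where the hostile name also makes grep lose its file argument and report 0 matches; the argv form is the fix to prefer, with shlex.quote as the fallback when the command really needs shell features such as a pipeline.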
--- Begin Message ---
Source: srst2
Source-Version: 0.2.0-4

We believe that the bug you reported is fixed in the latest version of
srst2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille <[email protected]> (supplier of updated srst2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 01 Mar 2017 14:23:12 +0100
Source: srst2
Binary: srst2
Architecture: source amd64
Version: 0.2.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <[email protected]>
Changed-By: Andreas Tille <[email protected]>
Description:
 srst2      - Short Read Sequence Typing for Bacterial Pathogens
Closes: 856479
Changes:
 srst2 (0.2.0-4) unstable; urgency=medium
 .
   * Do not fail if search string contains special shell characters
     Closes: #856479
Checksums-Sha1:
 dabf6e186d872ffe98ddcdb18f74e253dfb3288e 2120 srst2_0.2.0-4.dsc
 473534c01dc07936861f9a6ed3340b393e466fc6 9144 srst2_0.2.0-4.debian.tar.xz
 a39dd678252580fff8057aa394dd1951901bbf01 6109 srst2_0.2.0-4_amd64.buildinfo
 b25f62ae9e29dc7119ac76ee6c0c977e2189eaeb 60526 srst2_0.2.0-4_amd64.deb
Checksums-Sha256:
 b931e6031f6cae834d583a424fa237ff71568b1b2788905238dced8618911676 2120 srst2_0.2.0-4.dsc
 8bf33c24c87d94e36d337e422009a41a3def007ae780484e424865f3892667bd 9144 srst2_0.2.0-4.debian.tar.xz
 e156155b64a80db9e467e787c9ca53fc1fbf83f84c77709674f0d3d0d5ccc689 6109 srst2_0.2.0-4_amd64.buildinfo
 a7657978a2094676ddfe144a020eb7d5c5f008058f66a7fcb2551f0165b0d207 60526 srst2_0.2.0-4_amd64.deb
Files:
 083bfd8f0f0130c842983e8b745a5595 2120 science optional srst2_0.2.0-4.dsc
 3b67b50c9df03e6666ec43afef3713fd 9144 science optional srst2_0.2.0-4.debian.tar.xz
 a1dce05680da41a578ec2f4f1b06f525 6109 science optional srst2_0.2.0-4_amd64.buildinfo
 ef52463297650aeafd64ca4a8e6f3373 60526 science optional srst2_0.2.0-4_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCAAvFiEE8fAHMgoDVUHwpmPKV4oElNHGRtEFAli2zHQRHHRpbGxlQGRl
Ymlhbi5vcmcACgkQV4oElNHGRtHUrw/8C4g94Ws8dd7XM1l8uJQgkgloW3FPow/h
lk1tXxu2AIlxrnKjICXG4BuzatXsvzr/9JvJdPaXh8PyAxswnmZo363E8xypm2qx
0DMuAxoUrH7x8wJ8T8yC/lxggbJoqY+eCFuseTiVh2+juFOtkowlPfOb4ei3jkJU
2442dwoySX0wSmo9yWE7WvqP6uAJldcQCYSr+c0t7rHTDMKP8Jh+pSFeejV4T5vJ
WsMIA0oVPknLWnS/OyIDnyhlmexjQxD/ZjoLeOV1tJ0EIe85K5/ziQbrVqLWeD1K
DJs3xO0kmlnNnIB/cDGIyJMddiBFW7y1hMqbEhqT+p+miT+vx8bcS7jZ04huJG/x
UW8Vd6YwASGtF3MprzoBRIWSzlfg/ihiuxtLh39ig8yoCDSHMbW1L7pfLkRjo/FH
A9/2FNQKXtxcKlv659x1IaY5EGvtZ3mU93cFlvx5LoYta8TX9euB7iWt9DTr2pbH
ktcS6jeyweXp1Movmi9DfPLe2iPHj6GPHBotM+INPeVrEeM51xnrY4ufkjh1D+QI
6JeK5RCXRzTjz9boiq7qGD2IfvhwoYB2zb1ZkyEzp9ijleeIEubGN7207PCsR23F
BxFi+Ll4Y4Ij/1cC1IPmRjHPZr7KtyVmnhCIyrOU+a1mzUFoduPRsml/oIVLufYs
Pz8pd2fVfgg=
=IhGV
-----END PGP SIGNATURE-----
--- End Message ---

