Your message dated Thu, 28 Sep 2017 05:47:09 +0000
with message-id <e1dxrfb-0002hk...@fasolo.debian.org>
and subject line Bug#872436: fixed in db5.3 5.3.28-12+deb9u1
has caused the Debian Bug report #872436,
regarding db5.3: CVE-2017-10140: Berkeley DB reads DB_CONFIG from cwd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
872436: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872436
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: db5.3
Version: 5.3.28-9
Severity: grave
Tags: upstream security

Hi,

the following vulnerability was published for db5.3.

CVE-2017-10140[0]:
Berkeley DB reads DB_CONFIG from cwd

Fedora used the patch in [3], and according to [1], comment #9 this
has been acknowledged by upstream to be a fine solution.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-10140
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10140
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1464032
[2] https://bugzilla.novell.com/show_bug.cgi?id=1043886
[3] https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch

Regards,
Salvatore

--- End Message ---
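A defender's check for the behaviour this report describes, added here and not part of the thread or of the db5.3 package: it compiles a small hypothetical probe against the installed libdb, drops a constructed DB_CONFIG into a scratch directory, and opens an environment there with no home directory to see whether that file is honoured. The function name, the 4 MiB cache marker, the use of `get_cachesize` to observe the effect, and linking with `-ldb` are assumptions of this example.

```shell
#!/bin/sh
# Probe whether the installed libdb honours ./DB_CONFIG when an environment
# is opened with no home directory (the CVE-2017-10140 behaviour).
# Exit status of check_db_config_cwd: 0 = fixed or probe skipped, 1 = vulnerable.
check_db_config_cwd() {
    command -v cc >/dev/null 2>&1 || { echo "skip: no C compiler"; return 0; }
    tmp=$(mktemp -d) || return 0
    # Hypothetical probe (assumption): open an env with db_home == NULL, then
    # read back the cache size. Exit 1 if the 4 MiB marker from DB_CONFIG
    # was applied, 0 if the library kept its own default, 2 on open failure.
    cat >"$tmp/probe.c" <<'EOF'
#include <db.h>
int main(void)
{
    DB_ENV *dbenv;
    u_int32_t gb, b;
    int n;
    if (db_env_create(&dbenv, 0) != 0)
        return 2;
    if (dbenv->open(dbenv, NULL, DB_CREATE | DB_INIT_MPOOL | DB_PRIVATE, 0) != 0)
        return 2;
    dbenv->get_cachesize(dbenv, &gb, &b, &n);
    dbenv->close(dbenv, 0);
    return (gb > 0 || b >= 4194304) ? 1 : 0;
}
EOF
    if ! cc -o "$tmp/probe" "$tmp/probe.c" -ldb 2>/dev/null; then
        echo "skip: libdb headers or library not installed"
        rm -rf "$tmp"; return 0
    fi
    # Constructed DB_CONFIG: asks for a 4 MiB cache, far above libdb's default,
    # so a library that reads it from the cwd is easy to tell apart.
    printf 'set_cachesize 0 4194304 1\n' >"$tmp/DB_CONFIG"
    (cd "$tmp" && ./probe) && rc=0 || rc=$?
    rm -rf "$tmp"
    case $rc in
        0) echo "ok: DB_CONFIG in cwd was ignored (fixed)"; return 0 ;;
        1) echo "VULNERABLE: DB_CONFIG in cwd was honoured"; return 1 ;;
        *) echo "skip: probe could not open an environment"; return 0 ;;
    esac
}
check_db_config_cwd
```

On a host without a compiler or the libdb development files the check reports "skip" and succeeds, so it can run from a fleet audit job without false alarms.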
--- Begin Message ---
Source: db5.3
Source-Version: 5.3.28-12+deb9u1

We believe that the bug you reported is fixed in the latest version of
db5.3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 872...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated db5.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 24 Sep 2017 09:14:53 +0200
Source: db5.3
Binary: db5.3-doc libdb5.3-dev libdb5.3 db5.3-util db5.3-sql-util libdb5.3++ libdb5.3++-dev libdb5.3-tcl libdb5.3-dbg libdb5.3-java-jni libdb5.3-java libdb5.3-java-gcj libdb5.3-java-dev libdb5.3-sql-dev libdb5.3-sql libdb5.3-stl-dev libdb5.3-stl
Architecture: source
Version: 5.3.28-12+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Berkeley DB Group <pkg-db-de...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 872436
Description: 
 db5.3-doc  - Berkeley v5.3 Database Documentation [html]
 db5.3-sql-util - Berkeley v5.3 SQL Database Utilities
 db5.3-util - Berkeley v5.3 Database Utilities
 libdb5.3   - Berkeley v5.3 Database Libraries [runtime]
 libdb5.3++ - Berkeley v5.3 Database Libraries for C++ [runtime]
 libdb5.3++-dev - Berkeley v5.3 Database Libraries for C++ [development]
 libdb5.3-dbg - Berkeley v5.3 Database Libraries [debug]
 libdb5.3-dev - Berkeley v5.3 Database Libraries [development]
 libdb5.3-java - Berkeley v5.3 Database Libraries for Java
 libdb5.3-java-dev - Berkeley v5.3 Database Libraries for Java [development]
 libdb5.3-java-gcj - Berkeley v5.3 Database Libraries for Java (native code)
 libdb5.3-java-jni - Berkeley v5.3 Database Libraries for Java
 libdb5.3-sql - Berkeley v5.3 Database Libraries [SQL runtime]
 libdb5.3-sql-dev - Berkeley v5.3 Database Libraries [SQL development]
 libdb5.3-stl - Berkeley v5.3 Database Libraries [STL runtime]
 libdb5.3-stl-dev - Berkeley v5.3 Database Libraries [STL development]
 libdb5.3-tcl - Berkeley v5.3 Database Libraries for Tcl [module]
Changes:
 db5.3 (5.3.28-12+deb9u1) stretch; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2017-10140: Reads DB_CONFIG from the current working directory.
     Do not access DB_CONFIG when db_home is not set. (Closes: #872436)


--- End Message ---
