Your message dated Sat, 02 Dec 2017 19:32:08 +0000
with message-id <e1eldwc-000ced...@fasolo.debian.org>
and subject line Bug#874429: fixed in bzr 2.7.0+bzr6619-7+deb9u1
has caused the Debian Bug report #874429,
regarding bzr: CVE-2017-14176: bzr+ssh URLs don't strip SSH options
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
874429: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874429
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bzr
Version: 2.6.0+bzr6595-6
Severity: grave
Tags: upstream security
Justification: user security hole
Control: fixed -1 2.7.0+bzr6622-7
Hi
This is handled already in unstable with 2.7.0+bzr6622-7, this bug is
to track the issue until the CVE is assigned and properly identified
via a CVE. A CVE was apparently requested, reading LP #1710979.
bzr (2.7.0+bzr6622-7) unstable; urgency=high
* Add patch 27_fix_sec_ssh: Strip out hostnames starting with dash in
bzr+ssh URLs, as they might allow an attacker to provide SSH command-
line flags. LP: #1710979
https://bugs.launchpad.net/bzr/+bug/1710979
Regards,
Salvatore
--- End Message ---
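The check described in the changelog entry above, as an added example rather than bzr's own patch: a bzr+ssh:// URL whose hostname begins with a dash is refused before any ssh argument list is built, so it can never be read by ssh as an option. It goes slightly beyond the quoted fix by also refusing a dash-prefixed username and ending ssh option parsing with "--"; the function names and sample URLs are assumptions.

```python
"""Added example (not bzrlib code): validate bzr+ssh:// URLs so that no
component of them can be parsed as an ssh command-line option."""
from urllib.parse import urlsplit


class UnsafeSshUrl(ValueError):
    """Raised when a URL component would be read by ssh as an option."""


def parse_bzr_ssh_url(url):
    """Return (user, host, port, path) for a bzr+ssh:// URL, or raise.

    Both the hostname and the username end up in ssh's argv; a value
    starting with '-' there is the CVE-2017-14176 pattern, so refuse it.
    """
    parts = urlsplit(url)
    if parts.scheme != "bzr+ssh":
        raise ValueError("not a bzr+ssh URL: %r" % url)
    host = parts.hostname or ""
    user = parts.username
    if not host:
        raise UnsafeSshUrl("missing host in %r" % url)
    for label, value in (("host", host), ("user", user)):
        if value is not None and value.startswith("-"):
            raise UnsafeSshUrl("%s %r looks like an ssh option" % (label, value))
    return user, host, parts.port, parts.path


def is_safe_bzr_ssh_url(url):
    """True if the URL passes the checks above (UnsafeSshUrl is a ValueError)."""
    try:
        parse_bzr_ssh_url(url)
    except ValueError:
        return False
    return True


def build_ssh_argv(url, remote_command=("bzr", "serve", "--inet")):
    """Build an argv list for ssh from a validated URL, with no shell involved.

    The '--' ends ssh option parsing, a second line of defence behind the
    validation: even a stray dash-prefixed target is then a hostname, not a flag.
    """
    user, host, port, _path = parse_bzr_ssh_url(url)
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]  # constructed example; port is taken from the URL
    target = host if user is None else "%s@%s" % (user, host)
    argv += ["--", target] + list(remote_command)
    return argv
```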
--- Begin Message ---
Source: bzr
Source-Version: 2.7.0+bzr6619-7+deb9u1
We believe that the bug you reported is fixed in the latest version of
bzr, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 874...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated bzr package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Mon, 27 Nov 2017 21:12:18 +0100
Source: bzr
Binary: bzr python-bzrlib python-bzrlib-dbg python-bzrlib.tests bzr-doc
Architecture: source
Version: 2.7.0+bzr6619-7+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Bazaar Maintainers <pkg-bazaar-ma...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
bzr - easy to use distributed version control system
bzr-doc - easy to use distributed version control system (documentation)
python-bzrlib - distributed version control system - python library
python-bzrlib-dbg - distributed version control system - debug extension
python-bzrlib.tests - distributed version control system - testsuite
Closes: 868966 874429
Changes:
bzr (2.7.0+bzr6619-7+deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Use 'localhost' rather than '127.0.0.1' in SSL certificates, as the latter
trips up pycurl (Closes: #868966)
* Ship a refreshed copy of the ssl certs used in testsuite
* Prevent SSH command line options from being specified in bzr+ssh:// URLs
(CVE-2017-14176) (Closes: #874429)
--- End Message ---