Your message dated Sat, 02 Dec 2017 19:47:24 +0000
with message-id <e1eldky-000elm...@fasolo.debian.org>
and subject line Bug#874429: fixed in bzr 2.6.0+bzr6595-6+deb8u1
has caused the Debian Bug report #874429,
regarding bzr: CVE-2017-14176: bzr+ssh URLs don't strip SSH options
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
874429: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874429
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: bzr
Version: 2.6.0+bzr6595-6
Severity: grave
Tags: upstream security
Justification: user security hole
Control: fixed -1 2.7.0+bzr6622-7
Hi
This is handled already in unstable with 2.7.0+bzr6622-7, this bug is
to track the issue until the CVE is assigned and properly identified
via a CVE. A CVE was apparently requested, reading LP #1710979.
bzr (2.7.0+bzr6622-7) unstable; urgency=high
* Add patch 27_fix_sec_ssh: Strip out hostnames starting with dash in
bzr+ssh URLs, as they might allow an attacker to provide SSH command-line
flags. LP: #1710979
https://bugs.launchpad.net/bzr/+bug/1710979
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: bzr
Source-Version: 2.6.0+bzr6595-6+deb8u1
We believe that the bug you reported is fixed in the latest version of
bzr, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 874...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated bzr package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 28 Nov 2017 21:44:25 +0100
Source: bzr
Binary: bzr python-bzrlib python-bzrlib-dbg python-bzrlib.tests bzr-doc
Architecture: all source
Version: 2.6.0+bzr6595-6+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Bazaar Maintainers <pkg-bazaar-ma...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 868966 874429
Description:
bzr - easy to use distributed version control system
bzr-doc - easy to use distributed version control system (documentation)
python-bzrlib - distributed version control system - python library
python-bzrlib-dbg - distributed version control system - debug extension
python-bzrlib.tests - distributed version control system - testsuite
Changes:
bzr (2.6.0+bzr6595-6+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Use 'localhost' rather than '127.0.0.1' in SSL certificates, as the latter
trips up pycurl (Closes: #868966)
* Ship a refreshed copy of the ssl certs used in testsuite
* Prevent SSH command line options from being specified in bzr+ssh:// URLs
(CVE-2017-14176) (Closes: #874429)
Checksums-Sha1:
5bc34d5ab52dd87767efeac37c7b495c909fdc33 2914 bzr_2.6.0+bzr6595-6+deb8u1.dsc
8eb8643bb5af86044ffd5535f6f876476085f641 10944820 bzr_2.6.0+bzr6595.orig.tar.gz
478e98979ca4fa232590c9989ce0cfdfb1f54d75 64608 bzr_2.6.0+bzr6595-6+deb8u1.debian.tar.xz
963e48bd61916018de1dbe920fab054a4cfa31c2 54118 bzr_2.6.0+bzr6595-6+deb8u1_all.deb
6a8314e5acf99d59fead6e28ac3eea1d0cf625cb 1029498 python-bzrlib.tests_2.6.0+bzr6595-6+deb8u1_all.deb
51096d0973aaed6b4c971b2cdd0e554c37846320 3837242 bzr-doc_2.6.0+bzr6595-6+deb8u1_all.deb
Checksums-Sha256:
ebe83be4c7036e4f90f0a8ebeab997768fa47f835db5fa8f4de9d880b5c5f251 2914 bzr_2.6.0+bzr6595-6+deb8u1.dsc
0016ae484fa08afad9c13ba83871ab424ff0151dee30064af9dd355ec65bdcec 10944820 bzr_2.6.0+bzr6595.orig.tar.gz
58861deceaa2c9c6e3046b2a705b8150b217dc719e1aaa3e5e26113e291957f3 64608 bzr_2.6.0+bzr6595-6+deb8u1.debian.tar.xz
f8c74a2f21bbe81f10ae82a03fb47ee9ad57015ea7664025df278e95ee1227ee 54118 bzr_2.6.0+bzr6595-6+deb8u1_all.deb
95f7e2a58c731ccf2b9762bb88ab7e41806d8fbaaa76c0bf7f5bfd4ade307338 1029498 python-bzrlib.tests_2.6.0+bzr6595-6+deb8u1_all.deb
93c8bd9a394a8039ee968f723441dda9bd33eeeae3fe43364ee553518d1317ff 3837242 bzr-doc_2.6.0+bzr6595-6+deb8u1_all.deb
Files:
6f24cbb959a797e9b6e7b914bb75940b 2914 vcs optional bzr_2.6.0+bzr6595-6+deb8u1.dsc
ec16d5e0dcb262515c7348c99f6a6891 10944820 vcs optional bzr_2.6.0+bzr6595.orig.tar.gz
66a3127d0dfcbe8944492b39f75dad5d 64608 vcs optional bzr_2.6.0+bzr6595-6+deb8u1.debian.tar.xz
b4dc2da9ae5681200bc89a85d83784ee 54118 vcs optional bzr_2.6.0+bzr6595-6+deb8u1_all.deb
23ac871931ad76e15d392abb2b31ffcb 1029498 python optional python-bzrlib.tests_2.6.0+bzr6595-6+deb8u1_all.deb
dee68949632a1fde379fbb6314aad2b7 3837242 doc optional bzr-doc_2.6.0+bzr6595-6+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
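The fix described in both messages above (patch 27_fix_sec_ssh in unstable, and the jessie-security changelog entry for CVE-2017-14176) comes down to one check: a host taken from a bzr+ssh:// URL must never start with a dash, because ssh would read such a word as a command-line option rather than a host name. The following is an added example, not code from the bzr project or from the Debian patch. It parses a bzr+ssh URL with the standard library, refuses a host (and, as an extension beyond the page, a user part, since a `user@host` word starting with `-` is parsed the same way) that begins with `-`, and assembles the ssh argument vector with the host as the last word before the remote command. The function names, the `UnsafeSshUrl` class, the sample URLs and the remote command are assumptions of this example.

```python
"""Defensive check for bzr+ssh:// URLs (added example, not code from the bzr
project or from Debian's 27_fix_sec_ssh patch).

The vulnerability is that a host beginning with '-' reaches the ssh command
line, where ssh reads it as an option.  This example rejects such a URL
before any process is spawned.  Names and the remote command are assumed.
"""
from urllib.parse import urlsplit


class UnsafeSshUrl(ValueError):
    """The URL would turn into ssh command-line options instead of a host."""


def parse_bzr_ssh_url(url):
    """Split a bzr+ssh URL into user, host, port and path, rejecting
    components that ssh could mistake for options."""
    parts = urlsplit(url)
    if parts.scheme != "bzr+ssh":
        raise ValueError("expected a bzr+ssh URL, got %r" % url)
    host = parts.hostname  # lower-cased, port and user removed
    if not host:
        raise ValueError("bzr+ssh URL has no host: %r" % url)
    user = parts.username
    # The core check for CVE-2017-14176: a host that starts with a dash is
    # an ssh option in disguise.  The user part gets the same check (an
    # extension beyond the Debian changelog), because a 'user@host' word
    # that starts with '-' would be parsed the same way.
    for label, value in (("host", host), ("user", user)):
        if value is not None and value.startswith("-"):
            raise UnsafeSshUrl("%s %r starts with '-'" % (label, value))
    return {
        "user": user,
        "host": host,
        "port": parts.port,  # int or None; raises ValueError if not numeric
        "path": parts.path or "/",
    }


def is_safe_bzr_ssh_url(url):
    """True when the URL parses and passes the dash check."""
    try:
        parse_bzr_ssh_url(url)
    except ValueError:  # UnsafeSshUrl is a ValueError as well
        return False
    return True


def build_ssh_argv(url, remote_command=("bzr", "serve", "--inet")):
    """Assemble the ssh command line: options first, host last, then the
    remote command.  'remote_command' is an assumed placeholder, not the
    exact command bzr runs."""
    info = parse_bzr_ssh_url(url)  # raises before anything is executed
    argv = ["ssh"]
    if info["port"] is not None:
        argv += ["-p", str(info["port"])]
    if info["user"] is not None:
        argv += ["-l", info["user"]]  # keeps the user out of the host word
    argv.append(info["host"])  # host is the only positional before the command
    argv += list(remote_command)
    return argv


if __name__ == "__main__":
    # Constructed sample URLs: one ordinary, one with a dash-leading host.
    for sample in ("bzr+ssh://alice@example.org:2222/srv/repo",
                   "bzr+ssh://-host/repo"):
        print(sample, "->", "safe" if is_safe_bzr_ssh_url(sample) else "rejected")
```

Rejecting the URL outright, rather than silently stripping the dash, keeps the failure visible to the user and to logs; the changelog's "prevent ... from being specified" is satisfied either way, and the important property is that nothing beginning with `-` is ever placed in the host position of the ssh argv.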