Your message dated Thu, 26 Jul 2018 21:17:09 +0000
with message-id <[email protected]>
and subject line Bug#904255: fixed in network-manager-vpnc 1.2.4-4+deb9u1
has caused the Debian Bug report #904255,
regarding network-manager-vpnc: CVE-2018-10900: privilege escalation
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
904255: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904255
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: network-manager-vpnc
Version: 1.2.4-1
Severity: grave
Tags: patch security upstream
Hi,
The following vulnerability was published for network-manager-vpnc.
CVE-2018-10900[0]:
local privilege escalation
A user with enough privileges to create the vpnc connection entry
(group netdev for instance), can use the flaw in network-manager-vpnc
to escalate privileges.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-10900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10900
[1] https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc
Update for stretch is already in preparation.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: network-manager-vpnc
Source-Version: 1.2.4-4+deb9u1
We believe that the bug you reported is fixed in the latest version of
network-manager-vpnc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated
network-manager-vpnc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 22 Jul 2018 14:23:44 +0200
Source: network-manager-vpnc
Binary: network-manager-vpnc network-manager-vpnc-gnome
Architecture: source
Version: 1.2.4-4+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 904255
Description:
network-manager-vpnc - network management framework (VPNC plugin core)
network-manager-vpnc-gnome - network management framework (VPNC plugin GNOME GUI)
Changes:
network-manager-vpnc (1.2.4-4+deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* service: disallow newlines in configuration values (CVE-2018-10900)
(Closes: #904255)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
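
The changelog entry above describes the fix as disallowing newlines in configuration values. The following is an added example, not code from network-manager-vpnc or from the Debian upload, of that kind of check in a writer for a line-oriented "key value" config file. The function names, key names and sample values are hypothetical, and rejecting carriage returns as well is an assumption that goes beyond what the page states.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the project's code): append one "key value"
 * line to a line-oriented config buffer.
 * Returns 0 on success, -1 if key or value is missing or contains a
 * line break, -2 if the buffer is too small. On failure the buffer is
 * left unchanged. */
int write_config_line(char *buf, size_t cap, const char *key, const char *value)
{
    if (!buf || !key || !value || !*key)
        return -1;
    /* A CR or LF inside the value would end the line early, and the rest
     * of the value would be parsed as a separate directive. */
    if (strpbrk(key, "\r\n") || strpbrk(value, "\r\n"))
        return -1;
    size_t used = strlen(buf);
    size_t need = strlen(key) + 1 + strlen(value) + 1; /* "key value\n" */
    if (used >= cap || need >= cap - used)             /* keep room for NUL */
        return -2;
    snprintf(buf + used, cap - used, "%s %s\n", key, value);
    return 0;
}

/* Number of lines in the buffer: one per accepted option. */
int count_lines(const char *buf)
{
    int n = 0;
    for (; *buf; buf++)
        if (*buf == '\n')
            n++;
    return n;
}

int main(void)
{
    char cfg[256] = "";
    /* Constructed sample input; the key names are placeholders. */
    int ok  = write_config_line(cfg, sizeof cfg, "Example-Gateway", "vpn.example.net");
    int bad = write_config_line(cfg, sizeof cfg, "Example-Username",
                                "alice\nExample-Injected yes");
    printf("ok=%d bad=%d lines=%d\n%s", ok, bad, count_lines(cfg), cfg);
    return (ok == 0 && bad == -1) ? 0 : 1;
}
```

The check belongs in the privileged component that writes the file, since values supplied by a less privileged user cannot be assumed to have been validated earlier.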