Debian Bug report logs - #439392
backup-manager: password disclosure in backup uploads
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Alexis Sukrieh <sukria@debian.org>: Bug#439392; Package backup-manager.
Acknowledgement sent to Micha Lenk <micha@lenk.info>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Alexis Sukrieh <sukria@debian.org>.

Message #5 received at submit@bugs.debian.org:
Package: backup-manager
Version: 0.7.5-3
Severity: critical
Tags: security
Justification: root security hole
Hi,
I just discovered that backup-manager discloses the FTP password
during a running FTP upload in the process list.
A user who has shell access on the computer simply needs to run the command
    ps wax | grep backup-manager
to get the FTP username, hostname and password. The output is something
like (I replaced here the sensitive data by FTPHOST, FTPUSER and FTPPASS):
    3796 pts/1 SN+ 0:00 /bin/bash /usr/sbin/backup-manager -v
    12647 pts/1 RN+ 0:47 /usr/bin/perl /usr/bin/backup-manager-upload -v --ftp-purge -m=ftp -h=FTPHOST -u=FTPUSER -p=FTPPASS ...
With this data the attacking user is able to log in to the same FTP
space where the archives created by backup-manager are uploaded to. So
the attacking user is also able to simply download these archives and
extract them as a normal user -- with full access to all included files,
even to those originally accessible by root only. :-(
Have a nice day
Micha
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages backup-manager depends on:
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
ii findutils 4.2.28-1 utilities for finding files--find,
ii gzip 1.3.5-15 The GNU compression utility
ii ucf 2.0020 Update Configuration File: preserv
backup-manager recommends no packages.
-- debconf information excluded
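
Added example, not part of the original report or of backup-manager: a shell check for the exposure reported above. It scans `ps wax`-style lines for secret-bearing options such as the `-p=` argument of backup-manager-upload and reports them with the value redacted. The sample lines are constructed from the output quoted in the report; the option patterns and function names are assumptions.

```shell
#!/bin/sh
# Added example: flag secrets exposed as command-line arguments, which any
# local user can read from the process list.

# Constructed sample modelled on the `ps wax` output quoted in the report.
# FTPHOST, FTPUSER and FTPPASS are the reporter's placeholders; the -d value
# and the third line (an invocation without -p) are made up for illustration.
sample_ps_output() {
    cat <<'EOF'
 3796 pts/1    SN+    0:00 /bin/bash /usr/sbin/backup-manager -v
12647 pts/1    RN+    0:47 /usr/bin/perl /usr/bin/backup-manager-upload -v --ftp-purge -m=ftp -h=FTPHOST -u=FTPUSER -p=FTPPASS -d=/backups
12701 pts/1    RN+    0:02 /usr/bin/perl /usr/bin/backup-manager-upload -v -m=ftp -h=FTPHOST -u=FTPUSER -d=/backups
EOF
}

# Read `ps wax`-style lines (PID TTY STAT TIME COMMAND...) on stdin and print
# one "PID<TAB>program<TAB>option=<redacted>" line per secret-bearing argument.
# The option list (-p=, --pass=, --password=, --secret=, --secret-key=) is an
# assumption; extend it for the tools you run. The value is never printed.
find_argv_secrets() {
    awk '
    {
        prog = $5
        # For interpreter-run scripts, report the script rather than perl/sh.
        if (prog ~ /\/(perl|bash|sh|python[0-9.]*)$/ && NF >= 6 && $6 !~ /^-/)
            prog = $6
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^(-p|--pass(word)?|--secret(-key)?)=./) {
                opt = $i
                sub(/=.*/, "", opt)        # keep the option name only
                printf "%s\t%s\t%s=<redacted>\n", $1, prog, opt
            }
        }
    }'
}

# Live check of the local process table (same column layout as the sample).
scan_live() {
    ps axww | find_argv_secrets
}

# Stand-alone run over the constructed sample.
sample_ps_output | find_argv_secrets
```

Run `scan_live` from an unprivileged account while a backup job is uploading; an empty result for backup-manager-upload is what the fixed packages should give.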

Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>: Bug#439392; Package backup-manager.
Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>: Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>.

Message #12 received at 439392@bugs.debian.org:
Hello,
A fix has been proposed and is waiting for approval by the development
team upstream. We would very much welcome Debian's point of view on the
solution submitted here.
patch:
http://bugzilla.backup-manager.org/cgi-bin/attachment.cgi?id=64
use private temp file for passing the password to b-m-u
This way we hide the password in a file which is readable only by the
user who launched backup-manager, and saved in his home directory.
backup-manager-upload is passed the path to that file instead of the
password itself.
Feel free to comment.
Regards,
--
Alexis Sukrieh
Message sent on to Micha Lenk <micha@lenk.info>: Bug#439392.

Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>: Bug#439392; Package backup-manager.
Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>: Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>.

Message #20 received at 439392@bugs.debian.org:
Alexis Sukrieh wrote:
> Hello,
>
> A fix has been proposed and is waiting for approval by the development
> team upstream. We would very much welcome Debian's point of view on the
> solution submitted here.
Please ignore that patch. There is a cleaner solution, which is using the
environment variable already exported by the first script.
Sorry for the noise.
The patch that will be provided upstream will be about reading
$ENV{BM_UPLOAD_FTP_PASSWORD} instead of taking it from the command line.
Regards.
--
Alexis Sukrieh
Message sent on to Micha Lenk <micha@lenk.info>: Bug#439392.

Reply sent to Alexis Sukrieh <sukria@debian.org>: You have taken responsibility.
Notification sent to Micha Lenk <micha@lenk.info>: Bug acknowledged by developer.

Message #28 received at 439392-close@bugs.debian.org:
Source: backup-manager
Source-Version: 0.7.6-3
We believe that the bug you reported is fixed in the latest version of
backup-manager, which is due to be installed in the Debian FTP archive:
backup-manager-doc_0.7.6-3_all.deb
to pool/main/b/backup-manager/backup-manager-doc_0.7.6-3_all.deb
backup-manager_0.7.6-3.diff.gz
to pool/main/b/backup-manager/backup-manager_0.7.6-3.diff.gz
backup-manager_0.7.6-3.dsc
to pool/main/b/backup-manager/backup-manager_0.7.6-3.dsc
backup-manager_0.7.6-3_all.deb
to pool/main/b/backup-manager/backup-manager_0.7.6-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 439392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexis Sukrieh <sukria@debian.org> (supplier of updated backup-manager package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 30 Aug 2007 18:24:14 +0200
Source: backup-manager
Binary: backup-manager backup-manager-doc
Architecture: source all
Version: 0.7.6-3
Distribution: unstable
Urgency: high
Maintainer: Alexis Sukrieh <sukria@debian.org>
Changed-By: Alexis Sukrieh <sukria@debian.org>
Description:
backup-manager - command-line backup tool
backup-manager-doc - documentation package for Backup Manager
Closes: 439392
Changes:
backup-manager (0.7.6-3) unstable; urgency=high
.
* Backport from the stable upstream branch for closing a security issue
(password disclosure during FTP uploads).
(closes: #439392)
Files:
a0a7141e7f973718eb493d9896521dc3 744 admin optional backup-manager_0.7.6-3.dsc
a0f986c3b4a015b63786f4ab124efb8e 82039 admin optional backup-manager_0.7.6-3.diff.gz
6d1c683b8896acad01d013e31259b118 114594 admin optional backup-manager_0.7.6-3_all.deb
31f731a074c1e0bd69725ca1aaf69a14 212468 doc optional backup-manager-doc_0.7.6-3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----

Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>: Bug#439392; Package backup-manager.
Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>: Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>.

Message #33 received at 439392@bugs.debian.org:
[Message part 1 (text/plain, inline)]
Alexis Sukrieh wrote:
> The patch that will be provided upstream will be about reading
> $ENV{BM_UPLOAD_FTP_PASSWORD} instead of taking it from the command line.
Hi,
I've just uploaded a patched version to sid (0.7.6-4) and have prepared
a fix for the stable package.
Find attached a patch to apply to the stable package (0.7.5-3).
I also attached the .dsc and .diff.gz resulting from the build for stable.
Feel free to tell me if you need anything else for closing the bug in
stable.
PS: I did as it's documented in the developer's reference and did not
upload anything to stable-proposed-update as this is about security:
http://www.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-bug-security
I hope I did right.
Regards,
--
Alexis Sukrieh
[backup-manager-patch.439392.diff (text/plain, inline)]
diff -ubBrN backup-manager-0.7.5-3/debian/changelog backup-manager-0.7.5-4/debian/changelog
--- backup-manager-0.7.5-3/debian/changelog 2007-08-30 18:51:51.000000000 +0200
+++ backup-manager-0.7.5-4/debian/changelog 2007-08-30 18:51:38.000000000 +0200
@@ -1,3 +1,10 @@
+backup-manager (0.7.5-4) stable; urgency=low
+
+ * Backport from unstable (version 0.7.6-4) for closing a security issue: FTP
+ password disclosure during FTP uploads.
+
+ -- Alexis Sukrieh <sukria@debian.org> Thu, 30 Aug 2007 18:44:17 +0200
+
backup-manager (0.7.5-3) unstable; urgency=low
* Fixed typo in the spanish debconf translation (thanks to David Gil).
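Review bot: The new 0.7.5-4 changelog entry is headed "stable; urgency=low" and carries no "(closes: #439392)", which undersells a password-disclosure fix and leaves the upload unlinked from the bug. For a security backport the header should target the security suite with urgency=high, and the entry should reference the bug number so the tracker closes it on upload.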
diff -ubBrN backup-manager-0.7.5-3/debian/patches/00list backup-manager-0.7.5-4/debian/patches/00list
--- backup-manager-0.7.5-3/debian/patches/00list 2007-08-30 18:51:51.000000000 +0200
+++ backup-manager-0.7.5-4/debian/patches/00list 2007-08-30 18:51:38.000000000 +0200
@@ -3,3 +3,4 @@
04_backup-manager.conf.tpl.dpatch
05_cdrecord_to_wodim.dpatch
06_VERSION.dpatch
+07_security_439392.dpatch
diff -ubBrN backup-manager-0.7.5-3/debian/patches/07_security_439392.dpatch backup-manager-0.7.5-4/debian/patches/07_security_439392.dpatch
--- backup-manager-0.7.5-3/debian/patches/07_security_439392.dpatch 1970-01-01 01:00:00.000000000 +0100
+++ backup-manager-0.7.5-4/debian/patches/07_security_439392.dpatch 2007-08-30 18:51:38.000000000 +0200
@@ -0,0 +1,58 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 07_security_439392.dpatch by Alexis Sukrieh <sukria@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Backport from unstable for closing the security issue (bug #439392)
+
+@DPATCH@
+diff -urNad backup-manager-0.7.5~/backup-manager-upload backup-manager-0.7.5/backup-manager-upload
+--- backup-manager-0.7.5~/backup-manager-upload 2006-09-16 18:48:17.000000000 +0200
++++ backup-manager-0.7.5/backup-manager-upload 2007-08-30 18:43:03.000000000 +0200
+@@ -904,13 +904,24 @@
+ }
+
+ if ($g_protocol eq 'ftp' and not defined $g_pass) {
+- print $BackupManager::Config::usage, "\n";
+- exit E_INVALID;
++ # try to read the password from the environment
++ if (defined $ENV{BM_UPLOAD_FTP_PASSWORD}) {
++ $g_pass = $ENV{BM_UPLOAD_FTP_PASSWORD};
++ }
++ else {
++ print $BackupManager::Config::usage, "\n";
++ exit E_INVALID;
++ }
+ }
+
+ if ($g_protocol eq 's3' and (not defined $g_bucket or not defined $g_pass)) {
+- print $BackupManager::Config::usage, "\n";
+- exit E_INVALID;
++ if (! defined $g_pass && defined $ENV{BM_UPLOAD_S3_SECRET_KEY}) {
++ $g_pass = $ENV{BM_UPLOAD_S3_SECRET_KEY};
++ }
++ else {
++ print $BackupManager::Config::usage, "\n";
++ exit E_INVALID;
++ }
+ }
+
+ if ($g_protocol eq 'ssh-gpg' and (not defined $g_gpg_recipient)) {
+diff -urNad backup-manager-0.7.5~/lib/upload-methods.sh backup-manager-0.7.5/lib/upload-methods.sh
+--- backup-manager-0.7.5~/lib/upload-methods.sh 2006-09-16 18:48:17.000000000 +0200
++++ backup-manager-0.7.5/lib/upload-methods.sh 2007-08-30 18:42:16.000000000 +0200
+@@ -133,7 +133,6 @@
+ -m="ftp" \
+ -h="$bm_upload_hosts" \
+ -u="$BM_UPLOAD_FTP_USER" \
+- -p="$BM_UPLOAD_FTP_PASSWORD" \
+ -d="$BM_UPLOAD_FTP_DESTINATION" \
+ -r="$BM_REPOSITORY_ROOT" today 2>$logfile||
+ error "Error reported by backup-manager-upload for method \"ftp\", check \"\$logfile\"."
+@@ -164,7 +163,6 @@
+ -m="s3" \
+ -h="$bm_upload_hosts" \
+ -u="$BM_UPLOAD_S3_ACCESS_KEY" \
+- -p="$BM_UPLOAD_S3_SECRET_KEY" \
+ -b="$BM_UPLOAD_S3_DESTINATION" \
+ -r="$BM_REPOSITORY_ROOT" today 2>$logfile ||
+ error "Error reported by backup-manager-upload for method \"s3\", check \"\$logfile\"."
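Review bot: In the s3 branch of backup-manager-upload the new inner test looks only at $g_pass, so when $g_bucket is undefined and BM_UPLOAD_S3_SECRET_KEY is set the script now continues without a bucket instead of printing the usage text and exiting with E_INVALID as it did before. Fill $g_pass from the environment first, then keep the original combined check on $g_bucket and $g_pass unchanged. Separately, the upload-methods.sh hunks drop -p= on the assumption that BM_UPLOAD_FTP_PASSWORD and BM_UPLOAD_S3_SECRET_KEY are exported to the child process; that export is not visible in these hunks and is worth confirming, since without it every FTP and S3 upload would end in the usage error.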
[backup-manager_0.7.5-4.diff.gz (application/x-gzip, inline)]
[backup-manager_0.7.5-4.dsc (text/plain, inline)]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.0
Source: backup-manager
Binary: backup-manager, backup-manager-doc
Architecture: all
Version: 0.7.5-4
Maintainer: Alexis Sukrieh <sukria@debian.org>
Standards-Version: 3.7.2
Build-Depends: po-debconf, debhelper (>= 5), dpatch
Build-Depends-Indep: debiandoc-sgml, tetex-bin, tetex-extra
Files:
76e1c9cea0b8fb210d3862fd89e09c08 159855 backup-manager_0.7.5.orig.tar.gz
1a5a05204716f704b1cc92b7c774bcdd 97176 backup-manager_0.7.5-4.diff.gz
Vcs-Svn: svn://svn.debian.org/svn/pkg-backup-mngr/trunk/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----
[backup-manager_0.7.5-4_i386.changes (text/plain, inline)]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 30 Aug 2007 18:44:17 +0200
Source: backup-manager
Binary: backup-manager backup-manager-doc
Architecture: source all
Version: 0.7.5-4
Distribution: stable
Urgency: low
Maintainer: Alexis Sukrieh <sukria@debian.org>
Changed-By: Alexis Sukrieh <sukria@debian.org>
Description:
backup-manager - command-line backup tool
backup-manager-doc - documentation package for Backup Manager
Changes:
backup-manager (0.7.5-4) stable; urgency=low
.
* Backport from unstable (version 0.7.6-4) for closing a security issue: FTP
password disclosure during FTP uploads.
Files:
e54f240d0f2f6d5883be06564ce607e4 744 admin optional backup-manager_0.7.5-4.dsc
1a5a05204716f704b1cc92b7c774bcdd 97176 admin optional backup-manager_0.7.5-4.diff.gz
901d1a4754e836a965378b87fd7073c3 109546 admin optional backup-manager_0.7.5-4_all.deb
6345abaf592fcb35e4594d31677010dd 206202 doc optional backup-manager-doc_0.7.5-4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----

Information forwarded to Alexis Sukrieh <sukria@debian.org>: Bug#439392; Package backup-manager.
Acknowledgement sent to Micha Lenk <micha@lenk.info>: Extra info received and forwarded to maintainer. Copy sent to Alexis Sukrieh <sukria@debian.org>.

Message #38 received at 439392-maintonly@bugs.debian.org:
Hi Alexis,
when will there be a security update available for Debian Etch?
Thanks for your support
Micha

Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>: Bug#439392; Package backup-manager.
Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>: Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>.

Message #43 received at 439392@bugs.debian.org:
Micha Lenk wrote:
> Hi Alexis,
>
> when will there be a security update available for Debian Etch?
>
> Thanks for your support
Hi,
I've submitted a patch for the etch package to the security team. It's
in their hands and is waiting for approval.
I'm waiting to see it going into the security updates as well ;)
Regards,
--
Alexis Sukrieh

Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>: Bug#439392; Package backup-manager.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>: Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>.

Message #48 received at 439392@bugs.debian.org:
Hi,
Thanks for fixing this promptly. Do you intend to supply fixed packages for
etch and sarge, or are they not vulnerable?
Thanks
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>: Bug#439392; Package backup-manager.
Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>: Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>.

Message #53 received at 439392@bugs.debian.org:
Thijs Kinkhorst wrote:
> Hi,
>
> Thanks for fixing this promptly. Do you intend to supply fixed packages for
> etch and sarge, or are they not vulnerable?
Hi,
The stable package has been submitted to the Security Team. It's
waiting for approval.
Regards,
--
Alexis Sukrieh

Reply sent to Thijs Kinkhorst <thijs@debian.org>: You have taken responsibility.
Notification sent to Micha Lenk <micha@lenk.info>: Bug acknowledged by developer.

Message #58 received at 439392-close@bugs.debian.org:
Source: backup-manager
Source-Version: 0.5.7-1sarge2
We believe that the bug you reported is fixed in the latest version of
backup-manager, which is due to be installed in the Debian FTP archive:
backup-manager_0.5.7-1sarge2.diff.gz
to pool/main/b/backup-manager/backup-manager_0.5.7-1sarge2.diff.gz
backup-manager_0.5.7-1sarge2.dsc
to pool/main/b/backup-manager/backup-manager_0.5.7-1sarge2.dsc
backup-manager_0.5.7-1sarge2_all.deb
to pool/main/b/backup-manager/backup-manager_0.5.7-1sarge2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 439392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated backup-manager package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 15 Mar 2008 22:30:05 +0100
Source: backup-manager
Binary: backup-manager
Architecture: source all
Version: 0.5.7-1sarge2
Distribution: oldstable-security
Urgency: high
Maintainer: Alexis Sukrieh <sukria@sukria.net>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
backup-manager - command-line backup tool for GNU Linux
Closes: 439392
Changes:
backup-manager (0.5.7-1sarge2) oldstable-security; urgency=high
.
* Non-maintainer upload by the security team.
* Fix FTP password disclosure during FTP uploads, based on
maintainer-supplied patch. Closes: #439392. CVE-2007-4656
Files:
fad99430055e40413827e477768dd077 923 admin optional backup-manager_0.5.7-1sarge2.dsc
4c33c9b8711ca3da4eb7f8f77214c26a 18510 admin optional backup-manager_0.5.7-1sarge2.diff.gz
05b3fbc927d4ca0e7823a5dca7a1b9b0 30740 admin optional backup-manager_0.5.7-1sarge2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----

Reply sent to Thijs Kinkhorst <thijs@debian.org>: You have taken responsibility.
Notification sent to Micha Lenk <micha@lenk.info>: Bug acknowledged by developer.

Message #63 received at 439392-close@bugs.debian.org:
Source: backup-manager
Source-Version: 0.7.5-4
We believe that the bug you reported is fixed in the latest version of
backup-manager, which is due to be installed in the Debian FTP archive:
backup-manager-doc_0.7.5-4_all.deb
to pool/main/b/backup-manager/backup-manager-doc_0.7.5-4_all.deb
backup-manager_0.7.5-4.diff.gz
to pool/main/b/backup-manager/backup-manager_0.7.5-4.diff.gz
backup-manager_0.7.5-4.dsc
to pool/main/b/backup-manager/backup-manager_0.7.5-4.dsc
backup-manager_0.7.5-4_all.deb
to pool/main/b/backup-manager/backup-manager_0.7.5-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 439392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated backup-manager package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 15 Mar 2008 22:34:06 +0100
Source: backup-manager
Binary: backup-manager backup-manager-doc
Architecture: source all
Version: 0.7.5-4
Distribution: stable-security
Urgency: high
Maintainer: Alexis Sukrieh <sukria@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
backup-manager - command-line backup tool
backup-manager-doc - documentation package for Backup Manager
Closes: 439392
Changes:
backup-manager (0.7.5-4) stable-security; urgency=high
.
* Backport from unstable (version 0.7.6-4) for closing a security issue:
FTP password disclosure during FTP uploads. Uses maintainer-supplied
patch. Closes: #439392. CVE-2007-4656.
Files:
e63192d8ad7753a47baaae9c9df26f25 1036 admin optional backup-manager_0.7.5-4.dsc
76e1c9cea0b8fb210d3862fd89e09c08 159855 admin optional backup-manager_0.7.5.orig.tar.gz
4c4e6282b938b98e9488d44243d7bb96 98048 admin optional backup-manager_0.7.5-4.diff.gz
bcb8c5d8902e36ac0348c94a84cf04cb 109278 admin optional backup-manager_0.7.5-4_all.deb
d97a5222cf45f9feb451ffb9c0c66164 219546 doc optional backup-manager-doc_0.7.5-4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 10:32:50 GMT)
Last modified: Wed Jun 19 17:25:41 2019