Debian Bug report logs - #662944
CVE-2012-1104 CVE-2012-1105

Package: glpi; Maintainer for glpi is Pierre Chifflier <pollux@debian.org>; Source for glpi is src:glpi (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Wed, 7 Mar 2012 13:33:02 UTC

Severity: important

Tags: security

Fixed in version glpi/0.80.7-2

Done: Pierre Chifflier <pollux@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#662944; Package glpi. (Wed, 07 Mar 2012 13:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Pierre Chifflier <pollux@debian.org>. (Wed, 07 Mar 2012 13:33:18 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-1104 CVE-2012-1105
Date: Wed, 07 Mar 2012 14:23:16 +0100
Package: glpi
Severity: important
Tags: security

Two security issues have been reported in phpCAS, which is embedded in glpi.
Please contact upstream to verify, whether glpi is affected by these issues:

http://seclists.org/oss-sec/2012/q1/551

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#662944; Package glpi. (Sat, 10 Mar 2012 09:54:04 GMT) (full text, mbox, link).


Acknowledgement sent to Pierre Chifflier <pollux@debian.org>:
Extra info received and forwarded to list. (Sat, 10 Mar 2012 09:54:09 GMT) (full text, mbox, link).


Message #10 received at 662944@bugs.debian.org (full text, mbox, reply):

From: Pierre Chifflier <pollux@debian.org>
To: GLPI users mailing list <glpi-user@gna.org>
Cc: 662944@bugs.debian.org
Subject: [security] embedded copy of phpCAS
Date: Sat, 10 Mar 2012 10:51:15 +0100
Hi,

Two security issues have been reported in phpCAS, which is embedded in
glpi:

http://seclists.org/oss-sec/2012/q1/551

I'm following this information so you can check if the embedded copy
needs an update, since you are also distributing it in the standard
tarball.

Note that in the Debian package I intend to remove it from the package,
since code copies are not something good, both for maintenance and
security. The best solution would be to create a separate package for
phpcas and maintain it, if someone volunteers that would be nice :)

Regards,
Pierre




Reply sent to Pierre Chifflier <pollux@debian.org>:
You have taken responsibility. (Sat, 10 Mar 2012 12:24:21 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sat, 10 Mar 2012 12:25:02 GMT) (full text, mbox, link).


Message #15 received at 662944-close@bugs.debian.org (full text, mbox, reply):

From: Pierre Chifflier <pollux@debian.org>
To: 662944-close@bugs.debian.org
Subject: Bug#662944: fixed in glpi 0.80.7-2
Date: Sat, 10 Mar 2012 12:03:50 +0000
Source: glpi
Source-Version: 0.80.7-2

We believe that the bug you reported is fixed in the latest version of
glpi, which is due to be installed in the Debian FTP archive:

glpi_0.80.7-2.debian.tar.gz
  to main/g/glpi/glpi_0.80.7-2.debian.tar.gz
glpi_0.80.7-2.dsc
  to main/g/glpi/glpi_0.80.7-2.dsc
glpi_0.80.7-2_all.deb
  to main/g/glpi/glpi_0.80.7-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 662944@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Chifflier <pollux@debian.org> (supplier of updated glpi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 10 Mar 2012 11:41:05 +0100
Source: glpi
Binary: glpi
Architecture: source all
Version: 0.80.7-2
Distribution: unstable
Urgency: high
Maintainer: Pierre Chifflier <pollux@debian.org>
Changed-By: Pierre Chifflier <pollux@debian.org>
Description: 
 glpi       - IT and Asset management software
Closes: 429344 505983 662944
Changes: 
 glpi (0.80.7-2) unstable; urgency=high
 .
   * Do not install embedded copy of phpCAS (Closes: #505983, #662944)
     As phpCAS is not yet packaged, this removes the related functionality.
     If you need phpCAS, see the README.Debian file for instructions.
     This closes the following security problems: CVE-2012-1104 CVE-2012-1105
   * Bump Standards Version to 3.9.3
   * Remove embedded code copy of tinymce, and depend on the Debian package
   * Remove embedded code copy of phpmailer, and replace it by the Debian
     package (Closes: #429344)
Checksums-Sha1: 
 3dd748f6fa15a852e57faba4cb824ba7a2a4de98 1638 glpi_0.80.7-2.dsc
 ba75b4b388eb5c2520124259eb64fdaa8c5ec434 16382 glpi_0.80.7-2.debian.tar.gz
 a5339cd99209447859628cbea45eed23eef7d6e5 3466814 glpi_0.80.7-2_all.deb
Checksums-Sha256: 
 b1296bb1241b43310bae1cfa503b3b6caca178375f9b4fca5de551185be5dcde 1638 glpi_0.80.7-2.dsc
 f31f33c583289cd4fed88a60761d5224186c0f36e71370dc417370d1e34314ab 16382 glpi_0.80.7-2.debian.tar.gz
 a02e6fdb33dce7b5e1390afeaeb6d263d5b0f0399e062351945135f6e75e403e 3466814 glpi_0.80.7-2_all.deb
Files: 
 ad4c59b30030cb249ad60f360a0249f8 1638 web optional glpi_0.80.7-2.dsc
 6321a8a4cedfa0f9a4fe8fd715240988 16382 web optional glpi_0.80.7-2.debian.tar.gz
 ec33655d94ca4ee5e6a40e4a10870f21 3466814 web optional glpi_0.80.7-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#662944; Package glpi. (Sat, 10 Mar 2012 21:03:09 GMT) (full text, mbox, link).


Acknowledgement sent to Pierre Chifflier <pollux@debian.org>:
Extra info received and forwarded to list. (Sat, 10 Mar 2012 21:03:09 GMT) (full text, mbox, link).


Message #20 received at 662944@bugs.debian.org (full text, mbox, reply):

From: Pierre Chifflier <pollux@debian.org>
To: JMD <jmd@indepnet.net>
Cc: 662944@bugs.debian.org
Subject: [security] embedded copy of phpCAS
Date: Sat, 10 Mar 2012 21:59:42 +0100
Hi,

I tried to send the mail below, but it was rejected by the mailing list
server (I'm not subscribed with the right address ..). So I'm forwarding
it directly, until I get subscribed.

Cheers,
Pierre

Hi,

Two security issues have been reported in phpCAS, which is embedded in
glpi:

http://seclists.org/oss-sec/2012/q1/551

I'm following this information so you can check if the embedded copy
needs an update, since you are also distributing it in the standard
tarball.

Note that in the Debian package I intend to remove it from the package,
since code copies are not something good, both for maintenance and
security. The best solution would be to create a separate package for
phpcas and maintain it, if someone volunteers that would be nice :)

Regards,
Pierre
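Pierre's message (#10 above, and its forwarded copy here) makes the supply-chain point behind this bug: an embedded copy of phpCAS means every upstream security fix has to be found and re-applied in each vendored tree, which is why the Debian package drops the copy instead. The script below is an added example, not code from the bug report, from GLPI or from the Debian glpi package. It scans a source tree for vendored phpCAS copies and flags any copy older than a chosen minimum version. It assumes each copy ships a CAS.php declaring define('PHPCAS_VERSION', 'x.y.z'); that constant name, the constructed sample tree and the 1.3.1 threshold are assumptions made for the demonstration, not values taken from the page.

```sh
#!/bin/sh
# Added example (not from the bug report, GLPI or the Debian package):
# locate embedded copies of phpCAS in a source tree and flag copies that
# are older than a minimum version. Assumption: each copy ships a CAS.php
# with a line of the form define('PHPCAS_VERSION', 'x.y.z');

# Print "path version" for each CAS.php under $1 that declares PHPCAS_VERSION.
find_phpcas_copies() {
    find "$1" -type f -name 'CAS.php' | sort | while read -r f; do
        v=$(sed -n "s/.*define *( *'PHPCAS_VERSION' *, *'\([^']*\)'.*/\1/p" "$f" | head -n 1)
        if [ -n "$v" ]; then
            printf '%s %s\n' "$f" "$v"
        fi
    done
}

# Exit 0 when dotted version $1 is numerically older than $2, else exit 1.
# Missing trailing fields count as 0, so 1.3 and 1.3.0 compare equal.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print "path version older|ok" for each copy under $1, judged against
# the minimum version $2.
phpcas_copy_status() {
    find_phpcas_copies "$1" | while read -r f v; do
        if version_lt "$v" "$2"; then s=older; else s=ok; fi
        printf '%s %s %s\n' "$f" "$v" "$s"
    done
}

# Number of phpCAS copies found under $1.
count_phpcas_copies() {
    find_phpcas_copies "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree: two vendored copies at different
# versions plus an unrelated CAS.php without the constant. Sample data
# only; it is not the real GLPI source layout.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/glpi/lib/phpcas" "$d/other/vendor/phpCAS" "$d/decoy"
    printf "<?php\ndefine('PHPCAS_VERSION', '1.2.0');\n" > "$d/glpi/lib/phpcas/CAS.php"
    printf "<?php\ndefine('PHPCAS_VERSION', '1.3.1');\n" > "$d/other/vendor/phpCAS/CAS.php"
    printf "<?php\n// unrelated file that happens to share the name\n" > "$d/decoy/CAS.php"
    printf '%s\n' "$d"
}

# Usage: scan the sample tree with 1.3.1 as the (assumed) minimum version.
tree=$(make_sample_tree)
phpcas_copy_status "$tree" 1.3.1
rm -rf "$tree"
```

Run against a real checkout, the scan is the inventory step a distribution or a deployment team needs before a phpCAS advisory can be acted on: each reported path is a place where a fix must land, and "older" rows are copies that still carry the old code. The decoy file shows why matching on the version constant rather than the file name alone matters.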




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 10 Apr 2012 07:37:06 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:07:04 2019; Machine Name: buxtehude
