Debian Bug report logs - #887391
CVE-2017-9274


Package: osc; Maintainer for osc is RPM packaging team <team+pkg-rpm@tracker.debian.org>; Source for osc is src:osc (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 15 Jan 2018 20:15:01 UTC

Severity: grave

Tags: security

Found in versions osc/0.156.0-1, osc/0.161.1-1

Fixed in version osc/0.162.1-1

Done: Michal Čihař <nijel@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, RPM packaging team <pkg-rpm-devel@lists.alioth.debian.org>:
Bug#887391; Package osc. (Mon, 15 Jan 2018 20:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, RPM packaging team <pkg-rpm-devel@lists.alioth.debian.org>. (Mon, 15 Jan 2018 20:15:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-9274
Date: Mon, 15 Jan 2018 21:14:08 +0100
Package: osc
Severity: grave
Tags: security

Please see https://bugzilla.novell.com/show_bug.cgi?id=938556

Cheers,
        Moritz



Marked as found in versions osc/0.161.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 15 Jan 2018 20:21:10 GMT) (full text, mbox, link).


Marked as found in versions osc/0.156.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 15 Jan 2018 20:21:13 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, RPM packaging team <pkg-rpm-devel@lists.alioth.debian.org>:
Bug#887391; Package osc. (Mon, 15 Jan 2018 20:27:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to RPM packaging team <pkg-rpm-devel@lists.alioth.debian.org>. (Mon, 15 Jan 2018 20:27:06 GMT) (full text, mbox, link).


Message #14 received at 887391@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 887391@bugs.debian.org
Subject: Re: Bug#887391: CVE-2017-9274
Date: Mon, 15 Jan 2018 21:24:54 +0100
Hey,

Just for reference, we track some "details" in the security-tracker
entry for CVE-2017-9274. SUSE did not only fix the
obs-service-source_validate part, but in osc added a validation (in
version 0.162.0) when using OBS 2.9 which is via commit: 

https://github.com/openSUSE/osc/commit/f0325eb0b58c266eb0905ccf827dc7eb864378a1

apparently.

Hope this additionally helps,

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, RPM packaging team <pkg-rpm-devel@lists.alioth.debian.org>:
Bug#887391; Package osc. (Tue, 16 Jan 2018 08:51:05 GMT) (full text, mbox, link).


Acknowledgement sent to Michal Čihař <michal@cihar.com>:
Extra info received and forwarded to list. Copy sent to RPM packaging team <pkg-rpm-devel@lists.alioth.debian.org>. (Tue, 16 Jan 2018 08:51:06 GMT) (full text, mbox, link).


Message #19 received at 887391@bugs.debian.org (full text, mbox, reply):

From: Michal Čihař <michal@cihar.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 887391@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#887391: CVE-2017-9274
Date: Tue, 16 Jan 2018 09:03:11 +0100
Hi

On Mon, 2018-01-15 at 21:24 +0100, Salvatore Bonaccorso wrote:
> Just for reference, we track some "details" in the security-tracker
> entry for CVE-2017-9274. SUSE did not only fix the
> obs-service-source_validate part, 

We don't ship obs-service-source_validate (it's separate upstream
package).

> but in osc added a validation (in
> version 0.162.0) when using OBS 2.9 which is via commit: 
> 
> https://github.com/openSUSE/osc/commit/f0325eb0b58c266eb0905ccf827dc7eb864378a1
> 
> apparently.

IMHO it doesn't make much sense to include on its own, but maybe I'm
missing something.

-- 
	Michal Čihař | https://cihar.com/ | https://weblate.org/

Added tag(s) pending. Request was from Michal Čihař <nijel@debian.org> to control@bugs.debian.org. (Tue, 23 Jan 2018 08:51:06 GMT) (full text, mbox, link).


Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#887391. (Tue, 23 Jan 2018 08:51:09 GMT) (full text, mbox, link).


Message #24 received at 887391-submitter@bugs.debian.org (full text, mbox, reply):

From: Michal Čihař <nijel@debian.org>
To: 887391-submitter@bugs.debian.org
Subject: Bug#887391 marked as pending
Date: Tue, 23 Jan 2018 08:49:28 +0000
tag 887391 pending
thanks

Hello,

Bug #887391 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/pkg-rpm/osc.git/commit/?id=4606463

---
commit 4606463a7fffb5eeaa04982900cdf07f630985f0
Author: Michal Čihař <nijel@debian.org>
Date:   Tue Jan 23 09:46:10 2018 +0100

    New upstream release.
    
    * New upstream release.
      - Contains osc part of hardening for CVE-2017-9274 (Closes: #887391).

diff --git a/debian/changelog b/debian/changelog
index d5ee0ae..6cc59e8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+osc (0.162.1-1) UNRELEASED; urgency=medium
+
+  * New upstream release.
+    - Contains osc part of hardening for CVE-2017-9274 (Closes: #887391).
+
+ -- Michal Čihař <nijel@debian.org>  Tue, 23 Jan 2018 09:42:40 +0100
+
 osc (0.161.1-1) unstable; urgency=medium
 
   * New upstream release.
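Review bot: the new entry `+osc (0.162.1-1) UNRELEASED; urgency=medium` still carries the UNRELEASED placeholder, so this commit cannot be uploaded as-is; the distribution has to be switched to `unstable` before the upload (the accepted upload later in this log does show `osc (0.162.1-1) unstable`). For a grave, security-tagged bug the changelog line "Contains osc part of hardening for CVE-2017-9274" would also be more useful to reviewers if it named the upstream change it refers to, i.e. the osc validation added in 0.162.0 (commit f0325eb0b58c266eb0905ccf827dc7eb864378a1 cited earlier in this bug), so that the "osc part" is verifiable from the changelog alone.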



Reply sent to Michal Čihař <nijel@debian.org>:
You have taken responsibility. (Tue, 23 Jan 2018 09:24:36 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Tue, 23 Jan 2018 09:24:36 GMT) (full text, mbox, link).


Message #29 received at 887391-close@bugs.debian.org (full text, mbox, reply):

From: Michal Čihař <nijel@debian.org>
To: 887391-close@bugs.debian.org
Subject: Bug#887391: fixed in osc 0.162.1-1
Date: Tue, 23 Jan 2018 09:24:02 +0000
Source: osc
Source-Version: 0.162.1-1

We believe that the bug you reported is fixed in the latest version of
osc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 887391@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michal Čihař <nijel@debian.org> (supplier of updated osc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 23 Jan 2018 09:47:02 +0100
Source: osc
Binary: osc
Architecture: source
Version: 0.162.1-1
Distribution: unstable
Urgency: medium
Maintainer: RPM packaging team <pkg-rpm-devel@lists.alioth.debian.org>
Changed-By: Michal Čihař <nijel@debian.org>
Description:
 osc        - Open Build Service commander
Closes: 887391
Changes:
 osc (0.162.1-1) unstable; urgency=medium
 .
   * New upstream release.
     - Contains osc part of hardening for CVE-2017-9274 (Closes: #887391).
   * Bump standards to 4.1.3.
Checksums-Sha1:
 71610053d3a1b161b5456f47ec35302a7c9113c1 2083 osc_0.162.1-1.dsc
 ad7629fe63be6f4add8a6c6aead6f3d7d4a0d63f 352488 osc_0.162.1.orig.tar.gz
 f00b2ac3a14febe1320fd9e13a86db3accdf89d3 5564 osc_0.162.1-1.debian.tar.xz
 f00200f405e44ca60efb49e74e0718282bfa8c1a 6921 osc_0.162.1-1_amd64.buildinfo
Checksums-Sha256:
 f69d00902d6b1b93aea2dd140a5c8c065af689bf07cecc367f8c3619053c6895 2083 osc_0.162.1-1.dsc
 f0464de4d4af19bb1c3522992c5015e3d0dbace5356a727818e591cc627dc5a7 352488 osc_0.162.1.orig.tar.gz
 edd8da5fcde5de17c52e6593ee322a17bfbaeb77a4b3c2521b92127ee8c2f40d 5564 osc_0.162.1-1.debian.tar.xz
 27c70e510752aada22eee909113ece56d787de2de0ac29a241b7ccc42e0f51e5 6921 osc_0.162.1-1_amd64.buildinfo
Files:
 eea3572b9ff2c8b7384e3756453f4c4d 2083 devel optional osc_0.162.1-1.dsc
 d8100719ba2c90b7df4d51d9c3376b42 352488 devel optional osc_0.162.1.orig.tar.gz
 4b74b3ee99c1007b07dbef1cee6ec147 5564 devel optional osc_0.162.1-1.debian.tar.xz
 cbce09bcf799b8fba9d2d2d7a412f752 6921 devel optional osc_0.162.1-1_amd64.buildinfo




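The .changes listing above carries SHA-256 digests and sizes for every file in the upload. The following is an added example, not code from the bug log or from the osc package, showing how a practitioner would parse those stanzas and check a downloaded source upload against them before building from it. The CHANGES_EXCERPT string is copied from the listing above; since the files are not fetched here, the demo runs the verifier against a constructed scratch directory containing a deliberately wrong `osc_0.162.1-1.dsc`.

```python
"""Verify a Debian source upload against the checksums in its .changes file.

Added example, not part of the bug log or of the osc package itself.
CHANGES_EXCERPT is copied from the osc 0.162.1-1 .changes listing in the
bug log; the files themselves are not fetched, so demo() exercises the
verifier against a constructed scratch directory.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    digest: str
    size: int
    name: str


# Copied from the .changes shown in the bug log (Checksums-Sha256 and the
# first two Files lines). Files carries MD5, parsed here only to show the
# same parser handles it; verification uses SHA-256.
CHANGES_EXCERPT = """\
Format: 1.8
Source: osc
Version: 0.162.1-1
Checksums-Sha256:
 f69d00902d6b1b93aea2dd140a5c8c065af689bf07cecc367f8c3619053c6895 2083 osc_0.162.1-1.dsc
 f0464de4d4af19bb1c3522992c5015e3d0dbace5356a727818e591cc627dc5a7 352488 osc_0.162.1.orig.tar.gz
 edd8da5fcde5de17c52e6593ee322a17bfbaeb77a4b3c2521b92127ee8c2f40d 5564 osc_0.162.1-1.debian.tar.xz
 27c70e510752aada22eee909113ece56d787de2de0ac29a241b7ccc42e0f51e5 6921 osc_0.162.1-1_amd64.buildinfo
Files:
 eea3572b9ff2c8b7384e3756453f4c4d 2083 devel optional osc_0.162.1-1.dsc
 d8100719ba2c90b7df4d51d9c3376b42 352488 devel optional osc_0.162.1.orig.tar.gz
"""


def parse_stanza(changes: str, field: str) -> Dict[str, Entry]:
    """Return {filename: Entry} for one multi-line checksum field.

    Debian control format: the field name alone on a line, followed by
    continuation lines that start with a single space. Parsing stops at
    the first non-continuation line. Unknown field -> empty dict.
    """
    entries: Dict[str, Entry] = {}
    lines = changes.splitlines()
    try:
        start = lines.index(f"{field}:") + 1
    except ValueError:
        return entries
    for line in lines[start:]:
        if not line.startswith(" "):
            break
        parts = line.split()
        # Checksums-*: digest size name; Files: md5 size section priority name
        digest, size, name = parts[0], int(parts[1]), parts[-1]
        entries[name] = Entry(digest, size, name)
    return entries


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_upload(changes: str, directory: str) -> List[str]:
    """Check every Checksums-Sha256 entry against files in `directory`.

    Returns a list of problems; empty means every listed file is present
    with the expected size and SHA-256. Size is checked first: a size
    mismatch is a cheap, unambiguous sign of a truncated or swapped file.
    """
    problems: List[str] = []
    for name, entry in parse_stanza(changes, "Checksums-Sha256").items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: missing")
            continue
        actual_size = os.path.getsize(path)
        if actual_size != entry.size:
            problems.append(f"{name}: size {actual_size} != {entry.size}")
            continue
        if sha256_file(path) != entry.digest:
            problems.append(f"{name}: sha256 mismatch")
    return problems


def demo() -> List[str]:
    """Run the verifier on a constructed scratch directory (no download).

    Writes a fake .dsc of the right size but wrong content, so the SHA-256
    branch rather than the size branch is the one that trips.
    """
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "osc_0.162.1-1.dsc"), "wb") as fh:
            fh.write(b"x" * 2083)
        return verify_upload(CHANGES_EXCERPT, tmp)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Pointing `verify_upload` at a directory holding the real `osc_0.162.1-1.dsc`, `osc_0.162.1.orig.tar.gz` and `osc_0.162.1-1.debian.tar.xz` reproduces the check `dscverify`/`dpkg-source` perform; the digests are only trustworthy once the `.changes` signature itself has been checked against the uploader's key, which this example does not do.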



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:38:17 2019; Machine Name: buxtehude
