Debian Bug report logs - #707776
kde4libs: CVE-2013-2074: prints passwords contained in HTTP URLs in error messages
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>: Bug#707776; Package kde4libs. (Sat, 11 May 2013 08:33:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Sat, 11 May 2013 08:33:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: kde4libs
Version: 4:4.8.4-4
Severity: important
Tags: security patch
Control: forwarded -1 https://bugs.kde.org/show_bug.cgi?id=319428
Hi,
the following vulnerability was published for kde4libs.
CVE-2013-2074[0]:
prints passwords contained in HTTP URLs in error messages
Upstream Bugreport is [1] containing a patch [2].
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2074
http://security-tracker.debian.org/tracker/CVE-2013-2074
[1] https://bugs.kde.org/show_bug.cgi?id=319428
[2] https://projects.kde.org/projects/kde/kdelibs/repository/revisions/65d736dab592bced4410ccfa4699de89f78c96ca/diff/kioslave/http/http.cpp
Please adjust the affected versions in the BTS as needed; the versions
in wheezy, testing and unstable look affected. (oldstable and
experimental are not checked).
Regards,
Salvatore
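The report above concerns an error path that echoed the full request URL, including any user:password@ userinfo, into a user-visible message. The following is an added illustration of the defensive pattern, not code from kdelibs or from the patch linked above: the userinfo is stripped from the URL before the error string is built. Function names are hypothetical.

```cpp
// Added example (not kdelibs code): remove any "user:password@" userinfo from
// a URL before it is used in an error message or log line.
#include <string>

// Returns a copy of `url` with the userinfo component of the authority removed.
// URLs without "://" or without userinfo are returned unchanged. The '@' is
// only searched for between "://" and the first '/', '?' or '#', so an '@'
// that appears later in the path or query is left alone.
std::string redactUrlCredentials(const std::string& url) {
    const std::string::size_type schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return url;
    const std::string::size_type authStart = schemeEnd + 3;
    const std::string::size_type authEnd = url.find_first_of("/?#", authStart);
    const std::string::size_type limit =
        (authEnd == std::string::npos) ? url.size() : authEnd;
    // Take the last '@' inside the authority: a host name never contains one,
    // while a badly encoded user name might.
    const std::string::size_type at = url.rfind('@', limit);
    if (at == std::string::npos || at < authStart) return url;
    return url.substr(0, authStart) + url.substr(at + 1);
}

// Vulnerable pattern: the raw URL, credentials included, goes into the message.
std::string unsafeErrorMessage(const std::string& url) {
    return "Could not connect to " + url;
}

// Hardened pattern: redact before formatting the message.
std::string safeErrorMessage(const std::string& url) {
    return "Could not connect to " + redactUrlCredentials(url);
}
```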
Marked as found in versions kde4libs/4:4.4.5-2+squeeze3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 11 May 2013 15:51:06 GMT)
Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 16 May 2013 16:45:14 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>: Bug#707776; Package kde4libs. (Sun, 25 Aug 2013 21:51:04 GMT)
Acknowledgement sent to Andrew Goodbody <ajg02@elfringham.co.uk>: Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Sun, 25 Aug 2013 21:51:04 GMT)
Message #16 received at 707776@bugs.debian.org:
The upstream fixes mentioned in [1] appear to have gone into 4.10.4.
Looking at the Debian source [2] for the package in Sid, i.e. 4.10.5, shows
the fixes included.
So why does CVE-2013-2074 [3] show sid as vulnerable?
[1] https://bugs.kde.org/show_bug.cgi?id=319428
[2] http://sources.debian.net/src/kde4libs/4:4.10.5-1/kioslave/http/http.cpp
[3] https://security-tracker.debian.org/tracker/CVE-2013-2074
Reply sent to "Lisandro Damián Nicanor Pérez Meyer" <perezmeyer@gmail.com>: You have taken responsibility. (Wed, 28 Aug 2013 02:12:09 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Wed, 28 Aug 2013 02:12:09 GMT)
Message #21 received at 707776-done@bugs.debian.org:
Version: 4:4.10.5-1
On Sunday 25 August 2013 22:48:43 Andrew Goodbody wrote:
> The upstream fixes mentioned in [1] appear to have gone into 4.10.4.
> Looking at the Debian source [2] for the package in Sid, ie 4.10.5 shows
> the fixes included.
>
> So why does CVE-2013-2074 [3] show sid as vulnerable?
Simply because no one properly closed this bug, which I'm doing now. We have
lots of bugs and very few people for triaging them.
Thanks a lot for pointing this out. If you find more stuff like this, please
do not hesitate in communicating with us as in this case.
Regards, Lisandro.
--
"If I have been able to see farther, it was only because I stood on the
shoulders of giants"
Sir Isaac Newton
Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 25 Sep 2013 07:31:16 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 17:20:26 2019