fwsnort: CVE-2014-0039: configuration file can be loaded from cwd when run as a non-root user

Debian Bug report logs - #737495

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 3 Feb 2014 05:48:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Fixed in version fwsnort/1.6.4-1

Done: Franck Joncourt <franck@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Franck Joncourt <franck@debian.org>:
Bug#737495; Package fwsnort. (Mon, 03 Feb 2014 05:48:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Franck Joncourt <franck@debian.org>. (Mon, 03 Feb 2014 05:48:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fwsnort: CVE-2014-0039: configuration file can be loaded from cwd when run as a non-root user
Date: Mon, 03 Feb 2014 06:44:09 +0100
Package: fwsnort
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for fwsnort.

CVE-2014-0039[0]:
configuration file can be loaded from cwd when run as a non-root user

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0039
    http://security-tracker.debian.org/tracker/CVE-2014-0039
[1] https://github.com/mrash/fwsnort/commit/fa977453120cc48e1654f373311f9cac468d3348
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1060602

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) pending. Request was from Franck Joncourt <franck@debian.org> to control@bugs.debian.org. (Mon, 18 Aug 2014 16:09:05 GMT)


Reply sent to Franck Joncourt <franck@debian.org>:
You have taken responsibility. (Tue, 19 Aug 2014 06:06:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 19 Aug 2014 06:06:05 GMT)


Message #12 received at 737495-close@bugs.debian.org:

From: Franck Joncourt <franck@debian.org>
To: 737495-close@bugs.debian.org
Subject: Bug#737495: fixed in fwsnort 1.6.4-1
Date: Tue, 19 Aug 2014 06:03:33 +0000
Source: fwsnort
Source-Version: 1.6.4-1

We believe that the bug you reported is fixed in the latest version of
fwsnort, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 737495@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Franck Joncourt <franck@debian.org> (supplier of updated fwsnort package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 19 Aug 2014 07:41:40 +0200
Source: fwsnort
Binary: fwsnort
Architecture: source all
Version: 1.6.4-1
Distribution: unstable
Urgency: low
Maintainer: Franck Joncourt <franck@debian.org>
Changed-By: Franck Joncourt <franck@debian.org>
Description:
 fwsnort    - Snort-to-iptables rule translator
Closes: 737495 754736
Changes:
 fwsnort (1.6.4-1) unstable; urgency=low
 .
   * Imported Upstream version 1.6.4
     + Fixed CVE-2014-0039: Untrusted search path vulnerability.
      (Closes: #737495)
   * Updated package dependencies in d.control (Closes: #754736):
     + New libnet-rawip-perl dependency added.
     + Replaced libnet-ip-perl by libnetaddr-ip-perl dependency.
   * Fixed VCS-* fields in d.control. Canonical URIs are now used.
   * Updated debian compatibility to 8.
   * Bumped up Standards-Version to 3.9.5 (no changes) in d.control.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 26 Sep 2014 07:37:56 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:43:01 2019; Machine Name: buxtehude
