CVE-2010-2060


Debian Bug report logs - #585162
CVE-2010-2060


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 9 Jun 2010 17:03:08 UTC

Severity: normal

Fixed in version beanstalkd/1.4.6-1

Done: Serafeim Zanikolas <sez@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Serafeim Zanikolas <sez@debian.org>:
Bug#585162; Package beanstalkd. (Wed, 09 Jun 2010 17:03:10 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to Serafeim Zanikolas <sez@debian.org>. (Wed, 09 Jun 2010 17:03:11 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-2060
Date: Wed, 09 Jun 2010 19:01:44 +0200

Package: beanstalkd
Severity: normal

Hi,
please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2060 
for a reported security issue in beanstalkd. However, since the
description states
 .
| Beanstalkd is meant to be ran in a trusted network, as it has no
| authorisation/authentication mechanisms.

this is likely a non-issue?

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#585162; Package beanstalkd. (Wed, 09 Jun 2010 21:21:07 GMT).


Acknowledgement sent to Serafeim Zanikolas <sez@debian.org>:
Extra info received and forwarded to list. (Wed, 09 Jun 2010 21:21:07 GMT).


Message #10 received at 585162@bugs.debian.org:

From: Serafeim Zanikolas <sez@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 585162@bugs.debian.org
Cc: Debian Bug Tracking System <control@bugs.debian.org>
Subject: Re: Bug#585162: CVE-2010-2060
Date: Wed, 9 Jun 2010 23:17:37 +0200

fixed 585162 1.4.6-1
thanks

Thanks for the notice Moritz. I'm already aware of the issue, and I've
uploaded over a week ago the new upstream that fixes it.

On Wed, Jun 09, 2010 at 07:01:44PM +0200, Moritz Muehlenhoff wrote [edited]:
> please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2060

That page is wrong in stating that 1.4.6-1 is vulnerable.

> | Beanstalkd is meant to be ran in a trusted network, as it has no
> | authorisation/authentication mechanisms.
> 
> this is likely a non-issue?

Indeed, it's no big deal, but nevertheless should be fixed for squeeze. I did
the upload with urgency=medium, but it got stuck due to a random
(unreproducible) build error in a mips host. I'll give them yet another ping
to retry the build (not sure whether they missed my request, or they just have
a long backlog).

I'll close the bug as soon as 1.4.5 is gone from testing.

Cheers,
Serafeim




Bug Marked as fixed in versions beanstalkd/1.4.6-1. Request was from Serafeim Zanikolas <sez@debian.org> to control@bugs.debian.org. (Wed, 09 Jun 2010 21:21:09 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#585162; Package beanstalkd. (Wed, 09 Jun 2010 21:24:02 GMT).


Acknowledgement sent to Serafeim Zanikolas <sez@debian.org>:
Extra info received and forwarded to list. (Wed, 09 Jun 2010 21:24:03 GMT).


Message #17 received at 585162@bugs.debian.org:

From: Serafeim Zanikolas <sez@debian.org>
To: mips@buildd.debian.org
Cc: 585162@bugs.debian.org
Subject: Re: please retry a build of beanstalkd
Date: Wed, 9 Jun 2010 23:21:16 +0200

On Tue, Jun 01, 2010 at 11:14:23PM +0200, Serafeim Zanikolas wrote:
> Please retry a build of beanstalkd-1.4.6-1 for the mips arch.
> 
> Justification: beanstalkd FTBFS in ball.d.o (due to a test failure) but I
> repeatedly failed to reproduce the test failure in gabrielli.d.o (another mips
> host).

Any news on this? It's rather important to get this release to testing,
because it fixes a security issue.

Cheers,
Serafeim




Information forwarded to debian-bugs-dist@lists.debian.org, Serafeim Zanikolas <sez@debian.org>:
Bug#585162; Package beanstalkd. (Wed, 09 Jun 2010 21:27:03 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Serafeim Zanikolas <sez@debian.org>. (Wed, 09 Jun 2010 21:27:03 GMT).


Message #22 received at 585162@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Serafeim Zanikolas <sez@debian.org>
Cc: 585162@bugs.debian.org
Subject: Re: Bug#585162: CVE-2010-2060
Date: Wed, 9 Jun 2010 23:22:54 +0200

On Wed, Jun 09, 2010 at 11:17:37PM +0200, Serafeim Zanikolas wrote:
> fixed 585162 1.4.6-1
> thanks
> 
> Thanks for the notice Moritz. I'm already aware of the issue, and I've
> uploaded over a week ago the new upstream that fixes it.
> 
> On Wed, Jun 09, 2010 at 07:01:44PM +0200, Moritz Muehlenhoff wrote [edited]:
> > please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2060
> 
> That page is wrong in stating that 1.4.6-1 is vulnerable.

Thanks, noted in the Debian security tracker.
 
Cheers,
        Moritz




Reply sent to Serafeim Zanikolas <sez@debian.org>:
You have taken responsibility. (Wed, 23 Mar 2011 09:00:03 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 23 Mar 2011 09:00:03 GMT).


Message #27 received at 585162-done@bugs.debian.org:

From: Serafeim Zanikolas <sez@debian.org>
To: 585162-done@bugs.debian.org
Subject: closing as 1.4.5 is no longer in stable/testing
Date: Wed, 23 Mar 2011 09:56:29 +0100



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 30 Apr 2011 08:29:25 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:58:15 2019; Machine Name: beach
