Package: condor; Maintainer for condor is HTCondor Developers <condor-debian@cs.wisc.edu>; Source for condor is src:condor.
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Thu, 20 Sep 2012 10:57:01 UTC
Severity: grave
Tags: security
Fixed in versions condor/7.8.4~dfsg.1-1, condor/7.8.2~dfsg.1-1+deb7u1
Done: Michael Hanke <mih@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Condor Developers <condor-debian@cs.wisc.edu>: Bug#688210; Package condor. (Thu, 20 Sep 2012 10:57:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Condor Developers <condor-debian@cs.wisc.edu>. (Thu, 20 Sep 2012 10:57:04 GMT)

Message #5 received at submit@bugs.debian.org:

Package: condor
Severity: grave
Tags: security
Justification: user security hole

Please see here for details:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3490
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3491
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3492
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3493

Cheers,
Moritz

Information forwarded to debian-bugs-dist@lists.debian.org, Condor Developers <condor-debian@cs.wisc.edu>: Bug#688210; Package condor. (Thu, 20 Sep 2012 17:00:13 GMT)

Acknowledgement sent to Jaime Frey <jfrey@cs.wisc.edu>: Extra info received and forwarded to list. Copy sent to Condor Developers <condor-debian@cs.wisc.edu>. (Thu, 20 Sep 2012 17:00:13 GMT)

Message #10 received at 688210@bugs.debian.org:

On Sep 20, 2012, at 5:50 AM, Moritz Muehlenhoff <jmm@inutil.org> wrote:

> Package: condor
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see here for details:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3490
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3491
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3492
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3493

These security issues have been fixed in the just-released Condor 7.8.4.

Michael, here are the commit hashes in the Condor git repo for the fixes:
CVE-2012-3490: 94e84ce4
CVE-2012-3491: 1fff5d40
CVE-2012-3492: 1db67805
CVE-2012-3493: d2f33972

For Debian testing, I believe we want to create a new Condor 7.8.2 package with just these changes. Can you prepare that? I can offer whatever assistance you require.

Thanks and regards,
Jaime Frey
UW-Madison Condor Team

Information forwarded to debian-bugs-dist@lists.debian.org, Condor Developers <condor-debian@cs.wisc.edu>: Bug#688210; Package condor. (Thu, 20 Sep 2012 17:51:03 GMT)

Acknowledgement sent to Michael Hanke <mih@debian.org>: Extra info received and forwarded to list. Copy sent to Condor Developers <condor-debian@cs.wisc.edu>. (Thu, 20 Sep 2012 17:51:03 GMT)

Message #15 received at 688210@bugs.debian.org:

Hi Moritz, hi Jaime,

On Thu, Sep 20, 2012 at 11:33:39AM -0500, Jaime Frey wrote:
> On Sep 20, 2012, at 5:50 AM, Moritz Muehlenhoff <jmm@inutil.org> wrote:
>
> > Package: condor
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Please see here for details:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3490
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3491
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3492
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3493
> >
>
> These security issues have been fixed in the just-released Condor 7.8.4.

Thanks for the notification -- I saw the release -- I'm on it.

> Michael, here are the commit hashes in the Condor git repo for the fixes:
> CVE-2012-3490: 94e84ce4
> CVE-2012-3491: 1fff5d40
> CVE-2012-3492: 1db67805
> CVE-2012-3493: d2f33972

Perfect! Thanks.

> For Debian testing, I believe we want to create a new Condor 7.8.2
> package with just these changes. Can you prepare that? I can offer
> whatever assistance you require.

I'll see what I can do tonight -- if everything runs smooth, I'll upload in a few hours. If not, I'll come back to you.

Thanks again,
Michael

--
Michael Hanke
http://mih.voxindeserto.de

Information forwarded to debian-bugs-dist@lists.debian.org, Condor Developers <condor-debian@cs.wisc.edu>: Bug#688210; Package condor. (Thu, 20 Sep 2012 18:48:06 GMT)

Acknowledgement sent to Michael Hanke <mih@debian.org>: Extra info received and forwarded to list. Copy sent to Condor Developers <condor-debian@cs.wisc.edu>. (Thu, 20 Sep 2012 18:48:06 GMT)

Message #20 received at 688210@bugs.debian.org:

On Thu, Sep 20, 2012 at 11:33:39AM -0500, Jaime Frey wrote:
> These security issues have been fixed in the just-released Condor 7.8.4.
>
> Michael, here are the commit hashes in the Condor git repo for the fixes:
> CVE-2012-3491: 1fff5d40
> CVE-2012-3493: d2f33972

These two do not apply cleanly against 7.8.2:

Applying patch Remove-unused-KILL_FRGN_JOB-DEACTIVATE_CLAIM_FORIBLY.patch
patching file src/condor_schedd.V6/schedd.cpp
Hunk #1 succeeded at 2961 with fuzz 1 (offset 94 lines).
Hunk #2 FAILED at 10251.
1 out of 2 hunks FAILED -- rejects in file src/condor_schedd.V6/schedd.cpp
patching file src/condor_schedd.V6/scheduler.h
Hunk #1 FAILED at 291.
1 out of 1 hunk FAILED -- rejects in file src/condor_schedd.V6/scheduler.h
Patch Remove-unused-KILL_FRGN_JOB-DEACTIVATE_CLAIM_FORIBLY.patch does not apply (enforce with -f)

Applying patch Remove-unused-GIVE_REQUEST_AD-command-from-the-start.patch
patching file src/condor_startd.V6/command.cpp
Hunk #1 succeeded at 624 (offset 79 lines).
patching file src/condor_startd.V6/command.h
Hunk #1 FAILED at 83.
1 out of 1 hunk FAILED -- rejects in file src/condor_startd.V6/command.h
patching file src/condor_startd.V6/startd_main.cpp
Hunk #1 succeeded at 267 (offset -6 lines).
Patch Remove-unused-GIVE_REQUEST_AD-command-from-the-start.patch does not apply (enforce with -f)

Before I dig deeper, could you please confirm that cherry-picking the four commits alone will fully address the security vulnerabilities? If that is the case, it seems that at least one more commit is missing.

Looking into the 7.8 branch in the condor repo, it seems that quite a bit more has happened -- a long list of bug fixes. I wonder (7.8 being a stable maintenance branch) whether it wouldn't be a better idea to aim for an upload of 7.8.4 as a whole. Is there something in it that is not a bugfix of some kind?

Cheers,
Michael

--
Michael Hanke
http://mih.voxindeserto.de

Information forwarded to debian-bugs-dist@lists.debian.org, Condor Developers <condor-debian@cs.wisc.edu>: Bug#688210; Package condor. (Thu, 20 Sep 2012 18:57:05 GMT)

Acknowledgement sent to Jaime Frey <jfrey@cs.wisc.edu>: Extra info received and forwarded to list. Copy sent to Condor Developers <condor-debian@cs.wisc.edu>. (Thu, 20 Sep 2012 18:57:05 GMT)

Message #25 received at 688210@bugs.debian.org:

On Sep 20, 2012, at 1:46 PM, Michael Hanke <mih@debian.org> wrote:

> On Thu, Sep 20, 2012 at 11:33:39AM -0500, Jaime Frey wrote:
>> These security issues have been fixed in the just-released Condor 7.8.4.
>>
>> Michael, here are the commit hashes in the Condor git repo for the fixes:
>> CVE-2012-3491: 1fff5d40
>> CVE-2012-3493: d2f33972
>
> These two do not apply cleanly against 7.8.2:
>
> Applying patch Remove-unused-KILL_FRGN_JOB-DEACTIVATE_CLAIM_FORIBLY.patch
> patching file src/condor_schedd.V6/schedd.cpp
> Hunk #1 succeeded at 2961 with fuzz 1 (offset 94 lines).
> Hunk #2 FAILED at 10251.
> 1 out of 2 hunks FAILED -- rejects in file src/condor_schedd.V6/schedd.cpp
> patching file src/condor_schedd.V6/scheduler.h
> Hunk #1 FAILED at 291.
> 1 out of 1 hunk FAILED -- rejects in file src/condor_schedd.V6/scheduler.h
> Patch Remove-unused-KILL_FRGN_JOB-DEACTIVATE_CLAIM_FORIBLY.patch does not apply (enforce with -f)
>
>
> Applying patch Remove-unused-GIVE_REQUEST_AD-command-from-the-start.patch
> patching file src/condor_startd.V6/command.cpp
> Hunk #1 succeeded at 624 (offset 79 lines).
> patching file src/condor_startd.V6/command.h
> Hunk #1 FAILED at 83.
> 1 out of 1 hunk FAILED -- rejects in file src/condor_startd.V6/command.h
> patching file src/condor_startd.V6/startd_main.cpp
> Hunk #1 succeeded at 267 (offset -6 lines).
> Patch Remove-unused-GIVE_REQUEST_AD-command-from-the-start.patch does not apply (enforce with -f)
>
>
> Before I dig deeper, could you please confirm that cherry-picking the
> four commits alone will fully address the security vulnerabilities? If
> that is the case, it seems that at least one more commit is missing.
>
> Looking into the 7.8 branch in the condor repo, it seems that quite a
> bit more has happened -- a long list of bug fixes. I wonder (7.8 being a
> stable maintenance branch) whether it wouldn't be a better idea to aim
> for an upload of 7.8.4 as a whole. Is there something in it that is not
> a bugfix of some kind?

The commits were made on the V7_6-branch, then merged into the V7_8-branch. We had to manually resolve conflicts during the merge, as the affected code had been modified during the 7.7.x series. Thus, there's no commit that can be cleanly cherry-picked. I can provide patch files that will apply cleanly.

We should certainly get Condor 7.8.4 into Unstable. It only contains bug fixes. I would prefer it if we could get it into Debian Testing as well, but I thought we were too far into the freeze for that.

Thanks and regards,
Jaime Frey
UW-Madison Condor Team

Information forwarded to debian-bugs-dist@lists.debian.org, Condor Developers <condor-debian@cs.wisc.edu>: Bug#688210; Package condor. (Fri, 21 Sep 2012 07:18:09 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Condor Developers <condor-debian@cs.wisc.edu>. (Fri, 21 Sep 2012 07:18:09 GMT)

Message #30 received at 688210@bugs.debian.org:

On Thu, Sep 20, 2012 at 01:55:52PM -0500, Jaime Frey wrote:
> The commits were made on the V7_6-branch, then merged into the V7_8-branch. We had to manually resolve conflicts during the merge, as the affected code had been modified during the 7.7.x series. Thus, there's no commit that can be cleanly cherry-picked. I can provide patch files that will apply cleanly.
>
> We should certainly get Condor 7.8.4 into Unstable. It only contains bug fixes. I would prefer it if we could get it into Debian Testing as well, but I thought we were too far into the freeze for that.

During the freeze it's preferred to upload a 7.8.2~dfsg.1-1+deb7u1 version to unstable, which only contains the isolated security fixes. This version can then be unblocked by the Debian release managers (by filing a bug against release.debian.org)

Cheers,
Moritz

Information forwarded to debian-bugs-dist@lists.debian.org, Condor Developers <condor-debian@cs.wisc.edu>: Bug#688210; Package condor. (Fri, 21 Sep 2012 11:42:03 GMT)

Acknowledgement sent to Michael Hanke <mih@debian.org>: Extra info received and forwarded to list. Copy sent to Condor Developers <condor-debian@cs.wisc.edu>. (Fri, 21 Sep 2012 11:42:03 GMT)

Message #35 received at 688210@bugs.debian.org:

[CC the release team to get an opinion on incorporating bugfixes from upstream stable/bugfix releases during the freeze]

On Fri, Sep 21, 2012 at 09:11:56AM +0200, Moritz Muehlenhoff wrote:
> On Thu, Sep 20, 2012 at 01:55:52PM -0500, Jaime Frey wrote:
> > The commits were made on the V7_6-branch, then merged into the
> > V7_8-branch. We had to manually resolve conflicts during the merge,
> > as the affected code had been modified during the 7.7.x series.
> > Thus, there's no commit that can be cleanly cherry-picked. I can
> > provide patch files that will apply cleanly.
> >
> > We should certainly get Condor 7.8.4 into Unstable. It only contains
> > bug fixes. I would prefer it if we could get it into Debian Testing
> > as well, but I thought we were too far into the freeze for that.
>
> During the freeze it's preferred to upload a 7.8.2~dfsg.1-1+deb7u1
> version to unstable, which only contains the isolated security fixes.
> This version can then be unblocked by the Debian release managers (by
> filing a bug against release.debian.org)

It is indeed preferred. However, while it makes perfect sense for many projects to use this as a stabilization method, I think the situation here is a little different. Condor uses a dual stable (even version) and development (odd version) branch system. The current stable release 7.8 has been uploaded to wheezy to not have problems with a development version in a stable Debian release. Every single update to the 7.8 branch is a bugfix-only release. If you look into the changelog you find:

    New Features: None.

for all 7.8.* releases after the one we have in wheezy right now. So the purpose of the branch is identical to the purpose of the wheezy freeze -- stabilization. In this particular case I find it difficult to see, why we would want one kind of bugfix but not the other. Especially at the cost of breaking stuff when having to backport the patches.

IMHO it makes perfect sense to base stabilization efforts for Condor in Debian wheezy atop of the continuous work on stabilizing Condor 7.8 done by the Condor development team (with pretty impressive man power).

Here is the current list of bugs we are not planning on fixing for wheezy when following the preferred procedure (excluding those already filed in the Debian BTS):

1. Fixed the condor_schedd daemon; it would crash when a submit description file contained a malformed $$() expansion macro that contained a period. (Ticket #3216).
2. Fixed a case in which a daemon could crash and leave behind a log file owned by root. This root-owned file would then cause subsequent attempts to restart the daemon to fail. (Ticket #2894).
3. Fixed a special case bug in which configuration variables defined utilizing initial substrings of $(DOLLAR), for example $(D) and $(DO), were not expanded properly. (Ticket #3217).
4. Fixed a bug in which usage of cgroups incorrectly included the page cache in the maximum memory usage. This bug fix is also included in Condor version 7.9.0. (Ticket #3003).
5. Jobs from a hook to fetch work, where the hook is defined by configuration variable <Keyword>_HOOK_FETCH_WORK, now correctly receive dynamic slots from a partitionable slot instead of claiming the entire partitionable slot. (Ticket #2819).
6. Fixed a bug in which a slot might become stuck in the Preempting state when a condor_startd is configured with a hook to fetch work, as defined by <Keyword>_HOOK_FETCH_WORK. (Ticket #3076).
7. Fixed a bug that caused Condor to transfer a job's input files from the execute machine back to the submit machine as if they were output files. This would happen if the job's input files were stored in Condor's spool directory; occurred if the job was submitted via Condor-C or via condor_submit with the -spool or -remote options. (Ticket #2406).
8. Fixed a bug that could cause the first grid-type cream jobs destined for a particular CREAM server to never be submitted to that server. This bug was probably introduced in Condor version 7.6.5. (Ticket #3054).
9. Fixed several problems with the XML parsing class ClassAdXMLParser in the ClassAds library:
   - Several methods named ParseClassAd() were declared, but never implemented. (Ticket #3049).
   - The parser silently dropped leading white space in string values. (Ticket #3042).
   - The parser could go into an infinite loop or leak memory when reading a malformed ClassAd XML document. (Ticket #3045).
10. Fixed a bug that prevented the -f command line option to condor_history from being recognized. The -f option was being interpreted as -forward. At least four letters are now required for the -forward option (-forw) to prevent ambiguity. (Ticket #3044).
11. The implementation of the condor_history -backwards option, which is the default ordering for reading the history file, in the 7.7 series did not work on Windows platforms. This has been fixed. (Ticket #3055).
12. Fixed a bug that caused an invalid proxy to be delegated when refreshing the job's X.509 proxy when configuration variable DELEGATE_JOB_GSI_CREDENTIALS_LIFETIME was set to 0. (Ticket #3059).
13. Fixed a bug in which DAGMan did not account properly for jobs being suspended and then unsuspended. (Ticket #3108).
14. condor_dagman now takes note of job reconnect failed events (event code 24) in the user log, for counting idle jobs. (Ticket #3189).
15. Job IDs generated by NorduGrid ARC 12.05 and above are now properly recognized. (Ticket #3062).
16. Fixed a bug in which Condor would not mark grid-type nordugrid jobs as Running due to variation in the format of the job status value. NorduGrid ARC job statuses of the form INLRMS: ? are now properly recognized both with and without the space after the colon. (Ticket #3118).
17. The condor_gridmanager now properly handles X.509 proxy files that are specified in the job ClassAd with a relative path name. (Ticket #3027).
18. Fixed a bug that caused daemon names, as set in configuration variables such as STARTD_NAME, containing a period character to be ignored. (Ticket #3172).
19. Fixed a bug that prevented the condor_schedd from removing old execute directories for local universe jobs on start up. (Ticket #3176).
20. The condor_defrag daemon sometimes scheduled fewer draining attempts than specified. (Ticket #3199).
21. Fixed a bug that could cause the condor_gridmanager to crash if a grid universe job's X.509 user certificate did not contain an e-mail address. (Ticket #3203).
22. Fixed a bug introduced in Condor version 7.7.5 that caused multiple condor_schedd daemons running on the same machine to share the job queue with each other due to the way in which the default value of configuration variable JOB_QUEUE_LOG was set. (Ticket #3196).
23. Fixed a bug that could cause condor_q to not print all jobs when it thought it was querying an old condor_schedd daemon. (Ticket #3206).
24. Fixed a bug that could cause a job's standard output and standard error files to be written in the job's initial working directory, despite the submit description file's specification to write them to a different directory. This would happen when the file transfer mechanism was used, the execution machine was running Condor version 7.7.1 or earlier, and either Condor's security negotiation was disabled or the configuration variable SEC_ENABLE_MATCH_PASSWORD_AUTHENTICATION was set to True. (Ticket #3208).
25. The log message generated when the EXECUTE directory is missing is now more helpful. (Ticket #3194).
26. The load average was incorrect for non-English versions on Windows platforms. This has been fixed for Windows Vista and more recent versions. (Ticket #3182).
27. The command condor_q -run now displays correct HOST field information for local universe jobs. (Ticket #3150).

Given these facts, and unless someone convinces me otherwise, I'm inclined to upload Condor 7.8.4 with all the bugfixes to unstable. All the sites I have talked to that use the Debian Condor package have no interest in testing a version that has known but unfixed bugs.

If the release team objects to a transition of this package into wheezy, a security-fix-only version could go through proposed-updates. The reduction in testing exposure for this package from by-passing unstable is probably negligible anyway.

Cheers,
Michael

--
Michael Hanke
http://mih.voxindeserto.de

Reply sent to Michael Hanke <mih@debian.org>: You have taken responsibility. (Sat, 22 Sep 2012 07:51:06 GMT)

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Sat, 22 Sep 2012 07:51:06 GMT)

Message #40 received at 688210-close@bugs.debian.org:

Source: condor
Source-Version: 7.8.4~dfsg.1-1

We believe that the bug you reported is fixed in the latest version of condor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 688210@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Hanke <mih@debian.org> (supplier of updated condor package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)

Format: 1.8
Date: Fri, 21 Sep 2012 20:56:32 +0200
Source: condor
Binary: condor condor-dev condor-doc condor-dbg libclassad-dev libclassad3
Architecture: source amd64 all
Version: 7.8.4~dfsg.1-1
Distribution: experimental
Urgency: low
Maintainer: Condor Developers <condor-debian@cs.wisc.edu>
Changed-By: Michael Hanke <mih@debian.org>
Description:
 condor - distributed workload management system
 condor-dbg - distributed workload management system - debugging symbols
 condor-dev - distributed workload management system - development files
 condor-doc - distributed workload management system - documentation
 libclassad-dev - Condor classads expression language - development library
 libclassad3 - Condor classads expression language - runtime library
Closes: 685892 688210
Changes:
 condor (7.8.4~dfsg.1-1) experimental; urgency=low
 .
   * New upstream bug fix release (missed 7.8.3). This release addresses four security-related issues, as well as numerous other bug fixes (Closes: #688210):
     - Security Item: Some code that was no longer used was removed. The presence of this code could expose information which would allow an attacker to control another user's job. (CVE-2012-3493)
     - Security Item: Some code that was no longer used was removed. The presence of this code could have led to a Denial-of-Service attack which would allow an attacker to remove another user's idle job. (CVE-2012-3491)
     - Security Item: Filesystem (FS) authentication was improved to check the UNIX permissions of the directory used for authentication. Without this, an attacker may have been able to impersonate another submitter on the same submit machine. (CVE-2012-3492)
     - Security Item: Although not user-visible, there were multiple updates to remove places in the code where potential buffer overruns could occur, thus removing potential attacks. None were known to be exploitable.
     - Security Item: Although not user-visible, there were updates to the code to improve error checking of system calls, removing some potential security threats. None were known to be exploitable.
     - The full changelog listing numerous additional bugs is available at http://research.cs.wisc.edu/condor/manual/v7.8/9_3Stable_Release.html
   * Added patch to fix a FTBFS on alpha, due to missing getpid syscall. Courtesy of Michael Cree <mcree@orcon.net.nz> (Closes: #685892).

Reply sent to Michael Hanke <mih@debian.org>: You have taken responsibility. (Wed, 26 Sep 2012 21:06:08 GMT)

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Wed, 26 Sep 2012 21:06:08 GMT)

Message #45 received at 688210-close@bugs.debian.org:

Source: condor
Source-Version: 7.8.2~dfsg.1-1+deb7u1

We believe that the bug you reported is fixed in the latest version of condor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 688210@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Hanke <mih@debian.org> (supplier of updated condor package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)

Format: 1.8
Date: Wed, 26 Sep 2012 16:10:17 +0200
Source: condor
Binary: condor condor-dev condor-doc condor-dbg libclassad-dev libclassad3
Architecture: source amd64 all
Version: 7.8.2~dfsg.1-1+deb7u1
Distribution: unstable
Urgency: high
Maintainer: Condor Developers <condor-debian@cs.wisc.edu>
Changed-By: Michael Hanke <mih@debian.org>
Description:
 condor - distributed workload management system
 condor-dbg - distributed workload management system - debugging symbols
 condor-dev - distributed workload management system - development files
 condor-doc - distributed workload management system - documentation
 libclassad-dev - Condor classads expression language - development library
 libclassad3 - Condor classads expression language - runtime library
Closes: 688210
Changes:
 condor (7.8.2~dfsg.1-1+deb7u1) unstable; urgency=high
 .
   * Security update. This release addresses four CVE issues (Closes: #688210):
     - Security Item: Some code that was no longer used was removed. The presence of this code could expose information which would allow an attacker to control another user's job. (CVE-2012-3493)
     - Security Item: Some code that was no longer used was removed. The presence of this code could have led to a Denial-of-Service attack which would allow an attacker to remove another user's idle job. (CVE-2012-3491)
     - Security Item: Filesystem (FS) authentication was improved to check the UNIX permissions of the directory used for authentication. Without this, an attacker may have been able to impersonate another submitter on the same submit machine. (CVE-2012-3492)
     - Security item: Check setuid return value (CVE-2012-3490)
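
An added example, not part of the bug log and not HTCondor's code: a server-side check of the kind the CVE-2012-3492 changelog entry above describes, assuming a scheme in which a local peer proves its identity by creating a directory that the server then inspects. The function name, the result codes, the required mode 0700 and the /tmp paths are assumptions made for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* lstat, mkdtemp, symlink */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result codes; not taken from HTCondor. */
enum auth_dir_result {
    AUTH_DIR_OK = 0,
    AUTH_DIR_STAT_FAILED,
    AUTH_DIR_NOT_A_DIRECTORY,
    AUTH_DIR_WRONG_OWNER,
    AUTH_DIR_BAD_MODE
};

/* Assumed policy: the proof directory must be exactly rwx------. */
#define AUTH_DIR_REQUIRED_MODE 0700

/* Decide whether the directory at `path` is acceptable proof that the
 * peer runs as `claimed_uid`. */
enum auth_dir_result check_auth_dir(const char *path, uid_t claimed_uid)
{
    struct stat st;

    /* lstat() inspects the path itself, so a symlink pointing at another
     * user's directory is seen as a symlink, not as that directory. */
    if (lstat(path, &st) != 0)
        return AUTH_DIR_STAT_FAILED;
    if (!S_ISDIR(st.st_mode))
        return AUTH_DIR_NOT_A_DIRECTORY;
    /* Ownership is the identity claim being verified. */
    if (st.st_uid != claimed_uid)
        return AUTH_DIR_WRONG_OWNER;
    /* Ownership alone is not accepted: all twelve permission bits
     * (rwx for user/group/other plus setuid, setgid, sticky) must match
     * the required mode. */
    if ((st.st_mode & 07777) != AUTH_DIR_REQUIRED_MODE)
        return AUTH_DIR_BAD_MODE;
    return AUTH_DIR_OK;
}

static const char *result_name(enum auth_dir_result r)
{
    switch (r) {
    case AUTH_DIR_OK:              return "accepted";
    case AUTH_DIR_STAT_FAILED:     return "rejected: cannot stat";
    case AUTH_DIR_NOT_A_DIRECTORY: return "rejected: not a directory";
    case AUTH_DIR_WRONG_OWNER:     return "rejected: wrong owner";
    case AUTH_DIR_BAD_MODE:        return "rejected: unexpected mode";
    }
    return "rejected";
}

int main(void)
{
    char tmpl[] = "/tmp/fsauth_demo_XXXXXX";  /* constructed sample input */
    char link_path[64];
    uid_t me = geteuid();
    char *dir = mkdtemp(tmpl);

    if (dir == NULL) {
        perror("mkdtemp");
        return 1;
    }

    chmod(dir, 0700);
    printf("mode 0700, own uid:   %s\n", result_name(check_auth_dir(dir, me)));
    printf("mode 0700, other uid: %s\n", result_name(check_auth_dir(dir, me + 1)));

    chmod(dir, 0755);
    printf("mode 0755, own uid:   %s\n", result_name(check_auth_dir(dir, me)));
    chmod(dir, 0700);

    snprintf(link_path, sizeof link_path, "%s.lnk", dir);
    if (symlink(dir, link_path) == 0) {
        printf("symlink to the dir:   %s\n",
               result_name(check_auth_dir(link_path, me)));
        unlink(link_path);
    }

    rmdir(dir);
    return 0;
}
```
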

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 27 Oct 2012 07:25:30 GMT)