condor: Multiple security issues

Related Vulnerabilities: CVE-2012-3490   CVE-2012-3491   CVE-2012-3492   CVE-2012-3493  

Debian Bug report logs - #688210

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 20 Sep 2012 10:57:01 UTC

Severity: grave

Tags: security

Fixed in versions condor/7.8.4~dfsg.1-1, condor/7.8.2~dfsg.1-1+deb7u1

Done: Michael Hanke <mih@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Condor Developers <condor-debian@cs.wisc.edu>:
Bug#688210; Package condor. (Thu, 20 Sep 2012 10:57:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Condor Developers <condor-debian@cs.wisc.edu>. (Thu, 20 Sep 2012 10:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: condor: Multiple security issues
Date: Thu, 20 Sep 2012 12:50:40 +0200

Package: condor
Severity: grave
Tags: security
Justification: user security hole

Please see here for details:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3490
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3491
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3492
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3493

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Condor Developers <condor-debian@cs.wisc.edu>:
Bug#688210; Package condor. (Thu, 20 Sep 2012 17:00:13 GMT)


Acknowledgement sent to Jaime Frey <jfrey@cs.wisc.edu>:
Extra info received and forwarded to list. Copy sent to Condor Developers <condor-debian@cs.wisc.edu>. (Thu, 20 Sep 2012 17:00:13 GMT)


Message #10 received at 688210@bugs.debian.org:

From: Jaime Frey <jfrey@cs.wisc.edu>
To: Moritz Muehlenhoff <jmm@inutil.org>, 688210@bugs.debian.org
Cc: Michael Hanke <mih@debian.org>
Subject: Re: [condor-debian] Bug#688210: condor: Multiple security issues
Date: Thu, 20 Sep 2012 11:33:39 -0500

On Sep 20, 2012, at 5:50 AM, Moritz Muehlenhoff <jmm@inutil.org> wrote:

> Package: condor
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Please see here for details:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3490
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3491
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3492
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3493


These security issues have been fixed in the just-released Condor 7.8.4.

Michael, here are the commit hashes in the Condor git repo for the fixes:
CVE-2012-3490: 94e84ce4
CVE-2012-3491: 1fff5d40
CVE-2012-3492: 1db67805
CVE-2012-3493: d2f33972

For Debian testing, I believe we want to create a new Condor 7.8.2 package with just these changes. Can you prepare that? I can offer whatever assistance you require.

Thanks and regards,
Jaime Frey
UW-Madison Condor Team




Information forwarded to debian-bugs-dist@lists.debian.org, Condor Developers <condor-debian@cs.wisc.edu>:
Bug#688210; Package condor. (Thu, 20 Sep 2012 17:51:03 GMT)


Acknowledgement sent to Michael Hanke <mih@debian.org>:
Extra info received and forwarded to list. Copy sent to Condor Developers <condor-debian@cs.wisc.edu>. (Thu, 20 Sep 2012 17:51:03 GMT)


Message #15 received at 688210@bugs.debian.org:

From: Michael Hanke <mih@debian.org>
To: Jaime Frey <jfrey@cs.wisc.edu>, 688210@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: Bug#688210: [condor-debian] Bug#688210: condor: Multiple security issues
Date: Thu, 20 Sep 2012 19:47:21 +0200

Hi Moritz, hi Jaime,

On Thu, Sep 20, 2012 at 11:33:39AM -0500, Jaime Frey wrote:
> On Sep 20, 2012, at 5:50 AM, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> 
> > Package: condor
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > Please see here for details:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3490
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3491
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3492
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3493
> 
> 
> These security issues have been fixed in the just-released Condor 7.8.4.

Thanks for the notification -- I saw the release -- I'm on it.

> Michael, here are the commit hashes in the Condor git repo for the fixes:
> CVE-2012-3490: 94e84ce4
> CVE-2012-3491: 1fff5d40
> CVE-2012-3492: 1db67805
> CVE-2012-3493: d2f33972

Perfect! Thanks.

> For Debian testing, I believe we want to create a new Condor 7.8.2
> package with just these changes. Can you prepare that? I can offer
> whatever assistance you require.

I'll see what I can do tonight -- if everything runs smooth, I'll upload
in a few hours. If not, I'll come back to you.

Thanks again,

Michael

-- 
Michael Hanke
http://mih.voxindeserto.de



Information forwarded to debian-bugs-dist@lists.debian.org, Condor Developers <condor-debian@cs.wisc.edu>:
Bug#688210; Package condor. (Thu, 20 Sep 2012 18:48:06 GMT)


Acknowledgement sent to Michael Hanke <mih@debian.org>:
Extra info received and forwarded to list. Copy sent to Condor Developers <condor-debian@cs.wisc.edu>. (Thu, 20 Sep 2012 18:48:06 GMT)


Message #20 received at 688210@bugs.debian.org:

From: Michael Hanke <mih@debian.org>
To: Jaime Frey <jfrey@cs.wisc.edu>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 688210@bugs.debian.org
Subject: Re: Bug#688210: condor: Multiple security issues
Date: Thu, 20 Sep 2012 20:46:13 +0200

On Thu, Sep 20, 2012 at 11:33:39AM -0500, Jaime Frey wrote:
> These security issues have been fixed in the just-released Condor 7.8.4.
> 
> Michael, here are the commit hashes in the Condor git repo for the fixes:
> CVE-2012-3491: 1fff5d40
> CVE-2012-3493: d2f33972

These two do not apply cleanly against 7.8.2:

Applying patch Remove-unused-KILL_FRGN_JOB-DEACTIVATE_CLAIM_FORIBLY.patch
patching file src/condor_schedd.V6/schedd.cpp
Hunk #1 succeeded at 2961 with fuzz 1 (offset 94 lines).
Hunk #2 FAILED at 10251.
1 out of 2 hunks FAILED -- rejects in file src/condor_schedd.V6/schedd.cpp
patching file src/condor_schedd.V6/scheduler.h
Hunk #1 FAILED at 291.
1 out of 1 hunk FAILED -- rejects in file src/condor_schedd.V6/scheduler.h
Patch Remove-unused-KILL_FRGN_JOB-DEACTIVATE_CLAIM_FORIBLY.patch does not apply (enforce with -f)


Applying patch Remove-unused-GIVE_REQUEST_AD-command-from-the-start.patch
patching file src/condor_startd.V6/command.cpp
Hunk #1 succeeded at 624 (offset 79 lines).
patching file src/condor_startd.V6/command.h
Hunk #1 FAILED at 83.
1 out of 1 hunk FAILED -- rejects in file src/condor_startd.V6/command.h
patching file src/condor_startd.V6/startd_main.cpp
Hunk #1 succeeded at 267 (offset -6 lines).
Patch Remove-unused-GIVE_REQUEST_AD-command-from-the-start.patch does not apply (enforce with -f)


Before I dig deeper, could you please confirm that cherry-picking the
four commits alone will fully address the security vulnerabilities? If
that is the case, it seems that at least one more commit is missing.

Looking into the 7.8 branch in the condor repo, it seems that quite a
bit more has happened -- a long list of bug fixes. I wonder (7.8 being a
stable maintenance branch) whether it wouldn't be a better idea to aim
for an upload of 7.8.4 as a whole. Is there something in it that is not
a bugfix of some kind?

Cheers,

Michael

-- 
Michael Hanke
http://mih.voxindeserto.de



Information forwarded to debian-bugs-dist@lists.debian.org, Condor Developers <condor-debian@cs.wisc.edu>:
Bug#688210; Package condor. (Thu, 20 Sep 2012 18:57:05 GMT)


Acknowledgement sent to Jaime Frey <jfrey@cs.wisc.edu>:
Extra info received and forwarded to list. Copy sent to Condor Developers <condor-debian@cs.wisc.edu>. (Thu, 20 Sep 2012 18:57:05 GMT)


Message #25 received at 688210@bugs.debian.org:

From: Jaime Frey <jfrey@cs.wisc.edu>
To: Michael Hanke <mih@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 688210@bugs.debian.org
Subject: Re: Bug#688210: condor: Multiple security issues
Date: Thu, 20 Sep 2012 13:55:52 -0500

On Sep 20, 2012, at 1:46 PM, Michael Hanke <mih@debian.org> wrote:

> On Thu, Sep 20, 2012 at 11:33:39AM -0500, Jaime Frey wrote:
>> These security issues have been fixed in the just-released Condor 7.8.4.
>> 
>> Michael, here are the commit hashes in the Condor git repo for the fixes:
>> CVE-2012-3491: 1fff5d40
>> CVE-2012-3493: d2f33972
> 
> These two do not apply cleanly against 7.8.2:
> 
> Applying patch Remove-unused-KILL_FRGN_JOB-DEACTIVATE_CLAIM_FORIBLY.patch
> patching file src/condor_schedd.V6/schedd.cpp
> Hunk #1 succeeded at 2961 with fuzz 1 (offset 94 lines).
> Hunk #2 FAILED at 10251.
> 1 out of 2 hunks FAILED -- rejects in file src/condor_schedd.V6/schedd.cpp
> patching file src/condor_schedd.V6/scheduler.h
> Hunk #1 FAILED at 291.
> 1 out of 1 hunk FAILED -- rejects in file src/condor_schedd.V6/scheduler.h
> Patch Remove-unused-KILL_FRGN_JOB-DEACTIVATE_CLAIM_FORIBLY.patch does not apply (enforce with -f)
> 
> 
> Applying patch Remove-unused-GIVE_REQUEST_AD-command-from-the-start.patch
> patching file src/condor_startd.V6/command.cpp
> Hunk #1 succeeded at 624 (offset 79 lines).
> patching file src/condor_startd.V6/command.h
> Hunk #1 FAILED at 83.
> 1 out of 1 hunk FAILED -- rejects in file src/condor_startd.V6/command.h
> patching file src/condor_startd.V6/startd_main.cpp
> Hunk #1 succeeded at 267 (offset -6 lines).
> Patch Remove-unused-GIVE_REQUEST_AD-command-from-the-start.patch does not apply (enforce with -f)
> 
> 
> Before I dig deeper, could you please confirm that cherry-picking the
> four commits alone will fully address the security vulnerabilities? If
> that is the case, it seems that at least one more commit is missing.
> 
> Looking into the 7.8 branch in the condor repo, it seems that quite a
> bit more has happened -- a long list of bug fixes. I wonder (7.8 being a
> stable maintenance branch) whether it wouldn't be a better idea to aim
> for an upload of 7.8.4 as a whole. Is there something in it that is not
> a bugfix of some kind?


The commits were made on the V7_6-branch, then merged into the V7_8-branch. We had to manually resolve conflicts during the merge, as the affected code had been modified during the 7.7.x series. Thus, there's no commit that can be cleanly cherry-picked. I can provide patch files that will apply cleanly.

We should certainly get Condor 7.8.4 into Unstable. It only contains bug fixes. I would prefer it if we could get it into Debian Testing as well, but I thought we were too far into the freeze for that.

Thanks and regards,
Jaime Frey
UW-Madison Condor Team




Information forwarded to debian-bugs-dist@lists.debian.org, Condor Developers <condor-debian@cs.wisc.edu>:
Bug#688210; Package condor. (Fri, 21 Sep 2012 07:18:09 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Condor Developers <condor-debian@cs.wisc.edu>. (Fri, 21 Sep 2012 07:18:09 GMT)


Message #30 received at 688210@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Jaime Frey <jfrey@cs.wisc.edu>
Cc: Michael Hanke <mih@debian.org>, 688210@bugs.debian.org
Subject: Re: Bug#688210: condor: Multiple security issues
Date: Fri, 21 Sep 2012 09:11:56 +0200

On Thu, Sep 20, 2012 at 01:55:52PM -0500, Jaime Frey wrote:
> The commits were made on the V7_6-branch, then merged into the V7_8-branch. We had to manually resolve conflicts during the merge, as the affected code had been modified during the 7.7.x series. Thus, there's no commit that can be cleanly cherry-picked. I can provide patch files that will apply cleanly.
> 
> We should certainly get Condor 7.8.4 into Unstable. It only contains bug fixes. I would prefer it if we could get it into Debian Testing as well, but I thought we were too far into the freeze for that.

During the freeze it's preferred to upload a 7.8.2~dfsg.1-1+deb7u1 version to unstable,
which only contains the isolated security fixes. This version can then be unblocked
by the Debian release managers (by filing a bug against release.debian.org)

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Condor Developers <condor-debian@cs.wisc.edu>:
Bug#688210; Package condor. (Fri, 21 Sep 2012 11:42:03 GMT)


Acknowledgement sent to Michael Hanke <mih@debian.org>:
Extra info received and forwarded to list. Copy sent to Condor Developers <condor-debian@cs.wisc.edu>. (Fri, 21 Sep 2012 11:42:03 GMT)


Message #35 received at 688210@bugs.debian.org:

From: Michael Hanke <mih@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Jaime Frey <jfrey@cs.wisc.edu>, 688210@bugs.debian.org, debian-release <debian-release@lists.debian.org>
Subject: Re: Bug#688210: condor: Multiple security issues
Date: Fri, 21 Sep 2012 13:40:13 +0200

[CC the release team to get an opinion on incorporating bugfixes
 from upstream stable/bugfix releases during the freeze]

On Fri, Sep 21, 2012 at 09:11:56AM +0200, Moritz Muehlenhoff wrote:
> On Thu, Sep 20, 2012 at 01:55:52PM -0500, Jaime Frey wrote:
> > The commits were made on the V7_6-branch, then merged into the
> > V7_8-branch. We had to manually resolve conflicts during the merge,
> > as the affected code had been modified during the 7.7.x series.
> > Thus, there's no commit that can be cleanly cherry-picked. I can
> > provide patch files that will apply cleanly.
> > 
> > We should certainly get Condor 7.8.4 into Unstable. It only contains
> > bug fixes. I would prefer it if we could get it into Debian Testing
> > as well, but I thought we were too far into the freeze for that.
> 
> During the freeze it's preferred to upload a 7.8.2~dfsg.1-1+deb7u1
> version to unstable, which only contains the isolated security fixes.
> This version can then be unblocked by the Debian release managers (by
> filing a bug against release.debian.org)

It is indeed preferred. However, while it makes perfect sense for many
projects to use this as a stabilization method, I think the situation
here is a little different.

Condor uses a dual stable (even version) and development (odd version)
branch system. The current stable release 7.8 has been uploaded to
wheezy to not have problems with a development version in a stable
Debian release. Every single update to the 7.8 branch is a bugfix-only
release. If you look into the changelog you find:

	New Features:
	  None.

for all 7.8.* releases after the one we have in wheezy right now. So the
purpose of the branch is identical to the purpose of the wheezy freeze
-- stabilization. In this particular case I find it difficult to see,
why we would want one kind of bugfix but not the other. Especially at
the cost of breaking stuff when having to backport the patches.

IMHO it makes perfect sense to base stabilization efforts for Condor in
Debian wheezy atop of the continuous work on stabilizing Condor 7.8 done
by the Condor development team (with pretty impressive man power).

Here is the current list of bugs we are not planning on fixing for
wheezy when following the preferred procedure (excluding those already
filed in the Debian BTS):

1. Fixed the condor_schedd daemon; it would crash when a submit description
   file contained a malformed $$() expansion macro that contained a period.
   (Ticket #3216).
2. Fixed a case in which a daemon could crash and leave behind a log file
   owned by root. This root-owned file would then cause subsequent attempts
   to restart the daemon to fail. (Ticket #2894).
3. Fixed a special case bug in which configuration variables defined utilizing
   initial substrings of $(DOLLAR), for example $(D) and $(DO), were not
   expanded properly. (Ticket #3217).
4. Fixed a bug in which usage of cgroups incorrectly included the page cache
   in the maximum memory usage. This bug fix is also included in Condor version
   7.9.0. (Ticket #3003).
5. Jobs from a hook to fetch work, where the hook is defined by configuration
   variable <Keyword>_HOOK_FETCH_WORK, now correctly receive dynamic slots
   from a partitionable slot instead of claiming the entire partitionable slot.
   (Ticket #2819).
6. Fixed a bug in which a slot might become stuck in the Preempting state when
   a condor_startd is configured with a hook to fetch work, as defined by
   <Keyword>_HOOK_FETCH_WORK . (Ticket #3076).
7. Fixed a bug that caused Condor to transfer a job's input files from the
   execute machine back to the submit machine as if they were output files.
   This would happen if the job's input files were stored in Condor's spool
   directory; occurred if the job was submitted via Condor-C or via
   condor_submit with the -spool or -remote options. (Ticket #2406).
8. Fixed a bug that could cause the first grid-type cream jobs destined for a
   particular CREAM server to never be submitted to that server. This bug was
   probably introduced in Condor version 7.6.5. (Ticket #3054).
9. Fixed several problems with the XML parsing class ClassAdXMLParser in the
   ClassAds library:
   - Several methods named ParseClassAd() were declared, but never implemented.
     (Ticket #3049).
   - The parser silently dropped leading white space in string values.
     (Ticket #3042).
   - The parser could go into an infinite loop or leak memory when reading a
     malformed ClassAd XML document. (Ticket #3045).
10. Fixed a bug that prevented the -f command line option to condor_history
    from being recognized. The -f option was being interpreted as -forward. At
    least four letters are now required for the -forward option (-forw) to
    prevent ambiguity. (Ticket #3044).
11. The implementation of the condor_history -backwards option, which is the
    default ordering for reading the history file, in the 7.7 series did not
    work on Windows platforms. This has been fixed. (Ticket #3055).
12. Fixed a bug that caused an invalid proxy to be delegated when refreshing
    the job's X.509 proxy when configuration variable
    DELEGATE_JOB_GSI_CREDENTIALS_LIFETIME was set to 0. (Ticket #3059).
13. Fixed a bug in which DAGMan did not account properly for jobs being
    suspended and then unsuspended. (Ticket #3108).
14. condor_dagman now takes note of job reconnect failed events (event code 24)
    in the user log, for counting idle jobs. (Ticket #3189).
15. Job IDs generated by NorduGrid ARC 12.05 and above are now properly
    recognized. (Ticket #3062).
16. Fixed a bug in which Condor would not mark grid-type nordugrid jobs as
    Running due to variation in the format of the job status value. NorduGrid
    ARC job statuses of the form INLRMS: ? are now properly recognized both
    with and without the space after the colon. (Ticket #3118).
17. The condor_gridmanager now properly handles X.509 proxy files that are
    specified in the job ClassAd with a relative path name. (Ticket #3027).
18. Fixed a bug that caused daemon names, as set in configuration variables
    such as STARTD_NAME, containing a period character to be ignored.
    (Ticket #3172).
19. Fixed a bug that prevented the condor_schedd from removing old execute
    directories for local universe jobs on start up. (Ticket #3176).
20. The condor_defrag daemon sometimes scheduled fewer draining attempts
    than specified. (Ticket #3199).
21. Fixed a bug that could cause the condor_gridmanager to crash if a grid
    universe job's X.509 user certificate did not contain an e-mail address.
    (Ticket #3203).
22. Fixed a bug introduced in Condor version 7.7.5 that caused multiple
    condor_schedd daemons running on the same machine to share the job queue
    with each other due to the way in which the default value of configuration
    variable JOB_QUEUE_LOG was set. (Ticket #3196).
23. Fixed a bug that could cause condor_q to not print all jobs when it
    thought it was querying an old condor_schedd daemon. (Ticket #3206).
24. Fixed a bug that could cause a job's standard output and standard error
    files to be written in the job's initial working directory, despite the
    submit description file's specification to write them to a different
    directory. This would happen when the file transfer mechanism was used,
    the execution machine was running Condor version 7.7.1 or earlier, and
    either Condor's security negotiation was disabled or the configuration
    variable SEC_ENABLE_MATCH_PASSWORD_AUTHENTICATION was set to True.
    (Ticket #3208).
25. The log message generated when the EXECUTE directory is missing is now
    more helpful. (Ticket #3194).
26. The load average was incorrect for non-English versions on Windows
    platforms. This has been fixed for Windows Vista and more recent versions.
    (Ticket #3182).
27. The command condor_q -run now displays correct HOST field information for
    local universe jobs. (Ticket #3150).


Given these facts, and unless someone convinces me otherwise, I'm
inclined to upload Condor 7.8.4 with all the bugfixes to unstable. All
the sites I have talked to that use the Debian Condor package have no
interest in testing a version that has known but unfixed bugs. If the
release team objects to a transition of this package into wheezy, a
security-fix-only version could go through proposed-updates. The
reduction in testing exposure for this package from by-passing unstable
is probably negligible anyway.


Cheers,

Michael

-- 
Michael Hanke
http://mih.voxindeserto.de



Reply sent to Michael Hanke <mih@debian.org>:
You have taken responsibility. (Sat, 22 Sep 2012 07:51:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 22 Sep 2012 07:51:06 GMT)


Message #40 received at 688210-close@bugs.debian.org:

From: Michael Hanke <mih@debian.org>
To: 688210-close@bugs.debian.org
Subject: Bug#688210: fixed in condor 7.8.4~dfsg.1-1
Date: Sat, 22 Sep 2012 07:47:45 +0000

Source: condor
Source-Version: 7.8.4~dfsg.1-1

We believe that the bug you reported is fixed in the latest version of
condor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 688210@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Hanke <mih@debian.org> (supplier of updated condor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 21 Sep 2012 20:56:32 +0200
Source: condor
Binary: condor condor-dev condor-doc condor-dbg libclassad-dev libclassad3
Architecture: source amd64 all
Version: 7.8.4~dfsg.1-1
Distribution: experimental
Urgency: low
Maintainer: Condor Developers <condor-debian@cs.wisc.edu>
Changed-By: Michael Hanke <mih@debian.org>
Description: 
 condor     - distributed workload management system
 condor-dbg - distributed workload management system - debugging symbols
 condor-dev - distributed workload management system - development files
 condor-doc - distributed workload management system - documentation
 libclassad-dev - Condor classads expression language - development library
 libclassad3 - Condor classads expression language - runtime library
Closes: 685892 688210
Changes: 
 condor (7.8.4~dfsg.1-1) experimental; urgency=low
 .
   * New upstream bug fix release (missed 7.8.3). This release addresses four
     security-related issues, as well as numerous other bug fixes
     (Closes: #688210):
     - Security Item: Some code that was no longer used was removed. The presence
       of this code could expose information which would allow an attacker to
       control another user's job. (CVE-2012-3493)
     - Security Item: Some code that was no longer used was removed. The presence
       of this code could have led to a Denial-of-Service attack which would
       allow an attacker to remove another user's idle job. (CVE-2012-3491)
     - Security Item: Filesystem (FS) authentication was improved to check the
       UNIX permissions of the directory used for authentication. Without this,
       an attacker may have been able to impersonate another submitter on the
       same submit machine. (CVE-2012-3492)
     - Security Item: Although not user-visible, there were multiple updates to
       remove places in the code where potential buffer overruns could occur,
       thus removing potential attacks. None were known to be exploitable.
     - Security Item: Although not user-visible, there were updates to the code
       to improve error checking of system calls, removing some potential
       security threats. None were known to be exploitable.
     - The full changelog listing numerous additional bugs is available at
       http://research.cs.wisc.edu/condor/manual/v7.8/9_3Stable_Release.html
   * Added patch to fix a FTBFS on alpha, due to missing getpid syscall.
     Courtesy of Michael Cree <mcree@orcon.net.nz> (Closes: #685892).




Reply sent to Michael Hanke <mih@debian.org>:
You have taken responsibility. (Wed, 26 Sep 2012 21:06:08 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 26 Sep 2012 21:06:08 GMT)


Message #45 received at 688210-close@bugs.debian.org:

From: Michael Hanke <mih@debian.org>
To: 688210-close@bugs.debian.org
Subject: Bug#688210: fixed in condor 7.8.2~dfsg.1-1+deb7u1
Date: Wed, 26 Sep 2012 21:02:51 +0000

Source: condor
Source-Version: 7.8.2~dfsg.1-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
condor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 688210@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Hanke <mih@debian.org> (supplier of updated condor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 26 Sep 2012 16:10:17 +0200
Source: condor
Binary: condor condor-dev condor-doc condor-dbg libclassad-dev libclassad3
Architecture: source amd64 all
Version: 7.8.2~dfsg.1-1+deb7u1
Distribution: unstable
Urgency: high
Maintainer: Condor Developers <condor-debian@cs.wisc.edu>
Changed-By: Michael Hanke <mih@debian.org>
Description: 
 condor     - distributed workload management system
 condor-dbg - distributed workload management system - debugging symbols
 condor-dev - distributed workload management system - development files
 condor-doc - distributed workload management system - documentation
 libclassad-dev - Condor classads expression language - development library
 libclassad3 - Condor classads expression language - runtime library
Closes: 688210
Changes: 
 condor (7.8.2~dfsg.1-1+deb7u1) unstable; urgency=high
 .
   * Security update. This release addresses four CVE issues (Closes: #688210):
     - Security Item: Some code that was no longer used was removed. The presence
       of this code could expose information which would allow an attacker to
       control another user's job. (CVE-2012-3493)
     - Security Item: Some code that was no longer used was removed. The presence
       of this code could have led to a Denial-of-Service attack which would
       allow an attacker to remove another user's idle job. (CVE-2012-3491)
     - Security Item: Filesystem (FS) authentication was improved to check the
       UNIX permissions of the directory used for authentication. Without this,
       an attacker may have been able to impersonate another submitter on the
       same submit machine. (CVE-2012-3492)
     - Security item: Check setuid return value (CVE-2012-3490)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 27 Oct 2012 07:25:30 GMT)
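
The changelog entries above describe the CVE-2012-3492 fix as checking the UNIX permissions of the directory used for filesystem (FS) authentication. The following C code is an added example, not Condor's code and not part of this bug log; it assumes a scheme in which the directory's owner is taken as the peer's identity, and the names `check_auth_dir`, `demo_dir_case` and `demo_symlink_case`, the result codes and the "exactly 0700" policy are hypothetical.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* lstat(), mkdtemp(), symlink() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes (hypothetical names for this example). */
enum auth_dir_result {
    AUTH_DIR_OK = 0,
    AUTH_DIR_MISSING,   /* lstat() failed: nothing to inspect */
    AUTH_DIR_NOT_DIR,   /* symlink, regular file, ... */
    AUTH_DIR_BAD_MODE   /* permission bits are not exactly 0700 */
};

/*
 * Decide whether `path` may be used as proof of identity.
 * Ownership alone is weak evidence, so the directory must also be
 * private to its owner. On success the owner is stored in *owner_out.
 */
int check_auth_dir(const char *path, uid_t *owner_out)
{
    struct stat st;

    /* lstat(), not stat(): a symlink must not be followed. */
    if (lstat(path, &st) != 0)
        return AUTH_DIR_MISSING;
    if (!S_ISDIR(st.st_mode))
        return AUTH_DIR_NOT_DIR;
    /* Assumed policy: rwx for the owner, nothing for group/other. */
    if ((st.st_mode & 0777) != 0700)
        return AUTH_DIR_BAD_MODE;
    if (owner_out != NULL)
        *owner_out = st.st_uid;
    return AUTH_DIR_OK;
}

/* Create a scratch directory under $TMPDIR (or /tmp). 0 on success. */
static int make_scratch_dir(char *buf, size_t len)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    if (snprintf(buf, len, "%s/fsauth_demo_XXXXXX", base) >= (int)len)
        return -1;
    return mkdtemp(buf) != NULL ? 0 : -1;
}

/* Constructed test input: a directory we own, with the given mode. */
int demo_dir_case(mode_t mode)
{
    char dir[512];
    uid_t owner = (uid_t)-1;
    int rc;

    if (make_scratch_dir(dir, sizeof dir) != 0)
        return -1;
    if (chmod(dir, mode) != 0) {
        rmdir(dir);
        return -1;
    }
    rc = check_auth_dir(dir, &owner);
    rmdir(dir);
    if (rc == AUTH_DIR_OK && owner != geteuid())
        return -1;   /* the owner we report must be the creator */
    return rc;
}

/* Constructed test input: a symlink pointing at a valid 0700 directory. */
int demo_symlink_case(void)
{
    char dir[512], lnk[520];
    int rc;

    if (make_scratch_dir(dir, sizeof dir) != 0)
        return -1;
    snprintf(lnk, sizeof lnk, "%s.lnk", dir);
    if (symlink(dir, lnk) != 0) {
        rmdir(dir);
        return -1;
    }
    rc = check_auth_dir(lnk, NULL);
    unlink(lnk);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("mode 0700 -> %d\n", demo_dir_case(0700));
    printf("mode 0777 -> %d\n", demo_dir_case(0777));
    printf("mode 0750 -> %d\n", demo_dir_case(0750));
    printf("symlink   -> %d\n", demo_symlink_case());
    return 0;
}
```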



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:18:55 2019; Machine Name: buxtehude