Debian Bug report logs - #731132
augeas: CVE-2012-0786, CVE-2012-0787
Reported by: Raphael Geissert <geissert@debian.org>
Date: Mon, 2 Dec 2013 11:09:01 UTC
Severity: important
Tags: patch, security
Fixed in version augeas/0.7.2-1+deb6u1
Done: Raphael Geissert <geissert@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Nicolas Valcárcel Scerpella <nvalcarcel@gmail.com>: Bug#731132; Package augeas. (Mon, 02 Dec 2013 11:09:06 GMT)
Acknowledgement sent to Raphael Geissert <geissert@debian.org>: New Bug report received and forwarded. Copy sent to Nicolas Valcárcel Scerpella <nvalcarcel@gmail.com>. (Mon, 02 Dec 2013 11:09:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: augeas
Severity: important
Tags: patch security
Hi,
It appears that this never reached the BTS: CVE-2012-0786 and
CVE-2012-0787 both affect oldstable and stable. They do not warrant a
DSA, but it would be great to fix them via a SPU.
Could you please prepare the packages and coordinate with the release team?
Attached tarballs contain patches for the corresponding release. Note,
however, that #731111 is introduced by them and should also be fixed
:)
Thanks in advance.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
[squeeze.tar.gz (application/x-gzip, attachment)]
[wheezy.tar.gz (application/x-gzip, attachment)]
Reply sent to Raphael Geissert <geissert@debian.org>: You have taken responsibility. (Fri, 01 Aug 2014 11:21:13 GMT)
Notification sent to Raphael Geissert <geissert@debian.org>: Bug acknowledged by developer. (Fri, 01 Aug 2014 11:21:13 GMT)
Message #10 received at 731132-close@bugs.debian.org:
Source: augeas
Source-Version: 0.7.2-1+deb6u1
We believe that the bug you reported is fixed in the latest version of
augeas, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 731132@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Raphael Geissert <geissert@debian.org> (supplier of updated augeas package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 31 Jul 2014 15:40:31 +0200
Source: augeas
Binary: augeas-tools libaugeas-dev libaugeas0 augeas-dbg augeas-lenses
Architecture: source amd64 all
Version: 0.7.2-1+deb6u1
Distribution: squeeze-lts
Urgency: low
Maintainer: Nicolas Valcárcel Scerpella (Canonical) <nicolas.valcarcel@canonical.com>
Changed-By: Raphael Geissert <geissert@debian.org>
Description:
augeas-dbg - Debugging symbols for libaugeas0
augeas-lenses - Set of lenses needed by libaugeas0 to parse config files
augeas-tools - Augeas command line tools
libaugeas-dev - Development files for writing applications based on libaugeas0
libaugeas0 - The augeas configuration editing library and API
Closes: 731111 731132
Changes:
augeas (0.7.2-1+deb6u1) squeeze-lts; urgency=low
.
* Fix CVE-2012-0786 and CVE-2012-0787, race conditions when saving
the configuration files (Closes: #731132). Introduces CVE-2013-6412.
* Fix CVE-2013-6412: incorrect file permission due to a programming
error when applying the umask (Closes: #731111).
* debian/rules: run the test suite at build time but do not fail on it.
* debian/control: build-depend on ruby for the test suite.
* cutest-macros.patch: add missing macros to test-save.c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlPbdXkACgkQYy49rUbZzlodnwCgl4Y0CooxX/lJItBrL4X2CM5z
+WEAnRldj2hU1hMx+ylrW5n8n68rMN7C
=tmNl
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Nicolas Valcárcel Scerpella <nvalcarcel@gmail.com>: Bug#731132; Package augeas. (Mon, 18 Aug 2014 08:12:16 GMT)
Acknowledgement sent to Florian Ernst <florian_ernst@gmx.net>: Extra info received and forwarded to list. Copy sent to Nicolas Valcárcel Scerpella <nvalcarcel@gmail.com>. (Mon, 18 Aug 2014 08:12:16 GMT)
Message #15 received at 731132@bugs.debian.org:
Hello there,
On Mon, Dec 02, 2013 at 12:05:30PM +0100, Raphael Geissert wrote:
> [...]
> Could you please prepare the packages and coordinate with the release
> team?
On Wed, Jan 15, 2014 at 05:26:54PM +0100, Raphael Geissert wrote:
> [...]
> Could you please coordinate with the release team to fix these issues
> via O/SPU?
Both #731132 (augeas: CVE-2012-0786, CVE-2012-0787) and #731111 (augeas:
CVE-2013-6412) don't show any maintainer action. These security bugs
remained untouched for several months.
Furthermore, the last maintainer upload of augeas seems to have been
over 1.5y ago, and two new upstream releases are now available (cf.
#751232).
Thus, I wonder whether augeas is still maintained ...?
Best regards,
Flo
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 30 Sep 2014 07:30:35 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:46:33 2019; Machine Name: buxtehude