Debian Bug report logs - #654231: CVE-2011-4862
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Mon, 2 Jan 2012 13:48:15 UTC
Severity: critical
Tags: security
Found in version krb5-appl/1:1.0~alpha1-1
Fixed in versions krb5-appl/1:1.0.1-1.2, krb5-appl/1:1.0.1-2
Done: Russ Allbery <rra@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Sam Hartman <hartmans@debian.org>: Bug#654231; Package krb5-telnetd. (Mon, 02 Jan 2012 13:48:19 GMT)
Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Sam Hartman <hartmans@debian.org>. (Mon, 02 Jan 2012 13:48:20 GMT)
Message #5 received at submit@bugs.debian.org:
Package: krb5-telnetd
Severity: critical
Tags: security
http://www.debian.org/security/2011/dsa-2375 is still unfixed in sid.
Patch from the DSA attached.
Cheers,
Moritz
[Attachment: CVE-2011-4862 (text/x-diff)]
Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#654231; Package krb5-telnetd. (Mon, 19 Mar 2012 19:54:09 GMT)
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 19 Mar 2012 19:54:09 GMT)
Message #10 received at 654231@bugs.debian.org:
found 654231 1:1.0~alpha1-1
fixed 654231 1:1.0.1-1.2
thanks
On Mon, 2012-01-02 at 14:46 +0100, Moritz Muehlenhoff wrote:
> Package: krb5-telnetd
> Severity: critical
> Tags: security
>
> http://www.debian.org/security/2011/dsa-2375 is still unfixed in sid.
fwiw, this is now fixed in sid, but only because we propagated the
package up to testing and unstable during the 6.0.4 point release, so as
not to make dak cry. This is also the reason that CVE-2011-1526 (from
DSA-2283) is fixed in sid.
Regards,
Adam
Marked as found in versions krb5-appl/1:1.0~alpha1-1. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Mon, 19 Mar 2012 19:54:31 GMT)
Marked as fixed in versions krb5-appl/1:1.0.1-1.2. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Mon, 19 Mar 2012 19:54:32 GMT)
Reply sent to Russ Allbery <rra@debian.org>: You have taken responsibility. (Tue, 20 Mar 2012 05:51:03 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Tue, 20 Mar 2012 05:51:04 GMT)
Message #19 received at 654231-close@bugs.debian.org:
Source: krb5-appl
Source-Version: 1:1.0.1-2
We believe that the bug you reported is fixed in the latest version of
krb5-appl, which is due to be installed in the Debian FTP archive:
krb5-appl_1.0.1-2.debian.tar.gz
to main/k/krb5-appl/krb5-appl_1.0.1-2.debian.tar.gz
krb5-appl_1.0.1-2.dsc
to main/k/krb5-appl/krb5-appl_1.0.1-2.dsc
krb5-clients_1.0.1-2_i386.deb
to main/k/krb5-appl/krb5-clients_1.0.1-2_i386.deb
krb5-ftpd_1.0.1-2_i386.deb
to main/k/krb5-appl/krb5-ftpd_1.0.1-2_i386.deb
krb5-rsh-server_1.0.1-2_i386.deb
to main/k/krb5-appl/krb5-rsh-server_1.0.1-2_i386.deb
krb5-telnetd_1.0.1-2_i386.deb
to main/k/krb5-appl/krb5-telnetd_1.0.1-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 654231@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated krb5-appl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 19 Mar 2012 22:20:08 -0700
Source: krb5-appl
Binary: krb5-clients krb5-rsh-server krb5-ftpd krb5-telnetd
Architecture: source i386
Version: 1:1.0.1-2
Distribution: unstable
Urgency: low
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description:
krb5-clients - Secure replacements for ftp, telnet and rsh using MIT Kerberos
krb5-ftpd - Secure FTP server supporting MIT Kerberos
krb5-rsh-server - Secure replacements for rshd and rlogind using MIT Kerberos
krb5-telnetd - Secure telnet server supporting MIT Kerberos
Closes: 654231 657842
Changes:
 krb5-appl (1:1.0.1-2) unstable; urgency=low
 .
   * Hopefully temporary interim release until I learn the proper procedure
     for package updates to new upstream releases.
   * Acknowledge security NMUs, thanks Florian Weimer.
     - Apply patch from FreeBSD to fix CVE-2011-4862 (Closes: #654231)
     - CVE-2011-1526, MIT-SA-2011-005: Kerberos ftpd fails to set correct
       group permissions. The ftp daemon always runs with the group
       permissions of the user it is started as, probably the root group.
   * Apply upstream commits r3299 and r3326 to not use variable data
     as format strings, which allows the source to compile safely with
     -Wformat -Werror=format-security.
   * Fix spelling errors in man pages (thanks, Lintian).
   * Update debhelper compatibility level to V9.
     - Use hardening build flags. (Closes: #657842)
   * Use dh-autoreconf to regenerate the build system during build and use
     its support for --as-needed. Use the new dpkg-buildflags method of
     passing -Wl,--as-needed.
   * Remove duplicate Priority fields from binary packages.
   * Update standards version to 3.9.3 (no changes required).
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 17 Apr 2012 07:32:43 GMT)
Last modified: Wed Jun 19 19:08:38 2019