Debian Bug report logs -
#519801
CVE-2009-0365, CVE-2009-0578
Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>
Date: Sun, 15 Mar 2009 10:42:01 UTC
Severity: serious
Tags: security
Found in version 0.6.6-4
Fixed in versions 0.7.0.99-1, network-manager-applet/0.6.6-4+lenny1, network-manager/0.6.4-6+etch4
Done: Michael Biebl <biebl@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#519801; Package network-manager-applet.
(Sun, 15 Mar 2009 10:42:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>.
(Sun, 15 Mar 2009 10:42:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: network-manager-applet
Version: 0.6.6-4
Severity: serious
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for network-manager-applet:
CVE-2009-0365[1]:
The dbus request handler in (1) network-manager-applet and (2)
NetworkManager in Ubuntu 6.06 LTS, 7.10, 8.04 LTS, and 8.10 does not
properly verify privileges, which allows local users to discover (a)
network connection passwords and (b) pre-shared keys via unspecified
queries.
CVE-2009-0578[2]:
network-manager-applet in Ubuntu 8.10 does not properly verify
privileges for dbus (1) modify and (2) delete requests, which allows
local users to change or remove the network connections of arbitrary
users via unspecified vectors.
These are already fixed in unstable, but I guess this should be fixed in
stable as well.
[1]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0365
[2]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0578
Cheers,
Giuseppe.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkm82w4ACgkQNxpp46476ap+ywCfdgKlbQPrEDto0zx/YuEWQRfl
AnEAoIEp5CEhzHYO8Xmft4d8AjX/7hs6
=9LWP
-----END PGP SIGNATURE-----
Bug no longer marked as found in version 0.7.0.99-1.
Request was from Giuseppe Iuculano <giuseppe@iuculano.it>
to control@bugs.debian.org.
(Sun, 15 Mar 2009 11:27:06 GMT) (full text, mbox, link).
Reply sent
to Nico Golde <nion@debian.org>:
You have taken responsibility.
(Sun, 15 Mar 2009 11:30:15 GMT) (full text, mbox, link).
Notification sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer.
(Sun, 15 Mar 2009 11:30:15 GMT) (full text, mbox, link).
Message #12 received at 519801-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Version: 0.7.0.99-1
* Giuseppe Iuculano <giuseppe@iuculano.it> [2009-03-15 12:17]:
[...]
> These are already fixed in unstable, but I guess this should be fixed in
> stable as well.
>
> [1]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0365
> [2]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0578
Please use appropriate tags & versions if you file bugs just
for stable.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Reply sent
to Michael Biebl <biebl@debian.org>:
You have taken responsibility.
(Sun, 18 Apr 2010 14:10:46 GMT) (full text, mbox, link).
Notification sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer.
(Sun, 18 Apr 2010 14:10:46 GMT) (full text, mbox, link).
Message #17 received at 519801-close@bugs.debian.org (full text, mbox, reply):
Source: network-manager-applet
Source-Version: 0.6.6-4+lenny1
We believe that the bug you reported is fixed in the latest version of
network-manager-applet, which is due to be installed in the Debian FTP archive:
network-manager-applet_0.6.6-4+lenny1.diff.gz
to main/n/network-manager-applet/network-manager-applet_0.6.6-4+lenny1.diff.gz
network-manager-applet_0.6.6-4+lenny1.dsc
to main/n/network-manager-applet/network-manager-applet_0.6.6-4+lenny1.dsc
network-manager-gnome_0.6.6-4+lenny1_i386.deb
to main/n/network-manager-applet/network-manager-gnome_0.6.6-4+lenny1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 519801@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated network-manager-applet package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 15 Dec 2009 23:40:01 +0100
Source: network-manager-applet
Binary: network-manager-gnome
Architecture: source i386
Version: 0.6.6-4+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
network-manager-gnome - network management framework (GNOME frontend)
Closes: 519801
Changes:
network-manager-applet (0.6.6-4+lenny1) stable-security; urgency=high
.
* debian/patches/10-CVE-2009-0365.patch
- SECURITY: It was discovered that NetworkManager did not properly enforce
permissions when responding to dbus requests. A local user could perform
dbus queries to view system and user network connection passwords and
pre-shared keys. (Closes: #519801)
FIXES: CVE-2009-0365
Checksums-Sha1:
598dfb6b99c968ad56692033b092f7d8f2d176f5 1734 network-manager-applet_0.6.6-4+lenny1.dsc
da572c48ae9ecb5c9ba61c0ed8fd06567dcbc4e3 781511 network-manager-applet_0.6.6.orig.tar.gz
7ddf6febdc947d7ddf4e2cb7daf6f22d52f8e2dc 8437 network-manager-applet_0.6.6-4+lenny1.diff.gz
eb67d943c67f6f83241409969784c55e4bd27a69 331344 network-manager-gnome_0.6.6-4+lenny1_i386.deb
Checksums-Sha256:
dd923cb6fc9b74a917eca4cf5e90fa32f36733f23a680ec3fc81d9d6ab43d939 1734 network-manager-applet_0.6.6-4+lenny1.dsc
8eb264d5838d1f9e2e507a570cb23dc54e11505023b71b6868cee31da2dff38d 781511 network-manager-applet_0.6.6.orig.tar.gz
851a66b459a8b7b563be893ce720d263dca83bed1b48c5ab6dc131554cb2b4bb 8437 network-manager-applet_0.6.6-4+lenny1.diff.gz
489667d7e3ff72e0e58a8094044e214ce0c817aff652c4b53fb5b8c6866aac58 331344 network-manager-gnome_0.6.6-4+lenny1_i386.deb
Files:
34200f4387757a3688c49c617bc09fc6 1734 gnome optional network-manager-applet_0.6.6-4+lenny1.dsc
16e95a3515e4255d034b14045a9effd5 781511 gnome optional network-manager-applet_0.6.6.orig.tar.gz
d5c7910fc754ef45eb7628f41e98023f 8437 gnome optional network-manager-applet_0.6.6-4+lenny1.diff.gz
993767ed8f55910cced53c641074b338 331344 gnome optional network-manager-gnome_0.6.6-4+lenny1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkso9cMACgkQh7PER70FhVQONQCfZ1Ua3rGzlLlOp9bojdEnyG9s
UskAniwtpHky7OMTYKRmtICRLMFHZRVa
=f8WP
-----END PGP SIGNATURE-----
Reply sent
to Michael Biebl <biebl@debian.org>:
You have taken responsibility.
(Sun, 02 May 2010 14:12:06 GMT) (full text, mbox, link).
Notification sent
to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer.
(Sun, 02 May 2010 14:12:06 GMT) (full text, mbox, link).
Message #22 received at 519801-close@bugs.debian.org (full text, mbox, reply):
Source: network-manager
Source-Version: 0.6.4-6+etch4
We believe that the bug you reported is fixed in the latest version of
network-manager, which is due to be installed in the Debian FTP archive:
libnm-glib-dev_0.6.4-6+etch4_i386.deb
to main/n/network-manager/libnm-glib-dev_0.6.4-6+etch4_i386.deb
libnm-glib0_0.6.4-6+etch4_i386.deb
to main/n/network-manager/libnm-glib0_0.6.4-6+etch4_i386.deb
libnm-util-dev_0.6.4-6+etch4_i386.deb
to main/n/network-manager/libnm-util-dev_0.6.4-6+etch4_i386.deb
libnm-util0_0.6.4-6+etch4_i386.deb
to main/n/network-manager/libnm-util0_0.6.4-6+etch4_i386.deb
network-manager-dev_0.6.4-6+etch4_i386.deb
to main/n/network-manager/network-manager-dev_0.6.4-6+etch4_i386.deb
network-manager-gnome_0.6.4-6+etch4_i386.deb
to main/n/network-manager/network-manager-gnome_0.6.4-6+etch4_i386.deb
network-manager_0.6.4-6+etch4.diff.gz
to main/n/network-manager/network-manager_0.6.4-6+etch4.diff.gz
network-manager_0.6.4-6+etch4.dsc
to main/n/network-manager/network-manager_0.6.4-6+etch4.dsc
network-manager_0.6.4-6+etch4_i386.deb
to main/n/network-manager/network-manager_0.6.4-6+etch4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 519801@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated network-manager package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 15 Dec 2009 23:31:58 +0100
Source: network-manager
Binary: libnm-util-dev network-manager-gnome network-manager-dev libnm-util0 libnm-glib0 network-manager libnm-glib-dev
Architecture: source i386
Version: 0.6.4-6+etch4
Distribution: oldstable-security
Urgency: high
Maintainer: Riccardo Setti <giskard@debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description:
libnm-glib-dev - network management framework (GLib interface)
libnm-glib0 - network management framework (GLib shared library)
libnm-util-dev - network management framework (development files)
libnm-util0 - network management framework (shared library)
network-manager - network management framework daemon
network-manager-dev - network management framework (development files)
network-manager-gnome - network management framework (GNOME frontend)
Closes: 519801
Changes:
network-manager (0.6.4-6+etch4) oldstable-security; urgency=high
.
* debian/patches/13-CVE-2009-0365.patch
- SECURITY: It was discovered that NetworkManager did not properly enforce
permissions when responding to dbus requests. A local user could perform
dbus queries to view system and user network connection passwords and
pre-shared keys. (Closes: #519801)
FIXES: CVE-2009-0365
Files:
9ca281c6a38a498e5735a9e8caa4b7bc 1034 net optional network-manager_0.6.4-6+etch4.dsc
2d8ec8b17f85ee9aa9c0e04c63b98c3a 1079499 net optional network-manager_0.6.4.orig.tar.gz
448d010bfa385c406fad97b0c9667731 20424 net optional network-manager_0.6.4-6+etch4.diff.gz
2f6c0940ac4e34ba3aea0c8cbf76cf60 239640 net optional network-manager_0.6.4-6+etch4_i386.deb
e925bac52eb8fad1bcdf7e14f6dbbc1e 371748 gnome optional network-manager-gnome_0.6.4-6+etch4_i386.deb
1e07c7c7318b89b08f443fcc2fcc4ed1 112858 devel optional network-manager-dev_0.6.4-6+etch4_i386.deb
f2bae719f42c8a30dcd3b7e8004b8d58 118136 libs optional libnm-glib0_0.6.4-6+etch4_i386.deb
d38c510c9e0094529575917272e74b72 118530 libdevel optional libnm-glib-dev_0.6.4-6+etch4_i386.deb
2c641df7d5ab4f100778795dce5ab9bb 123882 libs optional libnm-util0_0.6.4-6+etch4_i386.deb
e00655f007c778143f3b33eb2618cf2a 126232 libdevel optional libnm-util-dev_0.6.4-6+etch4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkso8h0ACgkQh7PER70FhVSUJwCfU2XqAyR9L6smbmzW7unHrEoj
cBsAn2Nxg5TgBo3cjoGT4VfPetjGaLCA
=b96c
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 27 Jun 2010 07:30:17 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:14:49 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon