tnftp: CVE-2014-8517: ftp(1) can be made execute arbitrary commands by malicious webserver

Related Vulnerabilities: CVE-2014-8517  

Debian Bug report logs - #767171


Package: tnftp; Maintainer for tnftp is Anibal Monsalve Salazar <anibal@debian.org>; Source for tnftp is src:tnftp (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 28 Oct 2014 22:18:01 UTC

Severity: grave

Tags: security, upstream

Found in version tnftp/20100108-1

Fixed in version tnftp/20130505-2

Done: Anibal Monsalve Salazar <anibal@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#767171; Package tnftp. (Tue, 28 Oct 2014 22:18:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Anibal Monsalve Salazar <anibal@debian.org>. (Tue, 28 Oct 2014 22:18:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Command execution
Date: Tue, 28 Oct 2014 23:15:44 +0100
Package: tnftp
Severity: grave
Tags: security

Please see http://www.openwall.com/lists/oss-security/2014/10/28/4
No CVE ID has been assigned yet. This doesn't warrant a DSA, but
you could fix it up in a point release.

Cheers,
        Moritz



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 28 Oct 2014 22:24:17 GMT)


Marked as found in versions tnftp/20100108-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 28 Oct 2014 22:24:18 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#767171; Package tnftp. (Wed, 29 Oct 2014 05:30:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Wed, 29 Oct 2014 05:30:04 GMT)


Message #14 received at 767171@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 767171@bugs.debian.org
Subject: Re: Bug#767171: Command execution
Date: Wed, 29 Oct 2014 06:27:09 +0100
Control: retitle -1 tnftp: CVE-2014-8517: ftp(1) can be made execute arbitrary commands by malicious webserver

Hi,

On Tue, Oct 28, 2014 at 11:15:44PM +0100, Moritz Muehlenhoff wrote:
> Package: tnftp
> Severity: grave
> Tags: security
> 
> Please see http://www.openwall.com/lists/oss-security/2014/10/28/4
> No CVE ID has been assigned yet. This doesn't warrant a DSA, but
> you could fix it up in a point release.

In the meantime a CVE has been assigned: CVE-2014-8517; could you please
reference it when you fix this issue.

Regards,
Salvatore



Changed Bug title to 'tnftp: CVE-2014-8517: ftp(1) can be made execute arbitrary commands by malicious webserver' from 'Command execution'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 767171-submit@bugs.debian.org. (Wed, 29 Oct 2014 05:30:04 GMT)


Reply sent to Anibal Monsalve Salazar <anibal@debian.org>:
You have taken responsibility. (Thu, 06 Nov 2014 11:24:20 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Thu, 06 Nov 2014 11:24:20 GMT)


Message #21 received at 767171-close@bugs.debian.org:

From: Anibal Monsalve Salazar <anibal@debian.org>
To: 767171-close@bugs.debian.org
Subject: Bug#767171: fixed in tnftp 20130505-2
Date: Thu, 06 Nov 2014 11:22:17 +0000
Source: tnftp
Source-Version: 20130505-2

We believe that the bug you reported is fixed in the latest version of
tnftp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 767171@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated tnftp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 06 Nov 2014 10:42:01 +0000
Source: tnftp
Binary: tnftp
Architecture: source amd64
Version: 20130505-2
Distribution: unstable
Urgency: medium
Maintainer: Anibal Monsalve Salazar <anibal@debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description:
 tnftp      - enhanced ftp client
Closes: 759467 767171
Changes:
 tnftp (20130505-2) unstable; urgency=medium
 .
   * Only trust filenames with special meaning if they came from
     the command line. CVE-2014-8517.
     Add upstream patch CVE-2014-8517.patch.
     Closes: #767171.
   * Run dh-autoreconf to update for new architectures.
     Patch by Brahadambal Srinivasan <latha@linux.vnet.ibm.com>.
     Closes: 759467.
   * Standards Version is 3.9.6.
   * Fix uses-deprecated-compression-for-data-tarball.
   * Fix build-depends-on-obsolete-package.
     build-depends: hardening-wrapper => use dpkg-buildflags instead.



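The changelog's one-line description of the fix ("only trust filenames with special meaning if they came from the command line"), shown as an added example that is not tnftp's or Debian's own code: the pre-fix and post-fix decision side by side. It assumes ftp(1)'s output-name conventions ("-" for standard output, a leading "|" for a pipe into a command); the function and enum names are invented for the illustration, not tnftp identifiers.

```c
/* Added example, not tnftp's own code: models the CVE-2014-8517 fix the
 * changelog describes.  Function and enum names are assumptions. */
#include <stdio.h>
#include <string.h>

enum name_origin { NAME_FROM_CMDLINE, NAME_FROM_SERVER };
enum output_kind { OUT_FILE, OUT_STDOUT, OUT_PIPE };

/* Pre-fix behaviour: ftp(1)'s conventions that "-" means stdout and a
 * leading "|" means "pipe the body into a shell command" were applied to
 * every output name, wherever it came from. */
enum output_kind classify_output_unsafe(const char *name, enum name_origin origin)
{
    (void)origin;                      /* origin was never consulted */
    if (strcmp(name, "-") == 0)
        return OUT_STDOUT;
    return name[0] == '|' ? OUT_PIPE : OUT_FILE;
}

/* Fixed behaviour: the special meanings are honoured only for a name the
 * user typed (an -o argument).  A name derived from the URL path, which a
 * server controls (e.g. through a redirect), is always a plain file. */
enum output_kind classify_output(const char *name, enum name_origin origin)
{
    if (origin != NAME_FROM_CMDLINE)
        return OUT_FILE;
    return classify_output_unsafe(name, origin);
}

/* Local filename a downloader derives from a URL: the last path component. */
const char *basename_of_url(const char *url, char *buf, size_t n)
{
    const char *slash = strrchr(url, '/');
    snprintf(buf, n, "%s", slash ? slash + 1 : url);
    return buf;
}

/* Decide where a fetched URL's body goes.  outfile is the -o argument or
 * NULL, in which case the name is taken from the URL itself. */
enum output_kind resolve_output(const char *url, const char *outfile,
                                char *namebuf, size_t n)
{
    if (outfile != NULL) {
        snprintf(namebuf, n, "%s", outfile);
        return classify_output(namebuf, NAME_FROM_CMDLINE);
    }
    basename_of_url(url, namebuf, n);
    return classify_output(namebuf, NAME_FROM_SERVER);
}
```

The URLs and the "|some-command" name used when exercising this are constructed sample values; the point is that the same string yields OUT_PIPE when the user supplied it and OUT_FILE when the server did.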


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 07:59:21 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:33:41 2019
