Debian Bug report logs - #740846 percona-toolkit: CVE-2014-2029
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Wed, 5 Mar 2014 14:36:08 UTC
Severity: grave
Tags: security
Fixed in version percona-toolkit/2.2.7-1~dfsg1
Done: Dario Minnucci <midget@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Dario Minnucci <midget@debian.org>: Bug#740846; Package percona-toolkit. (Wed, 05 Mar 2014 14:36:12 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Dario Minnucci <midget@debian.org>. (Wed, 05 Mar 2014 14:36:12 GMT)
Message #5 received at submit@bugs.debian.org:
Package: percona-toolkit
Severity: grave
Tags: security
Justification: user security hole
This was assigned CVE-2014-2029:
http://seclists.org/oss-sec/2014/q1/377
We should disable it in the Debian package.
Cheers,
Moritz
Added tag(s) pending. Request was from Dario Minnucci <midget@debian.org> to control@bugs.debian.org. (Wed, 05 Mar 2014 19:54:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Dario Minnucci <midget@debian.org>: Bug#740846; Package percona-toolkit. (Wed, 05 Mar 2014 19:57:04 GMT)
Acknowledgement sent to "Dario Minnucci (midget)" <debian@midworld.net>: Extra info received and forwarded to list. Copy sent to Dario Minnucci <midget@debian.org>. (Wed, 05 Mar 2014 19:57:04 GMT)
Message #12 received at submit@bugs.debian.org:
Hi Moritz,
I'm checking with upstream if version in stable is really vulnerable to CVE-2014-2029 as well.
I'll upload a fix to unstable in a while.
Thanks,
On 03/05/2014 03:22 PM, Moritz Muehlenhoff wrote:
> Package: percona-toolkit
> Severity: grave
> Tags: security
> Justification: user security hole
>
> This was assigned CVE-2014-2029:
> http://seclists.org/oss-sec/2014/q1/377
>
> We should disable it in the Debian package.
>
> Cheers,
> Moritz
>
--
Dario Minnucci (midget) <debian@midworld.net>
Phone: +34 902021030 | Fax: +34 902024417
Key fingerprint = BAA1 7AAF B21D 6567 D457 D67D A82F BB83 F3D5 7033
Information forwarded to debian-bugs-dist@lists.debian.org, Dario Minnucci <midget@debian.org>: Bug#740846; Package percona-toolkit. (Wed, 05 Mar 2014 19:57:07 GMT)
Acknowledgement sent to "Dario Minnucci (midget)" <debian@midworld.net>: Extra info received and forwarded to list. Copy sent to Dario Minnucci <midget@debian.org>. (Wed, 05 Mar 2014 19:57:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#740846; Package percona-toolkit. (Wed, 05 Mar 2014 20:39:11 GMT)
Acknowledgement sent to Dario Minnucci <midget@debian.org>: Extra info received and forwarded to list. (Wed, 05 Mar 2014 20:39:12 GMT)
Message #22 received at 740846@bugs.debian.org:
Hi Hrvoje,
I'm also Cc'ing this message to the Debian BTS (#740846) to keep track of this issue in case we need this info in the future.
Thanks a lot.
Regards,
On 03/05/2014 09:14 PM, Hrvoje Matijakovic wrote:
> On Wed, Mar 05, 2014 at 08:43:51PM +0100, Dario Minnucci wrote:
>>
>> Hi Hrvoje,
>>
>> I'm in the way of closing CVE-2014-2029 in the Debian package and everything seems OK on version
>> 2.2.7 (soon will be uploaded to 'unstable' and 'testing|jessie', thanks), but my question is about
>> version 2.1.2 (currently in 'stable|wheezy')
>>
>>
>> Here it goes...
>>
>>
>> By checking Percona Toolkit's Changelog file in 'percona-toolkit_2.2.7.tar.gz' I've found this:
>>
>>
>>
>> v2.1.4 released 2012-09-20
>>
>> * ...
>> * Implemented the version-check feature in several tools, enabled with the --version-check option
>> * ...
>>
>>
>>
>> Can you please confirm if the CVE-2014-2029 was introduced in version '2.1.4' or is really present
>> in previous versions (such as '2.1.2').
>>
>> If my assumptions are correct and CVE-2014-2029 was introduced in version '2.1.4', this means that
>> version '2.1.2' (currently in 'stable|wheezy') is *NOT* vulnerable to this CVE and I'll be able to
>> notify this to the Debian Security Team in order to update the Debian Security Tracker[0].
>>
>>
>> Thanks in advance.
>>
>> Regards,
>>
>>
>>
>> [0] https://security-tracker.debian.org/tracker/source-package/percona-toolkit
>
> Hi Dario,
>
> I've checked with our lead PT developer he confirmed that VersionCheck
> was introduced in 2.1.4. LP milestone says that as well:
> https://launchpad.net/percona-toolkit/2.1/2.1.4
>
> Let me know if you need anything else regarding this,
>
> Thanks,
> Hrvoje
>
--
Dario Minnucci <midget@debian.org>
Phone: +34 902884117 | Fax: +34 902024417 | Support: +34 807450000
Key fingerprint = BAA1 7AAF B21D 6567 D457 D67D A82F BB83 F3D5 7033
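As an added example, not code from the bug log or from the Debian or Percona projects: a Python check that decides whether a given percona-toolkit package version falls in the affected range the thread establishes (the --version-check feature introduced upstream in 2.1.4, the fix shipped in Debian as 2.2.7-1~dfsg1). The range endpoints are the only page-specific values; the comparison implements the dpkg version ordering (epoch, upstream, revision, with '~' sorting before everything) so that a '~dfsg1' revision is correctly treated as lower than the plain revision, and it assumes standard '[epoch:]upstream[-revision]' strings.

```python
import re
from itertools import zip_longest

# Range from the bug log: 2.1.4 introduced --version-check; 2.2.7-1~dfsg1 fixes it.
INTRODUCED = "2.1.4"
FIXED = "2.2.7-1~dfsg1"

def _order(c):
    # dpkg ordering: '~' before everything (even end of string), then end of
    # string, then letters, then any other character.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare an upstream or revision string like dpkg: alternate between
    # non-digit runs (ordered by _order) and digit runs (compared numerically).
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for x, y in zip_longest(na, nb, fillvalue=""):
            d = _order(x) - _order(y)
            if d:
                return -1 if d < 0 else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        d = int(da or 0) - int(db or 0)
        if d:
            return -1 if d < 0 else 1
    return 0

def _split(v):
    # Split '[epoch:]upstream[-debian_revision]' into its three parts.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def dpkg_compare(v1, v2):
    # Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`.
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_affected(version):
    # True when the percona-toolkit version lies in [INTRODUCED, FIXED).
    return dpkg_compare(version, INTRODUCED) >= 0 and dpkg_compare(version, FIXED) < 0
```

With these endpoints the wheezy package (2.1.2) is reported as not affected and anything from 2.1.4 up to the ~dfsg1 upload as affected, which is the conclusion Dario and Hrvoje reached above.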
Reply sent to Dario Minnucci <midget@debian.org>: You have taken responsibility. (Wed, 05 Mar 2014 21:24:04 GMT)
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Wed, 05 Mar 2014 21:24:04 GMT)
Message #27 received at 740846-close@bugs.debian.org:
Source: percona-toolkit
Source-Version: 2.2.7-1~dfsg1
We believe that the bug you reported is fixed in the latest version of
percona-toolkit, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 740846@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dario Minnucci <midget@debian.org> (supplier of updated percona-toolkit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 05 Mar 2014 21:32:01 +0100
Source: percona-toolkit
Binary: percona-toolkit
Architecture: source all
Version: 2.2.7-1~dfsg1
Distribution: unstable
Urgency: high
Maintainer: Dario Minnucci <midget@debian.org>
Changed-By: Dario Minnucci <midget@debian.org>
Description:
percona-toolkit - Command-line tools for MySQL and system tasks
Closes: 740846
Changes:
percona-toolkit (2.2.7-1~dfsg1) unstable; urgency=high

  * New upstream release (2.2.7)
  * Sources repacked to remove provided 'debian' directory. Package
    tagged as '~dfsg1'
  * Fix for CVE-2014-2029: --version-check behaves like spyware.
    (Closes: #740846)
Information forwarded to debian-bugs-dist@lists.debian.org, Dario Minnucci <midget@debian.org>: Bug#740846; Package percona-toolkit. (Thu, 06 Mar 2014 08:48:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Dario Minnucci <midget@debian.org>. (Thu, 06 Mar 2014 08:48:04 GMT)
Message #32 received at 740846@bugs.debian.org:
On Wed, Mar 05, 2014 at 09:27:41PM +0100, Dario Minnucci wrote:
>
> Hi Hrvoje,
>
> I'm also Cc: this message to Debian BTS (#740846) to keep track of this issue in case we need this
> info in the future.
Thanks for the confirmation. The Security Tracker has been updated.
Cheers,
Moritz
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Apr 2015 07:40:17 GMT)
Last modified: Wed Jun 19 14:39:53 2019