augeas: CVE-2013-6412

Related Vulnerabilities: CVE-2013-6412   CVE-2012-0786   CVE-2012-0787  

Debian Bug report logs - #731111
augeas: CVE-2013-6412


Package: augeas; Maintainer for augeas is Hilko Bengen <bengen@debian.org>;

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 2 Dec 2013 08:54:02 UTC

Severity: important

Tags: patch, security

Fixed in version augeas/0.7.2-1+deb6u1

Done: Raphael Geissert <geissert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nicolas Valcárcel Scerpella <nvalcarcel@gmail.com>:
Bug#731111; Package augeas. (Mon, 02 Dec 2013 08:54:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nicolas Valcárcel Scerpella <nvalcarcel@gmail.com>. (Mon, 02 Dec 2013 08:54:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: augeas: CVE-2013-6412
Date: Mon, 02 Dec 2013 09:43:00 +0100
Package: augeas
Severity: important
Tags: security

Hi,
please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6412 for
details and a link to the fix.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Nicolas Valcárcel Scerpella <nvalcarcel@gmail.com>:
Bug#731111; Package augeas. (Wed, 15 Jan 2014 16:30:05 GMT)


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Nicolas Valcárcel Scerpella <nvalcarcel@gmail.com>. (Wed, 15 Jan 2014 16:30:05 GMT)


Message #10 received at 731111@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: 731111@bugs.debian.org
Subject: Re: Bug#731111: augeas: CVE-2013-6412
Date: Wed, 15 Jan 2014 17:26:54 +0100
[Message part 1 (text/plain, inline)]
Control: tag -1 patch

Attached are patches fixing the issues for squeeze and wheezy.
Also attached is an additional patch needed in squeeze to be able to
run the test-save.c test.

Could you please coordinate with the release team to fix these issues via O/SPU?

Thanks,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
[cutest-macros.squeeze.patch (text/x-patch, attachment)]
[CVE-2013-6412.squeeze.patch (text/x-patch, attachment)]
[CVE-2013-6412.wheezy.patch (text/x-patch, attachment)]

Added tag(s) patch. Request was from Raphael Geissert <geissert@debian.org> to 731111-submit@bugs.debian.org. (Wed, 15 Jan 2014 16:30:05 GMT)


Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Fri, 01 Aug 2014 11:21:09 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 01 Aug 2014 11:21:09 GMT)


Message #17 received at 731111-close@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: 731111-close@bugs.debian.org
Subject: Bug#731111: fixed in augeas 0.7.2-1+deb6u1
Date: Fri, 01 Aug 2014 11:19:33 +0000
Source: augeas
Source-Version: 0.7.2-1+deb6u1

We believe that the bug you reported is fixed in the latest version of
augeas, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 731111@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <geissert@debian.org> (supplier of updated augeas package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 31 Jul 2014 15:40:31 +0200
Source: augeas
Binary: augeas-tools libaugeas-dev libaugeas0 augeas-dbg augeas-lenses
Architecture: source amd64 all
Version: 0.7.2-1+deb6u1
Distribution: squeeze-lts
Urgency: low
Maintainer: Nicolas Valcárcel Scerpella (Canonical) <nicolas.valcarcel@canonical.com>
Changed-By: Raphael Geissert <geissert@debian.org>
Description: 
 augeas-dbg - Debugging symbols for libaugeas0
 augeas-lenses - Set of lenses needed by libaugeas0 to parse config files
 augeas-tools - Augeas command line tools
 libaugeas-dev - Development files for writing applications based on libaugeas0
 libaugeas0 - The augeas configuration editing library and API
Closes: 731111 731132
Changes: 
 augeas (0.7.2-1+deb6u1) squeeze-lts; urgency=low
 .
   * Fix CVE-2012-0786 and CVE-2012-0787, race conditions when saving
     the configuration files (Closes: #731132). Introduces CVE-2013-6412.
   * Fix CVE-2013-6412: incorrect file permission due to a programming
     error when applying the umask (Closes: #731111).
   * debian/rules: run the test suite at build time but do not fail on it.
   * debian/control: build-depend on ruby for the test suite.
   * cutest-macros.patch: add missing macros to test-save.c

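The changelog above attributes CVE-2013-6412 to a programming error when applying the umask to saved files. The C program below is an added illustration, not augeas code and not taken from the patches attached to this bug: it contrasts masking with `& ~mask` against arithmetic subtraction, a constructed instance of that class of error, on a file created with `mkstemp()`. All function names and the `/tmp` template are assumptions made for the example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* mkstemp, fchmod */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Correct: clear exactly the permission bits that are set in the mask. */
static mode_t apply_umask(mode_t base, mode_t mask) {
    return base & ~mask & 07777;
}

/* Constructed faulty variant: subtraction. It matches the correct result
 * only when every mask bit is also set in base; otherwise the borrow
 * flips unrelated permission bits. */
static mode_t apply_umask_faulty(mode_t base, mode_t mask) {
    return (base - mask) & 07777;
}

/* Audit helper: permission bits present in mode that the mask forbids. */
static mode_t forbidden_bits(mode_t mode, mode_t mask) {
    return mode & mask & 0777;
}

/* Save-style flow: mkstemp() creates the file 0600 regardless of umask,
 * so the final mode has to be set explicitly. Returns the resulting
 * permission bits, or (mode_t)-1 on error. */
static mode_t saved_file_mode(mode_t mask, int faulty) {
    char path[] = "/tmp/umask-demo-XXXXXX"; /* assumed scratch location */
    struct stat st;
    mode_t got = (mode_t)-1;
    int fd = mkstemp(path);
    if (fd < 0) return got;
    mode_t want = faulty ? apply_umask_faulty(0666, mask)
                         : apply_umask(0666, mask);
    if (fchmod(fd, want) == 0 && fstat(fd, &st) == 0)
        got = st.st_mode & 07777;
    close(fd);
    unlink(path);
    return got;
}

int main(void) {
    const mode_t masks[] = {0022, 0027, 0077}; /* constructed sample umasks */
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++) {
        mode_t bad = saved_file_mode(masks[i], 1);
        printf("umask %04o: correct %04o, faulty %04o, excess %04o\n",
               (unsigned)masks[i], (unsigned)saved_file_mode(masks[i], 0),
               (unsigned)bad, (unsigned)forbidden_bits(bad, masks[i]));
    }
    return 0;
}
```

With the common umask 0022 both variants agree, which is how an error of this kind can pass casual testing; `forbidden_bits()` is the check a regression test or file audit would apply to saved configuration files.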




Information forwarded to debian-bugs-dist@lists.debian.org, Nicolas Valcárcel Scerpella <nvalcarcel@gmail.com>:
Bug#731111; Package augeas. (Mon, 18 Aug 2014 08:12:13 GMT)


Acknowledgement sent to Florian Ernst <florian_ernst@gmx.net>:
Extra info received and forwarded to list. Copy sent to Nicolas Valcárcel Scerpella <nvalcarcel@gmail.com>. (Mon, 18 Aug 2014 08:12:13 GMT)


Message #22 received at 731111@bugs.debian.org:

From: Florian Ernst <florian_ernst@gmx.net>
To: 731132@bugs.debian.org, 731111@bugs.debian.org, 751232@bugs.debian.org
Subject: Re: Bug#731132: augeas: CVE-2012-0786, CVE-2012-0787
Date: Mon, 18 Aug 2014 10:10:17 +0200

Hello there,

On Mon, Dec 02, 2013 at 12:05:30PM +0100, Raphael Geissert wrote:
> [...]
> Could you please prepare the packages and coordinate with the release
> team?

On Wed, Jan 15, 2014 at 05:26:54PM +0100, Raphael Geissert wrote:
> [...]
> Could you please coordinate with the release team to fix these issues
> via O/SPU?

Both #731132 (augeas: CVE-2012-0786, CVE-2012-0787) and #731111 (augeas:
CVE-2013-6412) don't show any maintainer action. These security bugs
remained untouched for several months.

Furthermore, the last maintainer upload of augeas seems to have been
over 1.5y ago, and two new upstream releases are now available (cf.
#751232).

Thus, I wonder whether augeas is still maintained ...?

Best regards,
Flo



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 30 Sep 2014 07:26:47 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:02:11 2019; Machine Name: buxtehude
