CVE-2009-4145: information disclosure

Related Vulnerabilities: CVE-2009-4145   CVE-2009-4144  

Debian Bug report logs - #563371

Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Sat, 2 Jan 2010 11:42:02 UTC

Severity: important

Tags: security

Fixed in version network-manager-applet/0.7.2-2

Done: Michael Biebl <biebl@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#563371; Package network-manager-applet. (Sat, 02 Jan 2010 11:42:05 GMT)


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Sat, 02 Jan 2010 11:42:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-4145: information disclosure
Date: Sat, 02 Jan 2010 12:37:30 +0100
Package: network-manager-applet
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for network-manager-applet.

CVE-2009-4145[0]:
| nm-connection-editor in NetworkManager (NM) 0.7.x exports connection
| objects over D-Bus upon actions in the connection editor GUI, which
| allows local users to obtain sensitive information by reading D-Bus
| signals, as demonstrated by using dbus-monitor to discover the
| password for the WiFi network.

Unfortunately the vulnerability described above is not important enough
to get it fixed via a regular security update in Debian stable and oldstable. It
does not warrant a DSA.

However it would be nice if this could get fixed via a regular point update[1].
Please contact the release team for this.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4145
    http://security-tracker.debian.org/tracker/CVE-2009-4145
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

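The leak class described in the CVE text above, as an added example that is not part of the bug report or the upstream patch: stripping secret properties from a NetworkManager-style settings dictionary before it is placed in a D-Bus signal or reply, plus a check that reports which secrets a payload still carries. The `SECRET_KEYS` table, the function names and the sample connection are assumptions made for illustration.

```python
import copy

# Secret-bearing properties per NetworkManager setting section.
# Assumption: illustrative table, not copied from the upstream patch.
SECRET_KEYS = {
    "802-11-wireless-security": {"psk", "wep-key0", "wep-key1",
                                 "wep-key2", "wep-key3", "leap-password"},
    "802-1x": {"password", "private-key-password",
               "phase2-private-key-password"},
    "gsm": {"password", "pin"},
    "pppoe": {"password"},
    "vpn": {"secrets"},
}


def find_secrets(settings):
    """Return sorted (section, key) pairs for secrets present with a value."""
    found = []
    for section, props in settings.items():
        for key in SECRET_KEYS.get(section, ()):
            if props.get(key):
                found.append((section, key))
    return sorted(found)


def redact_for_bus(settings):
    """Return a deep copy with every secret property dropped.

    The caller's dictionary is left untouched, so the editor can still
    hand the secrets to a private store while only the redacted copy is
    broadcast to other bus clients.
    """
    public = copy.deepcopy(settings)
    for section, keys in SECRET_KEYS.items():
        for key in keys:
            public.get(section, {}).pop(key, None)
    return public


# Constructed sample connection (not from the bug report).
SAMPLE = {
    "connection": {"id": "office-wifi", "type": "802-11-wireless"},
    "802-11-wireless": {"ssid": b"office", "mode": "infrastructure"},
    "802-11-wireless-security": {"key-mgmt": "wpa-psk",
                                 "psk": "constructed-passphrase"},
}

if __name__ == "__main__":
    print("secrets in payload:", find_secrets(SAMPLE))
    print("safe to export:", redact_for_bus(SAMPLE))
```

Running `find_secrets` on every payload just before it is emitted gives a cheap regression check for this class of leak.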




Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Sat, 23 Jan 2010 03:24:11 GMT)


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Sat, 23 Jan 2010 03:24:11 GMT)


Message #10 received at 563371-close@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: 563371-close@bugs.debian.org
Subject: Bug#563371: fixed in network-manager-applet 0.7.2-2
Date: Sat, 23 Jan 2010 03:21:53 +0000
Source: network-manager-applet
Source-Version: 0.7.2-2

We believe that the bug you reported is fixed in the latest version of
network-manager-applet, which is due to be installed in the Debian FTP archive:

network-manager-applet_0.7.2-2.diff.gz
  to main/n/network-manager-applet/network-manager-applet_0.7.2-2.diff.gz
network-manager-applet_0.7.2-2.dsc
  to main/n/network-manager-applet/network-manager-applet_0.7.2-2.dsc
network-manager-gnome_0.7.2-2_i386.deb
  to main/n/network-manager-applet/network-manager-gnome_0.7.2-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 563371@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated network-manager-applet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 22 Jan 2010 23:33:06 +0100
Source: network-manager-applet
Binary: network-manager-gnome
Architecture: source i386
Version: 0.7.2-2
Distribution: unstable
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description: 
 network-manager-gnome - network management framework (GNOME frontend)
Closes: 560067 563371
Changes: 
 network-manager-applet (0.7.2-2) unstable; urgency=low
 .
   * debian/control
     - Bump Build-Depends on libdbus-glib-1-dev to (>= 0.74).
     - Bump Build-Depends on libgtk2.0-dev to (>= 2.14).
   * debian/patches/02-CVE-2009-4145_fix_leakage_of_secrets_on_system_bus.patch
     - Fix potential leakage of secrets onto the system bus. (Closes: #563371)
       Patch backported from upstream Git.
       Fixes: CVE-2009-4145
   * debian/patches/03-CVE-2009-4144_fix_ca_cert_handling_after_cert_file_deletion.patch
     - Fix possible connections to spoofed WPA Enterprise networks when
       certification file is deleted. (Closes: #560067)
       Patch backported from upstream Git.
       Fixes: CVE-2009-4144

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 21 Feb 2010 07:43:31 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:18:14 2019; Machine Name: buxtehude
