Bug#866677: marked as done (rkhunter: CVE-2017-7480: File download via http might lead to RCE)
Your message dated Sun, 16 Jul 2017 12:17:35 +
with message-id and subject line Bug#866677: fixed in rkhunter 1.4.2-0.4+deb8u1
has caused the Debian Bug report #866677,
regarding rkhunter: CVE-2017-7480: File download via http might lead to RCE
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
866677: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866677
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: rkhunter
Version: 1.4.2-0.4
Severity: grave
Tags: upstream security

Hi,

the following vulnerability was published for rkhunter (somehow related
will be at least #765895)

CVE-2017-7480[0]:
File download via http might lead to RCE

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7480
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7480
[1] http://www.openwall.com/lists/oss-security/2017/06/29/2
[2] http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/CHANGELOG
[3] http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/rkhunter?r1=1.549=1.550

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: rkhunter
Source-Version: 1.4.2-0.4+deb8u1

We believe that the bug you reported is fixed in the latest version of
rkhunter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.
If you have further comments please address them to 866...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francois Marier (supplier of updated rkhunter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 11 Jul 2017 20:17:08 -0700
Source: rkhunter
Binary: rkhunter
Architecture: source all
Version: 1.4.2-0.4+deb8u1
Distribution: jessie
Urgency: high
Maintainer: Debian Forensics
Changed-By: Francois Marier
Description:
 rkhunter - rootkit, backdoor, sniffer and exploit scanner
Closes: 765895 866677
Changes:
 rkhunter (1.4.2-0.4+deb8u1) jessie; urgency=high
 .
   * Disable remote updates to fix CVE-2017-7480 and prevent bugs like it
     in the future (closes: #765895, #866677)
Bug#866677: marked as done (rkhunter: CVE-2017-7480: File download via http might lead to RCE)
Your message dated Sat, 15 Jul 2017 22:17:23 +
with message-id and subject line Bug#866677: fixed in rkhunter 1.4.2-6+deb9u1
has caused the Debian Bug report #866677,
regarding rkhunter: CVE-2017-7480: File download via http might lead to RCE
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
866677: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866677
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: rkhunter
Version: 1.4.2-0.4
Severity: grave
Tags: upstream security

Hi,

the following vulnerability was published for rkhunter (somehow related
will be at least #765895)

CVE-2017-7480[0]:
File download via http might lead to RCE

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7480
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7480
[1] http://www.openwall.com/lists/oss-security/2017/06/29/2
[2] http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/CHANGELOG
[3] http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/rkhunter?r1=1.549=1.550

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: rkhunter
Source-Version: 1.4.2-6+deb9u1

We believe that the bug you reported is fixed in the latest version of
rkhunter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.
If you have further comments please address them to 866...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francois Marier (supplier of updated rkhunter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 12 Jul 2017 03:07:17 +
Source: rkhunter
Binary: rkhunter
Architecture: source all
Version: 1.4.2-6+deb9u1
Distribution: stable
Urgency: high
Maintainer: Debian Forensics
Changed-By: Francois Marier
Description:
 rkhunter - rootkit, backdoor, sniffer and exploit scanner
Closes: 765895 866677
Changes:
 rkhunter (1.4.2-6+deb9u1) stable; urgency=high
 .
   * Disable remote updates to fix CVE-2017-7480 and prevent bugs like it
     in the future (closes: #765895, #866677)