Your message dated Thu, 04 Sep 2008 14:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#496404: fixed in caudium 3:1.4.12-11.1
has caused the Debian Bug report #496404,
regarding The possibility of attack with the help of symlinks in some Debian packages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

-- 
496404: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496404
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: caudium
Severity: grave

Hi, maintainer!

This message about the error concerns a few packages at once. I've tested all the packages (for Lenny) on my Debian mirror. All scripts of packages (marked as executable) were tested.

In some packages I've discovered scripts with errors which may be used by a user for damaging important system files or users' files.

For example, if a script uses in its work a temp file which is created in the /tmp directory, then every user can create a symlink with the same name in this directory in order to destroy or rewrite some system or user file.

A symlink attack may lead not only to data destruction but to denial of service as well.

Even if you create files or directories with the help of the function 'RANDOM' or pid(), your system is not protected. An attacker can create many symlinks in order to destroy your data or create a 'denial of service' for your package scripts.

Even if you make rm(dir) for files/directories, your system is not protected. An attacker can permanently create symlinks.

This list is created with the help of a script. This list is sorted by hand. However, in some cases a mistake is possible. Please be understanding of possible mistakes. :)

I set Severity to grave for this bug.

The table of discovered problems is below.
Discussion of this bug you can see in debian-devel@:
http://lists.debian.org/debian-devel/2008/08/msg00271.html

Binary-package: r-base-core-ra (1.1.1-1)
 file: /usr/lib/Ra/lib/R/bin/javareconf
Binary-package: rccp (0.9-2)
 file: /usr/lib/rccp/delqueueask
Binary-package: mafft (6.240-1)
 file: /usr/bin/mafft-homologs
Binary-package: openoffice.org-common (1:2.4.1-6)
 file: /usr/lib/openoffice/program/senddoc
Binary-package: crossfire-maps (1.11.0-1)
 file: /usr/share/games/crossfire/maps/Info/combine.pl
Binary-package: sgml2x (1.0.0-11.1)
 file: /usr/bin/rlatex
Binary-package: liguidsoap (0.3.6-4)
 file: /var/lib/liguidsoap/liguidsoap.py
Binary-package: citadel-server (7.37-1)
 file: /usr/lib/citadel-server/migrate_aliases.sh
Binary-package: ampache (3.4.1-1)
 file: /usr/share/ampache/www/locale/base/gather-messages.sh
Binary-package: xen-utils-3.2-1 (3.2.1-2)
 file: /usr/lib/xen-3.2-1/bin/qemu-dm.debug
Binary-package: dtc-common (0.29.6-1)
 file: /usr/share/dtc/admin/accesslog.php
 file: /usr/share/dtc/admin/sa-wrapper
Binary-package: honeyd-common (1.5c-3)
 file: /usr/share/honeyd/scripts/test.sh
Binary-package: lustre-tests (1.6.5-1)
 file: /usr/lib/lustre/tests/runiozone
Binary-package: linuxtrade (3.65-8+b4)
 file: /usr/share/linuxtrade/bin/linuxtrade.bwkvol
 file: /usr/share/linuxtrade/bin/linuxtrade.wn
 file: /usr/share/linuxtrade/bin/moneyam.helper
Binary-package: freevo (1.8.1-0)
 file: /usr/bin/freevo.real
Binary-package: fml (4.0.3.dfsg-2)
 file: /usr/share/fml/libexec/mead.pl
Binary-package: rkhunter (1.3.2-3)
 file: /usr/bin/rkhunter
Binary-package: openswan (1:2.4.12+dfsg-1.1)
 file: /usr/lib/ipsec/livetest
Binary-package: linux-patch-openswan (1:2.4.12+dfsg-1.1)
 file: /usr/src/kernel-patches/all/openswan/packaging/utils/maysnap
 file: /usr/src/kernel-patches/all/openswan/packaging/utils/maytest
Binary-package: aptoncd (0.1-1.1)
 file: /usr/share/aptoncd/xmlfile.py
Binary-package: cdcontrol (1.90-1.1)
 file: /usr/lib/cdcontrol/writtercontrol
Binary-package: newsgate (1.6-23)
 file: /usr/bin/mkmailpost
Binary-package: gpsdrive-scripts (2.10~pre4-3)
 file: /usr/bin/geo-code
Binary-package: impose+ (0.2-11)
 file: /usr/bin/impose
Binary-package: mgt (2.31-5)
 file: /usr/games/mailgo
Binary-package: audiolink (0.05-1)
 file: /usr/bin/audiolink
Binary-package: ibackup (2.27-4.1)
 file: /usr/bin/ibackup
Binary-package: emacspeak (26.0-3)
 file: /usr/share/emacs/site-lisp/emacspeak/etc/extract-table.pl
Binary-package: bk2site (1:1.1.9-3.1)
 file: /usr/lib/cgi-bin/bk2site/redirect.pl
Binary-package: datafreedom-perl (0.1.7-1)
 file: /usr/bin/dfxml-invoice
Binary-package: emacs-jabber (0.7.91-1)
 file: /usr/lib/emacsen-common/packages/install/emacs-jabber
Binary-package: lmbench (3.0-a7-1)
 file: /usr/lib/lmbench/scripts/rccs
 file: /usr/lib/lmbench/scripts/STUFF
Binary-package: rancid-util (2.3.2~a8-1)
 file: /var/lib/rancid/getipacctg
Binary-package: ogle (0.9.2-5.2)
 file: /usr/lib/ogle/ogle_audio_debug
 file: /usr/lib/ogle/ogle_cli_debug
 file: /usr/lib/ogle/ogle_ctrl_debug
 file: /usr/lib/ogle/ogle_gui_debug
 file: /usr/lib/ogle/ogle_mpeg_ps_debug
 file: /usr/lib/ogle/ogle_mpeg_vs_debug
 file: /usr/lib/ogle/ogle_nav_debug
 file: /usr/lib/ogle/ogle_vout_debug
Binary-package: firehol (1.256-4)
 file: /sbin/firehol
Binary-package: aview (1.3.0rc1-8)
 file: /usr/bin/asciiview
Binary-package: radiance (3R9+20080530-3)
 file: /usr/bin/optics2rad
 file: /usr/bin/pdelta
 file: /usr/bin/dayfact
 file: /usr/bin/raddepend
Binary-package: vdr-dbg (1.6.0-5)
 file: /usr/bin/vdrleaktest
Binary-package: ogle-mmx (0.9.2-5.2)
 file: /usr/lib/ogle/ogle_audio_debug
 file: /usr/lib/ogle/ogle_cli_debug
 file: /usr/lib/ogle/ogle_ctrl_debug
 file: /usr/lib/ogle/ogle_gui_debug
 file: /usr/lib/ogle/ogle_mpeg_ps_debug
 file: /usr/lib/ogle/ogle_mpeg_vs_debug
 file: /usr/lib/ogle/ogle_nav_debug
 file: /usr/lib/ogle/ogle_vout_debug
Binary-package: convirt (0.8.2-3)
 file: /usr/share/convirt/image_store/_template_/provision.sh
 file: /usr/share/convirt/image_store/Linux_CD_Install/provision.sh
 file: /usr/share/convirt/image_store/Fedora_PV_Install/provision.sh
 file: /usr/share/convirt/image_store/CentOS_PV_Install/provision.sh
 file: /usr/share/convirt/image_store/common/provision.sh
 file: /usr/share/convirt/image_store/example/provision.sh
 file: /usr/share/convirt/image_store/Windows_CD_Install/provision.sh
Binary-package: printfilters-ppd (2.13-9)
 file: /usr/lib/printfilters/master-filter
Binary-package: r-base-core (2.7.1-1)
 file: /usr/lib/R/bin/javareconf
 file: /usr/lib/R/bin/javareconf.orig
Binary-package: xmcd (2.6-19.3)
 file: /usr/share/xmcd/scripts/ncsarmt
 file: /usr/share/xmcd/scripts/ncsawrap
Binary-package: tiger (1:3.2.2-3.1)
 file: /usr/lib/tiger/util/genmsgidx
Binary-package: scilab-bin (4.1.2-5)
 file: /usr/lib/scilab-4.1.2/bin/scilink
 file: /usr/lib/scilab-4.1.2/util/scidoc
 file: /usr/lib/scilab-4.1.2/util/scidem
Binary-package: dpkg-cross (2.3.0)
 file: /usr/share/dpkg-cross/bin/gccross
Binary-package: ltp-network-test (20060918-2.1)
 file: /usr/lib/debian-test/tests/linux/testcases/bin/ftp_setup_vsftp_conf
 file: /usr/lib/debian-test/tests/linux/testcases/bin/nfs_fsstress.sh
Binary-package: cman (2.20080629-1)
 file: /usr/sbin/fence_egenera
Binary-package: scratchbox2 (1.99.0.24-1)
 file: /usr/share/scratchbox2/scripts/dpkg-checkbuilddeps
 file: /usr/share/scratchbox2/scripts/sb2-check-pkg-mappings
Binary-package: sendmail-base (8.14.3-5)
 file: /usr/sbin/checksendmail
 file: /usr/bin/expn
Binary-package: fwbuilder (2.1.19-3)
 file: /usr/bin/fwb_install
Binary-package: sng (1.0.2-5)
 file: /usr/bin/sng_regress
Binary-package: dist (1:3.5-17-1)
 file: /usr/bin/patcil
 file: /usr/bin/patdiff
Binary-package: sympa (5.3.4-5)
 file: /usr/lib/cgi-bin/sympa/wwsympa.fcgi
 file: /usr/lib/sympa/bin/sympa.pl
Binary-package: postfix (2.5.2-2)
 file: /usr/lib/postfix_groups.pl
Binary-package: caudium (3:1.4.12-11)
 file: /usr/share/caudium/configvar
Binary-package: mgetty-fax (1.1.36-1.2)
 file: /usr/bin/faxspool
Binary-package: aegis (4.24-3)
 file: /usr/share/doc/aegis/examples/remind/bng_dvlpd.sh
 file: /usr/share/doc/aegis/examples/remind/bng_rvwd.sh
 file: /usr/share/doc/aegis/examples/remind/awt_dvlp.sh
 file: /usr/share/doc/aegis/examples/remind/awt_intgrtn.sh
Binary-package: aegis-web (4.24-3)
 file: /usr/lib/cgi-bin/aegis.cgi
Binary-package: digitaldj (0.7.5-6+b1)
 file: /usr/share/digitaldj/fest.pl
Binary-package: mon (0.99.2-12)
 file: /usr/lib/mon/alert.d/test.alert
Binary-package: feta (1.4.16)
 file: /usr/share/feta/plugins/to-upgrade
Binary-package: arb-common (0.0.20071207.1-4)
 file: /usr/lib/arb/SH/arb_fastdnaml
 file: /usr/lib/arb/SH/dszmconnect.pl
Binary-package: qemu (0.9.1-5)
 file: /usr/sbin/qemu-make-debian-root
Binary-package: apertium (3.0.7+1-1+b1)
 file: /usr/bin/apertium-gen-deformat
 file: /usr/bin/apertium-gen-reformat
 file: /usr/bin/apertium
Binary-package: xcal (4.1-18.3)
 file: /usr/bin/pscal
Binary-package: myspell-tools (1:3.1-20)
 file: /usr/bin/i2myspell
Binary-package: gccxml (0.9.0+cvs20080525-1)
 file: /usr/share/gccxml-0.9/MIPSpro/find_flags
Binary-package: freeradius-dialupadmin (2.0.4+dfsg-4)
 file: /usr/share/freeradius-dialupadmin/bin/backup_radacct
 file: /usr/share/freeradius-dialupadmin/bin/clean_radacct
 file: /usr/share/freeradius-dialupadmin/bin/monthly_tot_stats
 file: /usr/share/freeradius-dialupadmin/bin/tot_stats
 file: /usr/share/freeradius-dialupadmin/bin/truncate_radacct
Binary-package: dhis-server (5.3-1)
 file: /usr/lib/dhis-server/dhis-dummy-log-engine
Binary-package: wims (3.62-13)
 file: /var/lib/wims/public_html/bin/coqweb
 file: /var/lib/wims/bin/account.sh
Binary-package: initramfs-tools (0.92f)
 file: /usr/share/initramfs-tools/init
Binary-package: realtimebattle-common (1.0.8-7)
 file: /usr/lib/realtimebattle/Robots/perl.robot
Binary-package: netmrg (0.20-1)
 file: /usr/bin/rrdedit
Binary-package: bulmages-servers (0.11.1-2)
 file: /usr/share/bulmages/examples/scripts/actualizabulmacont
 file: /usr/share/bulmages/examples/scripts/installbulmages-db
 file: /usr/share/bulmages/examples/scripts/creabulmafact
 file: /usr/share/bulmages/examples/scripts/creabulmacont
 file: /usr/share/bulmages/examples/scripts/actualizabulmafact
Binary-package: xastir (1.9.2-1)
 file: /usr/lib/xastir/get-maptools.sh
 file: /usr/lib/xastir/get_shapelib.sh
Binary-package: plait (1.5.2-1)
 file: /usr/bin/plaiter
 file: /usr/bin/plait
Binary-package: cdrw-taper (0.4-2)
 file: /usr/sbin/amlabel-cdrw
Binary-package: konwert-filters (1.8-11.1)
 file: /usr/share/konwert/filters/any-UTF8
Binary-package: gdrae (0.1-1)
 file: /usr/bin/gdrae
Binary-package: lazarus-src (0.9.24-0-9)
 file: /usr/lib/lazarus/tools/install/create_lazarus_export_tgz.sh
--- End Message ---
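The report's point, as an added example that is not code from the bug report or from any package it lists: the predictable /tmp name it warns about next to the mktemp pattern that closes the hole, with the ownership and mode check a script can apply afterwards. The name "myscript", the TMPDIR sandbox and the demo() walkthrough are assumptions for illustration only.

```shell
#!/bin/sh
# Added example; not code from the bug report or from any package it lists.
# Contrasts the predictable /tmp name the report warns about with mktemp,
# which creates the file itself (O_CREAT|O_EXCL, mode 0600) so a symlink
# planted at the chosen name makes it fail rather than being followed.
# "myscript", the TMPDIR sandbox and demo() are illustration only.

# Insecure: a name built from the pid (or $RANDOM) is guessable, and ">"
# follows whatever symlink another local user left at that path.
insecure_tmpfile() {
    printf '%s\n' "${TMPDIR:-/tmp}/myscript.$$"
}

# Secure: let mktemp pick the name and create the file atomically.
secure_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/myscript.XXXXXX"
}

# Post-creation check a script can run: regular file, not a symlink,
# owned by the caller, mode 0600 (stat -c is the GNU coreutils form).
tmpfile_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(stat -c %u "$1")" = "$(id -u)" ] || return 1
    [ "$(stat -c %a "$1")" = "600" ]
}

# Regression walkthrough in a throwaway directory standing in for /tmp:
# report what happens to a bystander file under each pattern (constructed data).
demo() {
    sandbox=$(mktemp -d) || return 1
    victim="$sandbox/victim"
    printf 'important data\n' > "$victim"
    # The situation the report describes: a link already sits at the
    # name the script is about to use.
    ln -s "$victim" "$(TMPDIR=$sandbox insecure_tmpfile)"

    printf 'scratch\n' > "$(TMPDIR=$sandbox insecure_tmpfile)"
    after_insecure=$(cat "$victim")            # bystander clobbered

    printf 'important data\n' > "$victim"
    t=$(TMPDIR=$sandbox secure_tmpfile) || return 1
    tmpfile_is_private "$t" && privacy=ok || privacy=bad
    printf 'scratch\n' > "$t"
    after_secure=$(cat "$victim")              # bystander untouched

    rm -rf "$sandbox"
    printf '%s|%s|%s\n' "$after_insecure" "$after_secure" "$privacy"
}
```

Running demo prints "scratch|important data|ok": the fixed-name write went through the planted link, the mktemp file never touched it and passed the privacy check.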
--- Begin Message ---
Source: caudium
Source-Version: 3:1.4.12-11.1

We believe that the bug you reported is fixed in the latest version of
caudium, which is due to be installed in the Debian FTP archive:

caudium-dev_1.4.12-11.1_all.deb
  to pool/main/c/caudium/caudium-dev_1.4.12-11.1_all.deb
caudium-modules_1.4.12-11.1_amd64.deb
  to pool/main/c/caudium/caudium-modules_1.4.12-11.1_amd64.deb
caudium-perl_1.4.12-11.1_all.deb
  to pool/main/c/caudium/caudium-perl_1.4.12-11.1_all.deb
caudium-pixsl_1.4.12-11.1_amd64.deb
  to pool/main/c/caudium/caudium-pixsl_1.4.12-11.1_amd64.deb
caudium-ultralog_1.4.12-11.1_amd64.deb
  to pool/main/c/caudium/caudium-ultralog_1.4.12-11.1_amd64.deb
caudium_1.4.12-11.1.diff.gz
  to pool/main/c/caudium/caudium_1.4.12-11.1.diff.gz
caudium_1.4.12-11.1.dsc
  to pool/main/c/caudium/caudium_1.4.12-11.1.dsc
caudium_1.4.12-11.1_all.deb
  to pool/main/c/caudium/caudium_1.4.12-11.1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated caudium package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.8
Date: Thu, 04 Sep 2008 13:34:24 +0200
Source: caudium
Binary: caudium caudium-modules caudium-pixsl caudium-ultralog caudium-dev caudium-perl
Architecture: source amd64 all
Version: 3:1.4.12-11.1
Distribution: unstable
Urgency: high
Maintainer: Henrik Andreasson <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
 caudium    - An extensible WWW server written in Pike
 caudium-dev - Development files for Caudium
 caudium-modules - C modules for Caudium
 caudium-perl - Perl script support for Caudium
 caudium-pixsl - Pike XSLT module for Caudium
 caudium-ultralog - Log Parser module for Caudium
Closes: 496404
Changes:
 caudium (3:1.4.12-11.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix insecure temporary file usage in configvar script
     (CVE-2008-3883; Closes: #496404)
--- End Message ---

