Your message dated Tue, 14 Oct 2008 13:47:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#502019: fixed in bugzilla 3.0.4.1-2+lenny1
has caused the Debian Bug report #502019,
regarding CVE-2008-4437 - Directory traversal vulnerability in importxml.pl
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
502019: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502019
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: bugzilla
Version: 3.0.4.1-2
User: [EMAIL PROTECTED]
Usertags: origin-ubuntu ubuntu-patch intrepid
Directory traversal vulnerability in importxml.pl in
Bugzilla before 2.22.5, and 3.x before 3.0.5, when --attach_path
is enabled, allows remote attackers to read arbitrary files via an
XML file with a .. (dot dot) in the data element.
Ubuntu Bug - https://bugs.edge.launchpad.net/ubuntu/+source/bugzilla/+bug/280641
Patch supplied is from Upstream.
--
Stefan Lesicnik
([EMAIL PROTECTED])
debian-patch
Description: Binary data
--- End Message ---
--- Begin Message ---
Source: bugzilla
Source-Version: 3.0.4.1-2+lenny1
We believe that the bug you reported is fixed in the latest version of
bugzilla, which is due to be installed in the Debian FTP archive:
bugzilla3-doc_3.0.4.1-2+lenny1_all.deb
to pool/main/b/bugzilla/bugzilla3-doc_3.0.4.1-2+lenny1_all.deb
bugzilla3_3.0.4.1-2+lenny1_all.deb
to pool/main/b/bugzilla/bugzilla3_3.0.4.1-2+lenny1_all.deb
bugzilla_3.0.4.1-2+lenny1.diff.gz
to pool/main/b/bugzilla/bugzilla_3.0.4.1-2+lenny1.diff.gz
bugzilla_3.0.4.1-2+lenny1.dsc
to pool/main/b/bugzilla/bugzilla_3.0.4.1-2+lenny1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated bugzilla package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 14 Oct 2008 12:12:35 +0200
Source: bugzilla
Binary: bugzilla3 bugzilla3-doc
Architecture: source all
Version: 3.0.4.1-2+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Raphael Bossek <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
bugzilla3 - web-based bug tracking system
bugzilla3-doc - comprehensive guide to Bugzilla
Closes: 502019
Changes:
bugzilla (3.0.4.1-2+lenny1) testing-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add upstream patch to 32_importxml.sh to filter out all leading path
data from the filename passed to importxml.pl to prevent directory
traversal attacks (CVE-2008-4437; Closes: #502019).
Checksums-Sha1:
57d85be14428b406168e285208a2d425fe146c97 1242 bugzilla_3.0.4.1-2+lenny1.dsc
ad2470db964ed713b0f286db5ddcba3331cbc0ad 3954446 bugzilla_3.0.4.1.orig.tar.gz
bdcd26f16bd52b7ba3dd95670b2ddc0c4b5ae14b 68617 bugzilla_3.0.4.1-2+lenny1.diff.gz
63006eded1f6ce0f60f901f4ca69c1a6cc9aabf3 2159336 bugzilla3_3.0.4.1-2+lenny1_all.deb
240391e59ffc218c0a50e927657ac351610d59c8 759746 bugzilla3-doc_3.0.4.1-2+lenny1_all.deb
Checksums-Sha256:
2eb13c4b7f4a27ae456be68116db6f860020f718ae7654e094898ba4908dcb6d 1242 bugzilla_3.0.4.1-2+lenny1.dsc
373277aa535424e7aef9e15f93047965ddc965e15a55e9301f8ed2abbe075286 3954446 bugzilla_3.0.4.1.orig.tar.gz
18c1147f0e3638e18a4cc29eba7e1a56444cb9cf2c556e4281ffd381b3baac18 68617 bugzilla_3.0.4.1-2+lenny1.diff.gz
b51c37ecf0f1adbcbb054840c50f53044605f925be439454767b6053cc9d9764 2159336 bugzilla3_3.0.4.1-2+lenny1_all.deb
c22a930424a0a45ce62a39c0eabc312bc4449470d2ee4bf954b00163777a6517 759746 bugzilla3-doc_3.0.4.1-2+lenny1_all.deb
Files:
1e05b4a22f8b9fefb1fa4f5f85bd2a23 1242 web optional bugzilla_3.0.4.1-2+lenny1.dsc
a5059f2d816d9675f7029146c2153a7a 3954446 web optional bugzilla_3.0.4.1.orig.tar.gz
7a3cb55337b5559e9d88a08d60684ada 68617 web optional bugzilla_3.0.4.1-2+lenny1.diff.gz
79c384041f6615a52dd6504c16e3b2b6 2159336 web optional bugzilla3_3.0.4.1-2+lenny1_all.deb
f152d2159ba9542ce6154694ca6f97bf 759746 doc optional bugzilla3-doc_3.0.4.1-2+lenny1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkj0c1MACgkQHYflSXNkfP+eiwCfaOQGzMnDbSiUfb49BOaJVrUj
K2cAnAvYiRXcPTqF6GhpBP9lmDgNz+m9
=YaGI
-----END PGP SIGNATURE-----
--- End Message ---
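The changelog in the message above describes the mitigation for CVE-2008-4437: filter out all leading path data from the filename that importxml.pl takes from the XML data element, so an attacker-supplied name can no longer point outside the attach_path directory. The Python example below is added here for illustration; it is neither Bugzilla's code nor the Debian patch. It shows that basename-style filtering together with a second containment check on the resolved path. The attachment directory, the XML element layout (`<data encoding="filename">`), the sample documents and every function name are assumptions made for this example.

```python
import os
import posixpath
import xml.etree.ElementTree as ET
from typing import List

# Assumed attachment directory; a placeholder, not a path taken from Bugzilla or the Debian package.
ATTACH_PATH = "/srv/bugzilla/attach_path"


class UnsafeFilename(ValueError):
    """Raised when an attachment name from untrusted XML cannot be mapped safely under attach_path."""


def strip_leading_path(raw: str) -> str:
    """Keep only the final path component of an attacker-controlled name.

    Both '/' and '\\' are treated as separators so a Windows-style traversal
    string is reduced the same way. Empty results, '.', '..' and NUL bytes are
    rejected rather than silently mapped to some other file.
    """
    name = posixpath.basename(raw.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise UnsafeFilename("rejected attachment name %r" % raw)
    return name


def resolve_under_attach_path(raw: str, attach_path: str = ATTACH_PATH) -> str:
    """Return the absolute on-disk path for an attachment name, guaranteed to lie inside attach_path."""
    name = strip_leading_path(raw)
    base = os.path.realpath(attach_path)
    full = os.path.realpath(os.path.join(base, name))
    # Second, independent check: even after basename() the resolved path must stay inside the base.
    if os.path.commonpath([base, full]) != base:
        raise UnsafeFilename("%r resolves outside %s" % (raw, attach_path))
    return full


def attachment_paths_from_xml(xml_text: str, attach_path: str = ATTACH_PATH) -> List[str]:
    """Find every <data encoding="filename"> element and map its text to a safe path.

    The element layout is constructed for this example and is not a claim
    about Bugzilla's real import format.
    """
    root = ET.fromstring(xml_text)
    paths = []
    for data in root.iter("data"):
        if data.get("encoding") != "filename":
            continue  # inline (e.g. base64) attachment data carries no filename
        paths.append(resolve_under_attach_path((data.text or "").strip(), attach_path))
    return paths


# Constructed samples: one benign name and one traversal attempt of the kind the CVE text describes.
SAMPLE_XML = """<bugzilla>
  <bug>
    <attachment>
      <data encoding="filename">screenshot.png</data>
    </attachment>
  </bug>
</bugzilla>"""

TRAVERSAL_XML = """<bugzilla>
  <bug>
    <attachment>
      <data encoding="filename">../../../../etc/passwd</data>
    </attachment>
  </bug>
</bugzilla>"""

if __name__ == "__main__":
    print(attachment_paths_from_xml(SAMPLE_XML))
    # The traversal name is reduced to its basename "passwd" and stays under ATTACH_PATH.
    print(attachment_paths_from_xml(TRAVERSAL_XML))
```

Stripping the leading path is the fix the changelog names; the `commonpath` check after `realpath` costs nothing and catches any future code path that forgets to call `strip_leading_path` before joining a name onto the attachment directory.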