Your message dated Mon, 05 Oct 2009 17:02:23 +0000
with message-id <[email protected]>
and subject line Bug#546945: fixed in geoip 1.4.6.dfsg-13
has caused the Debian Bug report #546945,
regarding libgeoip1: GeoIP example update scripts downloaded content without hashsum
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
546945: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546945
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgeoip1
Version: 1.4.6.dfsg-12
Severity: normal

Hi,

The example GeoIP database update scripts, located at
/usr/share/doc/libgeoip1/examples/*.sh update the binary GeoIP databases
from a potentially unsafe source, without validating the downloaded
content, making it vulnerable at least to DNS spoofing, and probably
some more related attacks.

I marked this bug as normal, as the default behavior of the package is
not to use these scripts, but the fact that they exist in the package
will cause people to use them and thus weaken the security of their
machines.

See related bug in another package that also downloads content from the
internet: http://bugs.debian.org/545241

As GeoIP is an important service, maybe we should offer Debian-built
updates, which are built from source, just like the GeoIP.dat that is
provided with the package upon installation, or maybe find some other
secure solution.

Thanks,
    Tom Feiner

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.28-15-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgeoip1 depends on:
ii  libc6                  2.9-26            GNU C Library: Shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-15 compression library - runtime

Versions of packages libgeoip1 recommends:
ii  geoip-database             1.4.6.dfsg-12 IP lookup command line tools that

Versions of packages libgeoip1 suggests:
ii  geoip-bin                  1.4.6.dfsg-12 IP lookup command line tools that

-- no debconf information


--- End Message ---
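The report above describes an update step that overwrites the installed database with whatever the download returned. As an added example (not one of the package's example scripts and not the maintainer's fix), this is the shape of a download step that takes the expected SHA-256 from a source other than the download itself and only replaces the database once the fetched file matches; the URL, the hash value, the install path and the fetch tool (wget) are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded database against a pinned SHA-256 before
# installing it. On mismatch the fetched file is discarded and the existing
# database is left untouched; on match it is renamed into place atomically.

sha256_of() {
    # Print the hex SHA-256 of the file in $1 with whichever tool is present.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

verify_and_install() {
    # $1: downloaded file, $2: expected SHA-256 (pinned out of band),
    # $3: install path. Returns 0 after installing, 1 on mismatch.
    file=$1; expected=$2; dest=$3
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual, expected $expected" >&2
        rm -f "$file"
        return 1
    fi
    chmod 0644 "$file"        # mktemp creates 0600; the database must be readable
    mv -f "$file" "$dest"     # same directory, so the rename is atomic
}

fetch_and_install() {
    # $1: download URL, $2: pinned SHA-256, $3: install path (assumed values).
    # The temporary file lives beside the destination so mv is a rename.
    tmp=$(mktemp "${3}.XXXXXX") || return 1
    if ! wget -q -O "$tmp" "$1"; then
        rm -f "$tmp"
        return 1
    fi
    verify_and_install "$tmp" "$2" "$3"
}

# Usage: script.sh <url> <sha256> <install-path>; does nothing when sourced.
if [ "$#" -eq 3 ]; then
    fetch_and_install "$1" "$2" "$3"
fi
```

A pinned hash has to be refreshed whenever upstream publishes a new database; the point is that the value arrives through a channel the download cannot tamper with.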
--- Begin Message ---
Source: geoip
Source-Version: 1.4.6.dfsg-13

We believe that the bug you reported is fixed in the latest version of
geoip, which is due to be installed in the Debian FTP archive:

geoip-bin_1.4.6.dfsg-13_i386.deb
  to pool/main/g/geoip/geoip-bin_1.4.6.dfsg-13_i386.deb
geoip-database_1.4.6.dfsg-13_all.deb
  to pool/main/g/geoip/geoip-database_1.4.6.dfsg-13_all.deb
geoip_1.4.6.dfsg-13.diff.gz
  to pool/main/g/geoip/geoip_1.4.6.dfsg-13.diff.gz
geoip_1.4.6.dfsg-13.dsc
  to pool/main/g/geoip/geoip_1.4.6.dfsg-13.dsc
libgeoip-dev_1.4.6.dfsg-13_i386.deb
  to pool/main/g/geoip/libgeoip-dev_1.4.6.dfsg-13_i386.deb
libgeoip1_1.4.6.dfsg-13_i386.deb
  to pool/main/g/geoip/libgeoip1_1.4.6.dfsg-13_i386.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <[email protected]> (supplier of updated geoip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Mon, 05 Oct 2009 18:36:29 +0200
Source: geoip
Binary: libgeoip1 libgeoip-dev geoip-bin geoip-database
Architecture: source all i386
Version: 1.4.6.dfsg-13
Distribution: unstable
Urgency: low
Maintainer: Patrick Matthäi <[email protected]>
Changed-By: Patrick Matthäi <[email protected]>
Description: 
 geoip-bin  - IP lookup command line tools that use the GeoIP library
 geoip-database - IP lookup command line tools that use the GeoIP library (country
 libgeoip-dev - Development files for the GeoIP library
 libgeoip1  - A non-DNS IP-to-country resolver library
Closes: 546945 547629
Changes: 
 geoip (1.4.6.dfsg-13) unstable; urgency=low
 .
   * Merge 1.4.6.dfsg-12~bpo40+1 and 1.4.6.dfsg-12~bpo50+1 changelog.
   * Fix patch description for the 02-add_asnum_support. Thanks to Kalle Olavi
     Niemitalo.
     Closes: #547629
   * Update GeoIP Country v4 database to the 1.10.2009 version.
   * Update GeoIP Country v6 database to the 2.10.2009 version.
   * Update debian/README.Debian and note there that the example scripts for
     downloading databases are not secure.
     Closes: #546945
--- End Message ---