Your message dated Sat, 23 Jan 2010 03:21:53 +0000
with message-id <[email protected]>
and subject line Bug#563371: fixed in network-manager-applet 0.7.2-2
has caused the Debian Bug report #563371,
regarding CVE-2009-4145: information disclosure
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
563371: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563371
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: network-manager-applet
Severity: important
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for network-manager-applet.
CVE-2009-4145[0]:
| nm-connection-editor in NetworkManager (NM) 0.7.x exports connection
| objects over D-Bus upon actions in the connection editor GUI, which
| allows local users to obtain sensitive information by reading D-Bus
| signals, as demonstrated by using dbus-monitor to discover the
| password for the WiFi network.
Unfortunately the vulnerability described above is not important enough
to get it fixed via regular security update in Debian stable and oldstable. It
does not warrant a DSA.
However it would be nice if this could get fixed via a regular point update[1].
Please contact the release team for this.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4145
http://security-tracker.debian.org/tracker/CVE-2009-4145
[1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAks/L/YACgkQNxpp46476arPBACeNs+9eC93EMDJUxvxMdxjvnvI
wP8AoJNMHewgvBXSxUA4iIHHuWZEEoK6
=vfPq
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
Source: network-manager-applet
Source-Version: 0.7.2-2
We believe that the bug you reported is fixed in the latest version of
network-manager-applet, which is due to be installed in the Debian FTP archive:
network-manager-applet_0.7.2-2.diff.gz
to main/n/network-manager-applet/network-manager-applet_0.7.2-2.diff.gz
network-manager-applet_0.7.2-2.dsc
to main/n/network-manager-applet/network-manager-applet_0.7.2-2.dsc
network-manager-gnome_0.7.2-2_i386.deb
to main/n/network-manager-applet/network-manager-gnome_0.7.2-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <[email protected]> (supplier of updated network-manager-applet
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 22 Jan 2010 23:33:06 +0100
Source: network-manager-applet
Binary: network-manager-gnome
Architecture: source i386
Version: 0.7.2-2
Distribution: unstable
Urgency: low
Maintainer: Utopia Maintenance Team
<[email protected]>
Changed-By: Michael Biebl <[email protected]>
Description:
network-manager-gnome - network management framework (GNOME frontend)
Closes: 560067 563371
Changes:
network-manager-applet (0.7.2-2) unstable; urgency=low
.
* debian/control
- Bump Build-Depends on libdbus-glib-1-dev to (>= 0.74).
- Bump Build-Depends on libgtk2.0-dev to (>= 2.14).
* debian/patches/02-CVE-2009-4145_fix_leakage_of_secrets_on_system_bus.patch
- Fix potential leakage of secrets onto the system bus. (Closes: #563371)
Patch backported from upstream Git.
Fixes: CVE-2009-4145
*
debian/patches/03-CVE-2009-4144_fix_ca_cert_handling_after_cert_file_deletion.patch
- Fix possible connections to spoofed WPA Enterprise networks when
certification file is deleted. (Closes: #560067)
Patch backported from upstream Git.
Fixes: CVE-2009-4144
Checksums-Sha1:
15becbfe6aead279afc52538459a694761df360d 1759
network-manager-applet_0.7.2-2.dsc
cf76986a4d1711f141719efd7d02a9741591fbac 14785
network-manager-applet_0.7.2-2.diff.gz
2dc386a749baf58b92507ca090b18d42d7e93b0d 917806
network-manager-gnome_0.7.2-2_i386.deb
Checksums-Sha256:
5b941473679ea6728e94e37d9a3f857577fbb2c6a0aeeaa6efc346bf32230e0d 1759
network-manager-applet_0.7.2-2.dsc
3823228b3428f1f0441fc73248e452d42cdf90e609647a4c0b2c259dfae84504 14785
network-manager-applet_0.7.2-2.diff.gz
d18f6e81ac89cc18f7d58965b83504f1a54f1e8dcd3c4a1ffafcbb356f890659 917806
network-manager-gnome_0.7.2-2_i386.deb
Files:
67c8fb551ed5d0b176e23b87e6b19b5e 1759 gnome optional
network-manager-applet_0.7.2-2.dsc
b6be6cf6066090e988f2bbf137265a75 14785 gnome optional
network-manager-applet_0.7.2-2.diff.gz
5562f0367cae62ec89f8d0c2a01e17b2 917806 gnome optional
network-manager-gnome_0.7.2-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktaVe4ACgkQh7PER70FhVSxrgCdGC8g/1a4zUEKbsMldTFve3pA
HoIAn3dZU6me/MqwORVMN8H/MCqcV9pu
=mz+I
-----END PGP SIGNATURE-----
--- End Message ---
