Your message dated Sun, 24 Jan 2010 15:35:31 +0000
with message-id <[email protected]>
and subject line Bug#559815: fixed in hercules 3.06-1.2
has caused the Debian Bug report #559815,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
559815: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559815
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: hercules
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736



--- End Message ---
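
Added example, not part of the original report or of any Debian tooling: one way a maintainer could start the check the report asks for, by locating bundled ltdl.c copies in an unpacked source tree and classifying the libtool version found in ltmain.sh against the CVE text. The function names are hypothetical, and reading the VERSION= line of ltmain.sh as the version of the bundled libltdl is an assumption.

```sh
#!/bin/sh
# Added example: audit an unpacked source tree for a bundled libltdl.
# Function names are hypothetical. Assumption: the VERSION= line in
# ltmain.sh reflects the libtool release the bundled libltdl came from.

# Classify a libtool version against the CVE-2009-3736 text quoted above:
# "1.5.x, and 2.2.6 before 2.2.6b".
cve_2009_3736_status() {
    case "$1" in
        '')            echo unknown ;;
        1.5|1.5.*)     echo affected ;;
        2.2.6|2.2.6a)  echo affected ;;
        *)             echo not-listed ;;
    esac
}

# Print the first VERSION= value in an ltmain.sh, without quotes or
# distribution suffix (e.g. VERSION="1.5.22 Debian 1.5.22-4" -> 1.5.22).
ltmain_version() {
    sed -n 's/^VERSION=//p' "$1" | head -n 1 | tr -d "\"'" | cut -d' ' -f1
}

# Report bundled ltdl.c copies and the libtool version(s) shipped with them.
# Returns 1 when a bundled copy sits in a tree whose libtool is affected.
scan_tree() {
    bundled=$(find "$1" -type f -name ltdl.c | sort)
    if [ -z "$bundled" ]; then
        echo "no bundled ltdl.c under $1"
        return 0
    fi
    echo "$bundled" | sed 's/^/bundled copy: /'
    rc=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        ver=$(ltmain_version "$f")
        st=$(cve_2009_3736_status "$ver")
        echo "libtool ${ver:-?} ($f): $st"
        if [ "$st" = affected ]; then rc=1; fi
    done <<EOF
$(find "$1" -type f -name ltmain.sh | sort)
EOF
    return $rc
}

if [ "$#" -gt 0 ]; then scan_tree "$1"; fi
```

A hit here only shows that the source ships an affected copy; whether that copy is compiled into the binary package still has to be confirmed from the build, as the report notes.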
--- Begin Message ---
Source: hercules
Source-Version: 3.06-1.2

We believe that the bug you reported is fixed in the latest version of
hercules, which is due to be installed in the Debian FTP archive:

hercules_3.06-1.2.diff.gz
  to main/h/hercules/hercules_3.06-1.2.diff.gz
hercules_3.06-1.2.dsc
  to main/h/hercules/hercules_3.06-1.2.dsc
hercules_3.06-1.2_amd64.deb
  to main/h/hercules/hercules_3.06-1.2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <[email protected]> (supplier of updated hercules package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 24 Jan 2010 00:44:52 +0000
Source: hercules
Binary: hercules
Architecture: source amd64
Version: 3.06-1.2
Distribution: unstable
Urgency: low
Maintainer: Peter De Schrijver (p2) <[email protected]>
Changed-By: Thorsten Glaser <[email protected]>
Description: 
 hercules   - System/370, ESA/390 and z/Architecture Emulator
Closes: 559815
Changes: 
 hercules (3.06-1.2) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Use autoreconf in order to use system libltdl instead of the bundled
     one (upgrading from 1.x to 2.2). (Closes: #559815) (CVE-2009-3736)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----



--- End Message ---
