Your message dated Mon, 21 Mar 2011 14:20:23 +0000
with message-id <[email protected]>
and subject line Bug#606554: fixed in aolserver4 4.5.1-15
has caused the Debian Bug report #606554,
regarding cherokee: affected by privilege escalation vulnerability in logrotate
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
606554: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606554
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cherokee
Version: 0.99.20-1
Severity: grave
Justification: privilege escalation vulnerability
Tags: security

There was a privilege escalation vulnerability in logrotate that I reported
about four years ago and which finally got fixed in testing roughly one
year ago (see bug #388608). In lenny this vulnerability still exists and
logrotate's maintainer doesn't seem to be interested in fixing it,
given that nothing of substance has happened since when I last notified him
of the problem about two weeks ago.

As a proof of concept, I did successfully use it to elevate my privileges
from the postgres user to root. As it affects packages where the log
directory is writable for the package's system user, I based this mass
filing on a rough analysis of maintainer scripts, avoiding the effort
of actually installing and testing each individual package.

These lines from this package's maintainer scripts suggest that it likely
is affected by the vulnerability:

---------------------------------------------------------------------------
chown $RUNAS_USER $LOGFILE
chown $RUNAS_USER $LOGDIR
---------------------------------------------------------------------------

Please note that the analysis this mass filing is based on also is
roughly a year old, and anyhow I don't recall which debian suite I based
it on at that time--as such, this report may be against the wrong version
and otherwise outdated in some details. Given how much effort I have
already needlessly put into this, I hope you have some understanding
for me not polishing this bug report.

Primarily I am filing this bug in order to allow the maintainers of
packages using logrotate to work around logrotate if they deem that
necessary.

Also, you should note that the security fix in testing introduces a
regression that may also affect this package which could cause data loss
in situations where this couldn't happen before. A fix for this regression
is available to logrotate's maintainer, also still unapplied for over a
year. A mass filing against packages affected by that regression may
follow later.

For some further details please see my announcement of this mass
filing on debian-qa:

http://lists.debian.org/debian-qa/2010/11/msg00024.html

I would also suggest to use that thread for any further discussion that
is not specific to this package and possibly for coordination between
maintainers of affected packages in order to avoid duplicated efforts
where possible.



--- End Message ---
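The two chown lines quoted from the maintainer script, and the aolserver4 changelog entry later in this thread ("avoid changing recursively run and log dirs at configuration time ... (sym)link attacks"), describe one pattern: root runs chown on a path inside a directory that the unprivileged service user already owns. The script below is an added illustration and is not code from the bug report, from cherokee or from aolserver4. It contrasts the quoted form with a form that cannot be redirected through a symlink and with the create-once approach the changelog describes. It assumes a chown that supports -h (POSIX and GNU coreutils) and a writable scratch directory; it needs no root, because a dangling symlink stands in for "symlink to /etc/shadow": chown(2) reports ENOENT when it follows a dangling link, which makes the dereference observable without re-owning anybody's file. The fixture it creates is constructed for the demo, not a real log directory.

```shell
#!/bin/sh
# Added illustration of the symlink side of the bug class above; not code from
# the report or from the cherokee/aolserver4 packages. Assumes chown -h is
# available and that mktemp can create a scratch directory. Runs as any user.

RUNAS_USER=$(id -u)    # numeric stand-in for the package's service user

# The shape quoted from the maintainer script: plain chown on a path inside a
# directory the service user already owns. chown without -h follows a symlink,
# so if that user replaced $LOGFILE with a link, root re-owns the link's target.
unsafe_chown() {        # usage: unsafe_chown USER PATH; returns chown's status
    chown "$1" "$2"
}

# Hardened form: refuse anything that is a symlink, and use -h (lchown) so a
# swap from regular file to symlink between the test and the chown still cannot
# re-own the target; at worst the symlink itself changes owner.
safe_chown() {          # usage: safe_chown USER PATH
    if [ -L "$2" ]; then
        echo "safe_chown: refusing symlink $2" >&2
        return 1
    fi
    chown -h "$1" "$2"
}

# The create-once approach: set ownership only on a directory this script
# itself creates, never on a pre-existing path at configure/upgrade time.
# mkdir fails if anything (file, dir, symlink) is already there, so a path the
# service user prepared is never chowned.
# Returns 0 if the directory was created and owned, 1 if it was left alone.
create_logdir_once() {  # usage: create_logdir_once USER DIR
    if mkdir -m 0750 "$2" 2>/dev/null; then
        chown -h "$1" "$2"
        return 0
    fi
    return 1
}

# Stand-alone demo in a scratch directory (constructed fixture, not real logs).
demo() {
    scratch=$(mktemp -d) || return 1
    ln -s "$scratch/missing" "$scratch/cherokee.log"   # attacker-planted link
    if unsafe_chown "$RUNAS_USER" "$scratch/cherokee.log" 2>/dev/null; then
        echo "plain chown: succeeded (did not follow the link?)"
    else
        echo "plain chown: followed the link and failed on its target"
    fi
    if safe_chown "$RUNAS_USER" "$scratch/cherokee.log" 2>/dev/null; then
        echo "safe_chown: changed owner (unexpected)"
    else
        echo "safe_chown: refused the symlink"
    fi
    if create_logdir_once "$RUNAS_USER" "$scratch/logs"; then
        echo "create_logdir_once: created and owned $scratch/logs"
    fi
    if create_logdir_once "$RUNAS_USER" "$scratch/logs"; then
        echo "create_logdir_once: re-owned existing dir (unexpected)"
    else
        echo "create_logdir_once: existing path left untouched"
    fi
    rm -rf "$scratch"
}

demo
```

The observable difference is the first pair of lines: plain chown on the planted link fails with ENOENT because it went looking for the target, which is exactly what would have re-owned /etc/shadow had the target existed and the caller been root; chown -h never looks at the target. The create-once function is the stronger fix, because it removes the root-side chown of attacker-controlled paths altogether instead of trying to make it safe.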
--- Begin Message ---
Source: aolserver4
Source-Version: 4.5.1-15

We believe that the bug you reported is fixed in the latest version of
aolserver4, which is due to be installed in the Debian FTP archive:

aolserver4-core_4.5.1-15_i386.deb
  to main/a/aolserver4/aolserver4-core_4.5.1-15_i386.deb
aolserver4-daemon_4.5.1-15_i386.deb
  to main/a/aolserver4/aolserver4-daemon_4.5.1-15_i386.deb
aolserver4-dev_4.5.1-15_i386.deb
  to main/a/aolserver4/aolserver4-dev_4.5.1-15_i386.deb
aolserver4-doc_4.5.1-15_all.deb
  to main/a/aolserver4/aolserver4-doc_4.5.1-15_all.deb
aolserver4_4.5.1-15.diff.gz
  to main/a/aolserver4/aolserver4_4.5.1-15.diff.gz
aolserver4_4.5.1-15.dsc
  to main/a/aolserver4/aolserver4_4.5.1-15.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francesco Paolo Lovergine <[email protected]> (supplier of updated aolserver4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 21 Mar 2011 12:41:19 +0100
Source: aolserver4
Binary: aolserver4-daemon aolserver4-core aolserver4-dev aolserver4-doc
Architecture: source all i386
Version: 4.5.1-15
Distribution: unstable
Urgency: low
Maintainer: Francesco Paolo Lovergine <[email protected]>
Changed-By: Francesco Paolo Lovergine <[email protected]>
Description: 
 aolserver4-core - AOL web server version 4 - core libraries
 aolserver4-daemon - AOL web server version 4 - program files
 aolserver4-dev - AOL web server version 4 - development files
 aolserver4-doc - AOL web server version 4 - documentation
Closes: 600925 606554
Changes: 
 aolserver4 (4.5.1-15) unstable; urgency=low
 .
   * Merges from experimental branch.
   * Added lintian overrides file for using rpath, which is legitimate for
     internal libraries of aolserver4-core/daemon in order to avoid pollution
     of /usr/lib path.
   * Policy bumped to 3.9.1 without changes.
   * Revised debian/changelog layout for 80 cols.
   * Fixed aolserver4-daemon.postinst to avoid having +x in /etc/default/aolserver4
     (closes: #600925)
   * Fixed postinst to avoid changing recursively run and log dirs at
     configuration time. It could expose to (sym)link attacks when upgrading.
     (closes: #606554)
   * Fixed maint rules to autogenerate template *.in files at every build.
   * ABI increased to 1 for safety to avoid mixing modules built with different
     Tcl versions.
Checksums-Sha1: 
 223558b559b48fde777b40c17c675bde2c7d7640 1333 aolserver4_4.5.1-15.dsc
 85b9129f5bebe2985d109c9bd95eea0358c884e4 96260 aolserver4_4.5.1-15.diff.gz
 ef1f1508d4cc86ccb46e10e007b216ce8050c51f 3324862 aolserver4-doc_4.5.1-15_all.deb
 178e8f2de366296413c21f5285af77faea4f3cc8 173452 aolserver4-daemon_4.5.1-15_i386.deb
 7963c4e34a8088fd76ee9e76ceb90a774b2c4428 310130 aolserver4-core_4.5.1-15_i386.deb
 c81b8b3f1724174f61ae87e2027dc3a0bd62b5de 958730 aolserver4-dev_4.5.1-15_i386.deb
Checksums-Sha256: 
 a5a5b8691a6fbf3093fe60b606c20f7d41900f645547dfdfa09810016e82d9fd 1333 aolserver4_4.5.1-15.dsc
 71b12c0bfa3c8d6ae72e217f67fd5be24fbaa304648b2274958a2328678578b5 96260 aolserver4_4.5.1-15.diff.gz
 9761a0020fa92df8ae3fb9279464254a3e515fe626607d4c07a169582d1ce474 3324862 aolserver4-doc_4.5.1-15_all.deb
 b0a8cab812a1c565c7aceb9794de040681980a4cafd82f00ce72f0d1dfb3086e 173452 aolserver4-daemon_4.5.1-15_i386.deb
 68ba754255b12c1782814ba1c4798e30a58701909ad13167db321b00dbf2b2df 310130 aolserver4-core_4.5.1-15_i386.deb
 797606eeecba019dd8fa0d3bb4d5711e8c3dbecd838807abfb15652d6178a0fc 958730 aolserver4-dev_4.5.1-15_i386.deb
Files: 
 68b012880bb7cc99fb901bad0bfb76dd 1333 web optional aolserver4_4.5.1-15.dsc
 973067d6f3107aecebfff8c19885c0b5 96260 web optional aolserver4_4.5.1-15.diff.gz
 72ed9bf0cabb099ec5433654ba6adb9b 3324862 doc optional aolserver4-doc_4.5.1-15_all.deb
 db02645d279d38a10ae742823fdd4466 173452 web optional aolserver4-daemon_4.5.1-15_i386.deb
 c7bece44cfd98026c31602913ab6707c 310130 web optional aolserver4-core_4.5.1-15_i386.deb
 450f9fad411dff63d0ba4e277ccb6160 958730 web optional aolserver4-dev_4.5.1-15_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk2HPAUACgkQpFNRmenyx0dsmwCgu/vtXGQVvPXkx6knXUVgv833
hcwAoPUDTybJDPEYwalCUR4pi+BAOkbH
=+cLY
-----END PGP SIGNATURE-----



--- End Message ---
