Your message dated Fri, 08 Apr 2011 17:18:12 +0000
with message-id <[email protected]>
and subject line Bug#605188: fixed in python-omniorb 3.5-1
has caused the Debian Bug report #605188,
regarding python-omniorb-doc: Use of PYTHONPATH env var in an insecure way
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
605188: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605188
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: python-omniorb-doc
Version: 3.3-1
Severity: important
Tags: security
User: [email protected]
Usertags: pythonpath
Jakub Wilk performed an analysis[1] for packages setting PYTHONPATH in
an insecure way. Those packages do something like:
    PYTHONPATH=/spam/eggs:$PYTHONPATH
This is wrong, because if PYTHONPATH were originally unset or empty,
current working directory would be added to sys.path.
[1] http://lists.debian.org/debian-python/2010/11/msg00045.html
Your package turns out to ship vulnerable examples or contains
insecure advice: you can find a complete log at [2].
[2] http://people.debian.org/~morph/mbf/pythonpath.txt
Some guidelines on how to fix these bugs: in the case given above, you
can use something like
    PYTHONPATH=/spam/eggs${PYTHONPATH:+:$PYTHONPATH}
(If you don't know this construct, grep for "Use Alternative Value"
in the bash/dash manpage.)
Also, in cases like
    PYTHONPATH=/usr/lib/python2.5/site-packages/:$PYTHONPATH
or
    PYTHONPATH=$PYTHONPATH:$SPAMDIR exec python $SPAMDIR/spam.py
you shouldn't need to touch PYTHONPATH at all.
Feel free to contact [email protected] in case of
help.
--- End Message ---
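The difference between the two assignments in the report above, as an added example that is not part of the bug report or of the python-omniorb package. The function names and the sample directories are assumptions made for the illustration; `has_empty_entry` is a check a maintainer could run over a computed value.

```shell
#!/bin/sh
# Added illustration; prepend_unsafe, prepend_safe and has_empty_entry are
# hypothetical helper names, /spam/eggs and /opt/lib are constructed samples.

# Builds the value the way the vulnerable examples do: DIR:$PYTHONPATH.
# $1 = directory to prepend, $2 = previous PYTHONPATH value (may be empty).
prepend_unsafe() {
    old=$2
    printf '%s\n' "$1:$old"
}

# Builds the value with "Use Alternative Value": the ':' separator and the
# previous value are emitted only when the previous value is set and non-empty.
prepend_safe() {
    old=$2
    printf '%s\n' "$1${old:+:$old}"
}

# Returns 0 when a PYTHONPATH value has an empty component (leading colon,
# trailing colon or '::'), the case the report says adds the current
# working directory to sys.path. A wholly empty value is not flagged.
has_empty_entry() {
    case "$1" in
        :*|*:|*::*) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare both constructions for an empty and a non-empty previous value.
for previous in "" "/opt/lib"; do
    for fn in prepend_unsafe prepend_safe; do
        value=$($fn /spam/eggs "$previous")
        if has_empty_entry "$value"; then
            verdict="empty entry: cwd becomes importable"
        else
            verdict="ok"
        fi
        printf '%-15s previous=%-10s value=%-20s %s\n' \
            "$fn" "'$previous'" "$value" "$verdict"
    done
done
```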
--- Begin Message ---
Source: python-omniorb
Source-Version: 3.5-1
We believe that the bug you reported is fixed in the latest version of
python-omniorb, which is due to be installed in the Debian FTP archive:
omniidl-python_3.5-1_all.deb
to main/p/python-omniorb/omniidl-python_3.5-1_all.deb
python-omniorb-dbg_3.5-1_i386.deb
to main/p/python-omniorb/python-omniorb-dbg_3.5-1_i386.deb
python-omniorb-doc_3.5-1_all.deb
to main/p/python-omniorb/python-omniorb-doc_3.5-1_all.deb
python-omniorb-omg_3.5-1_all.deb
to main/p/python-omniorb/python-omniorb-omg_3.5-1_all.deb
python-omniorb_3.5-1.debian.tar.gz
to main/p/python-omniorb/python-omniorb_3.5-1.debian.tar.gz
python-omniorb_3.5-1.dsc
to main/p/python-omniorb/python-omniorb_3.5-1.dsc
python-omniorb_3.5-1_i386.deb
to main/p/python-omniorb/python-omniorb_3.5-1_i386.deb
python-omniorb_3.5.orig.tar.bz2
to main/p/python-omniorb/python-omniorb_3.5.orig.tar.bz2
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Girard <[email protected]> (supplier of updated python-omniorb
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 08 Apr 2011 18:09:45 +0200
Source: python-omniorb
Binary: python-omniorb python-omniorb-dbg python-omniorb-doc python-omniorb-omg
omniidl-python
Architecture: source all i386
Version: 3.5-1
Distribution: unstable
Urgency: low
Maintainer: Debian CORBA Team <[email protected]>
Changed-By: Thomas Girard <[email protected]>
Description:
omniidl-python - omniidl backend to compile Python stubs from IDL files
python-omniorb - Python bindings for omniORB
python-omniorb-dbg - Python bindings for omniORB
python-omniorb-doc - omniORBpy documentation
python-omniorb-omg - CORBA OMG standard files for python-omniorb
Closes: 605188 617015
Changes:
python-omniorb (3.5-1) unstable; urgency=low
.
[ Floris Bruynooghe ]
* New upstream release
* debian/python-omniorb-doc.docs, debian/python-omniorb-doc.doc-base:
remove .ps documentation, dropped by upstream.
* Change to dpkg-source format 3.0 (quilt).
* Add XB-Python-Version to python-omniorb-dbg.
* Bump Standards-Version to 3.9.1: no changes needed.
* debian/control: make python-omniorb-dbg recommend python-dbg.
* Bump debhelper compat level to 7 due to auto debian/tmp prefix usage.
* Convert to use dh_python2 (closes: #617015):
- install omniidl python backend to /usr/lib/omniidl/omniidl_be.
* Use dh_prep instead of dh_clean -k.
* Remove conflicts and provides of old packages now that those packages are
no longer in stable.
* Change Recommends of omniidl-python to python-omniorb instead of
libomniorb4-dev.
* Remove unused python:Provides as per python policy.
* Correct examples of modifying PYTHONPATH (closes: #605188)
.
[ Thomas Girard ]
* Remove obsolete Build-Conflicts: in debian/control.
--- End Message ---