Your message dated Thu, 29 Jan 2015 18:49:10 +0000 with message-id <[email protected]> and subject line Bug#775681: fixed in kamailio 4.2.0-2 has caused the Debian Bug report #775681, regarding multiple /tmp file vulnerabilities to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
775681: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775681
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: kamailio
Version: 4.2.0-1.1
Severity: important
Tags: security

The kamailio package now installs /etc/kamailio/kamailio-basic.cfg which can be selected via the CFGFILE= setting in /etc/default/kamailio. The configuration contains:

    modparam("mi_fifo", "fifo_name", "/tmp/kamailio_fifo")

This setting is insecure and may allow local users to elevate privileges to the kamailio user.

The issue extends to kamailio-advanced.cfg. It seems that this is due to an incomplete fix of #712083.

Looking further, the state of /tmp file vulnerabilities in kamailio looks worrisome. Most of the results of the following command (to be executed in the kamailio source) are likely vulnerable if executed:

    grep '/tmp/[a-z0-9_.-]\+\(\$\$\)\?\([" ]\|$\)' -r .

Granted, some of the results are examples, documentation or obsolete. But quite a few reach the default settings:

 * kamcmd defaults to connecting to unixs:/tmp/kamailio_ctl.
 * The kamailio build definitely is vulnerable as can be seen in utils/kamctl/Makefile.

More research clearly is required here.

Given these findings, the security team may want to veto the inclusion of kamailio in a stable release, which would be very unfortunate as kamailio is quite a unique piece of software with little competitors in its field.

Helmut
--- End Message ---
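
An audit sketch for the class of problem reported above, added here as an example and not part of the report or of kamailio: it lists the modparam values in a config file whose path lies in a directory any local user can write to, the property that makes a fixed name such as /tmp/kamailio_fifo unsafe. The sample config, the scratch directories and the helper names list_paths, audit_cfg and demo are constructed for the example.

```shell
#!/bin/sh
# Added example: flag Kamailio modparam values whose path sits in a directory
# that any local user can write to (the /tmp problem from the bug report).

# Print "LINE:module.param:path" for every active modparam whose value is an
# absolute path, with an optional transport prefix such as "unix:" stripped.
list_paths() {
    awk -F'"' '/^[ \t]*modparam\(/ {
        v = $6
        sub(/^[a-z]+:/, "", v)
        if (v ~ /^\//) print NR ":" $2 "." $4 ":" v
    }' "$1"
}

# Report each of those paths whose parent directory is world-writable.
audit_cfg() {
    list_paths "$1" | while IFS=: read -r line setting path; do
        dir=$(dirname "$path")
        # find prints the directory only if its "other write" bit is set
        if [ -n "$(find "$dir" -prune -perm -0002 2>/dev/null)" ]; then
            echo "$1:$line: $setting uses $path in world-writable $dir"
        fi
    done
}

# Constructed demo: a scratch tree standing in for /tmp (mode 1777) and for a
# service-owned runtime directory (mode 0750), plus a sample config.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/tmp" "$work/run"
    chmod 1777 "$work/tmp"
    chmod 0750 "$work/run"
    cat > "$work/kamailio.cfg" <<EOF
# constructed sample, modelled on the setting quoted in the report
modparam("mi_fifo", "fifo_name", "$work/tmp/kamailio_fifo")
modparam("ctl", "binrpc", "unix:$work/tmp/kamailio_ctl")
modparam("mi_fifo", "fifo_name", "$work/run/kamailio_fifo")
#modparam("ctl", "binrpc", "unix:$work/tmp/commented_out")
EOF
    # Replace the random scratch path so the output is stable.
    audit_cfg "$work/kamailio.cfg" | sed "s|$work|<scratch>|g"
    rm -rf "$work"
}

demo
```

Unlike the grep in the report, this checks the permissions of the directory that is actually configured, so it also catches other shared locations and stays quiet once the path has moved to a private directory.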
--- Begin Message ---
Source: kamailio
Source-Version: 4.2.0-2

We believe that the bug you reported is fixed in the latest version of kamailio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Victor Seva <[email protected]> (supplier of updated kamailio package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Wed, 28 Jan 2015 20:43:44 +0100
Source: kamailio
Binary: kamailio kamailio-dbg kamailio-geoip-modules kamailio-sqlite-modules kamailio-json-modules kamailio-memcached-modules kamailio-lua-modules kamailio-mono-modules kamailio-python-modules kamailio-redis-modules kamailio-mysql-modules kamailio-postgres-modules kamailio-cpl-modules kamailio-radius-modules kamailio-unixodbc-modules kamailio-presence-modules kamailio-perl-modules kamailio-snmpstats-modules kamailio-xmpp-modules kamailio-xml-modules kamailio-carrierroute-modules kamailio-berkeley-modules kamailio-berkeley-bin kamailio-ldap-modules kamailio-ims-modules kamailio-utils-modules kamailio-sctp-modules kamailio-java-modules kamailio-tls-modules kamailio-outbound-modules kamailio-websocket-modules kamailio-dnssec-modules kamailio-autheph-modules kamailio-extra-modules
Architecture: source amd64
Version: 4.2.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Victor Seva <[email protected]>
Description:
 kamailio - very fast and configurable SIP proxy
 kamailio-autheph-modules - authentication using ephemeral credentials module for Kamailio
 kamailio-berkeley-bin - Berkeley database module for Kamailio - helper program
 kamailio-berkeley-modules - Berkeley database module for Kamailio
 kamailio-carrierroute-modules - carrierroute module for Kamailio
 kamailio-cpl-modules - CPL module (CPL interpreter engine) for Kamailio
 kamailio-dbg - very fast and configurable SIP proxy [debug symbols]
 kamailio-dnssec-modules - contains the dnssec module
 kamailio-extra-modules - extra modules for Kamailio
 kamailio-geoip-modules - contains the geoip module
 kamailio-ims-modules - IMS module for Kamailio
 kamailio-java-modules - contains the app_java module
 kamailio-json-modules - Json parser and jsonrpc modules for Kamailio
 kamailio-ldap-modules - LDAP modules for Kamailio
 kamailio-lua-modules - contains the app_lua module
 kamailio-memcached-modules - Provides the memcached module, an interface to the memcached serv
 kamailio-mono-modules - contains the app_mono module
 kamailio-mysql-modules - MySQL database connectivity module for Kamailio
 kamailio-outbound-modules - Outbound module for Kamailio
 kamailio-perl-modules - Perl extensions and database driver for Kamailio
 kamailio-postgres-modules - PostgreSQL database connectivity module for Kamailio
 kamailio-presence-modules - SIMPLE presence modules for Kamailio
 kamailio-python-modules - contains the app_python module
 kamailio-radius-modules - RADIUS modules for Kamailio
 kamailio-redis-modules - Redis database connectivity module for Kamailio
 kamailio-sctp-modules - sctp module for Kamailio
 kamailio-snmpstats-modules - SNMP AgentX subagent module for Kamailio
 kamailio-sqlite-modules - SQLite database connectivity module for Kamailio
 kamailio-tls-modules - contains the TLS kamailio transport module
 kamailio-unixodbc-modules - unixODBC database connectivity module for Kamailio
 kamailio-utils-modules - Provides a set utility functions for Kamailio
 kamailio-websocket-modules - Websocket module for kamailio
 kamailio-xml-modules - XML based extensions for Kamailio's Management Interface
 kamailio-xmpp-modules - XMPP gateway module for Kamailio
Closes: 775681
Changes:
 kamailio (4.2.0-2) unstable; urgency=medium
 .
   * [d614569] fix fifo and ctl defaults pointing to unsecure /tmp dir
     Closes: #775681
--- End Message ---

