Your message dated Sat, 12 May 2018 21:20:39 +0000
with message-id <[email protected]>
and subject line Bug#884136: fixed in lilypond 2.19.81+really-2.18.2-13
has caused the Debian Bug report #884136,
regarding lilypond: CVE-2017-17523
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
884136: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884136
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: lilypond
Version: 2.18.2-4
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for lilypond.

For a description of the issue see [1], in the "Similar
vulnerabilities in other packages" section.

CVE-2017-17523[0]:
| lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings
| before launching the program specified by the BROWSER environment
| variable, which allows remote attackers to conduct argument-injection
| attacks via a crafted URL, as demonstrated by a --proxy-pac-file
| argument.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17523
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17523
[1] https://bugs.debian.org/881767

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: lilypond
Source-Version: 2.19.81+really-2.18.2-13

We believe that the bug you reported is fixed in the latest version of
lilypond, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <[email protected]> (supplier of updated lilypond package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 12 May 2018 21:22:39 +0200
Source: lilypond
Binary: lilypond lilypond-data lilypond-doc lilypond-doc-pdf lilypond-doc-html 
lilypond-doc-html-cs lilypond-doc-html-de lilypond-doc-html-es 
lilypond-doc-html-fr lilypond-doc-html-hu lilypond-doc-html-it 
lilypond-doc-html-ja lilypond-doc-html-nl lilypond-doc-html-zh 
lilypond-doc-pdf-de lilypond-doc-pdf-es lilypond-doc-pdf-fr lilypond-doc-pdf-hu 
lilypond-doc-pdf-it lilypond-doc-pdf-nl
Architecture: source
Version: 2.19.81+really-2.18.2-13
Distribution: unstable
Urgency: medium
Maintainer: Don Armstrong <[email protected]>
Changed-By: Dr. Tobias Quathamer <[email protected]>
Description:
 lilypond   - program for typesetting sheet music
 lilypond-data - LilyPond music typesetter (data files)
 lilypond-doc - LilyPond Documentation in info format (and metapackage)
 lilypond-doc-html - LilyPond HTML Documentation
 lilypond-doc-html-cs - LilyPond HTML Documentation in Czech
 lilypond-doc-html-de - LilyPond HTML Documentation in German
 lilypond-doc-html-es - LilyPond HTML Documentation in Spanish
 lilypond-doc-html-fr - LilyPond HTML Documentation in French
 lilypond-doc-html-hu - LilyPond HTML Documentation in Hungarian
 lilypond-doc-html-it - LilyPond HTML Documentation in Italian
 lilypond-doc-html-ja - LilyPond HTML Documentation in Japanese
 lilypond-doc-html-nl - LilyPond HTML Documentation in Dutch
 lilypond-doc-html-zh - LilyPond HTML Documentation in Chinese
 lilypond-doc-pdf - LilyPond PDF Documentation
 lilypond-doc-pdf-de - LilyPond PDF Documentation in German
 lilypond-doc-pdf-es - LilyPond PDF Documentation in Spanish
 lilypond-doc-pdf-fr - LilyPond PDF Documentation in French
 lilypond-doc-pdf-hu - LilyPond PDF Documentation in Hungarian
 lilypond-doc-pdf-it - LilyPond PDF Documentation in Italian
 lilypond-doc-pdf-nl - LilyPond PDF Documentation in Dutch
Closes: 884136
Changes:
 lilypond (2.19.81+really-2.18.2-13) unstable; urgency=medium
 .
   * New upload to override the accidental upload of the
     experimental version to unstable, effectively canceling the
     2.18.2-13 upload two days ago.
     We avoid using an epoch because lilypond is expected to release
     their stable version 2.20 before the freeze of buster. The
     "+really" workaround in the Debian version number could be
     removed then.
   * Update script for doc packages
   * Add Multi-Arch: foreign to pdf packages
   * Run wrap-and-sort and cme fix dpkg
   * Update Standards-Version to 4.1.4, no changes needed
   * Use debhelper v11
   * Fix lintian warning: Remove '--with quilt' from debhelper call
     in debian/rules. The package is already using the 3.0 (quilt)
     source format.
   * Remove unneeded patches
 .
 lilypond (2.18.2-13) unstable; urgency=medium
 .
   * Switch lilypond-invoke-editor to use system* instead of system to fix
     CVE-2017-17523 for non textedit:// URIs. (Closes: #884136)
     This fixes the newly assigned CVE-2018-10992.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
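The changelog entry above replaces a shell command string (`system`) with an argument vector (`system*`). The following Python model of that difference is an added example, not code from lilypond or from the Debian patch; the argv-printing child process standing in for `$BROWSER`, the sample URL and the function names are all constructed for illustration, and a POSIX shell is assumed.

```python
import shlex
import subprocess
import sys

# Stand-in for the program named by $BROWSER (constructed for this example):
# a child process that prints each argument it received on its own line.
ARGV_DUMPER = [sys.executable, "-c",
               "import sys; print('\\n'.join(sys.argv[1:]))"]

# Constructed URL of the kind the CVE text describes: a space followed by an option.
SAMPLE_URL = "http://example.invalid/score.html --proxy-pac-file=placeholder"


def launch_via_shell(url):
    """Pre-fix pattern: build one string and hand it to /bin/sh.

    The shell re-splits the string on whitespace, so text after a space
    in the URL reaches the browser as a separate argument.
    """
    cmd = " ".join(shlex.quote(part) for part in ARGV_DUMPER) + " " + url
    result = subprocess.run(cmd, shell=True, capture_output=True,
                            text=True, check=True)
    return result.stdout.splitlines()


def launch_via_argv(url):
    """Post-fix pattern: pass an argument vector, no shell involved.

    The URL stays a single argv element whatever characters it contains.
    """
    result = subprocess.run(ARGV_DUMPER + [url], capture_output=True,
                            text=True, check=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    print("shell string :", launch_via_shell(SAMPLE_URL))
    print("argv vector  :", launch_via_argv(SAMPLE_URL))
```

The argument-vector form stops the URL from being split into several arguments; a URL that itself begins with `-` would still arrive as one argument that the launched program may parse as an option, so a scheme check before launch remains worthwhile.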
