Your message dated Mon, 24 Feb 2020 00:49:53 +0000
with message-id <[email protected]>
and subject line Bug#951390: fixed in sarg 2.4.0-1
has caused the Debian Bug report #951390,
regarding sarg: CVE-2019-18932
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
951390: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951390
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: sarg
Version: 2.3.11-1
Severity: important
Tags: security upstream
Control: found -1 2.3.10-2

Hi,

The following vulnerability was published for sarg.

CVE-2019-18932[0]:
| log.c in Squid Analysis Report Generator (sarg) through 2.3.11 allows
| local privilege escalation. By default, it uses a fixed temporary
| directory /tmp/sarg. As the root user, sarg creates this directory or
| reuses an existing one in an insecure manner. An attacker can pre-
| create the directory, and place symlinks in it (after winning a
| /tmp/sarg/denied.int_unsort race condition). The outcome will be
| corrupted or newly created files in privileged file system locations.

The issue was fixed upstream in [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-18932
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18932
[1] https://sourceforge.net/p/sarg/code/ci/8ec6d20be8c0da3c885aba78e63251f2e5080748

Regards,
Salvatore

--- End Message ---
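The advisory above describes a classic fixed-temporary-directory weakness: a root process trusts a world-known path such as /tmp/sarg that an unprivileged local user may have created first, and then writes files into it, following any symlink planted there. The following C program is an added illustration of the defensive pattern, not sarg's code and not the upstream fix referenced at [1]. The template prefix /tmp/example and the helper names (create_private_tmpdir, check_existing_tmpdir, create_file_in_dir) are constructed for this example; the file name denied.int_unsort is taken from the CVE text.

```c
/* Added illustration (not sarg's code) of two habits that remove the class
 * of bug CVE-2019-18932 describes:
 *  1. Prefer a fresh, unpredictable, mode-0700 directory from mkdtemp().
 *  2. If a fixed path must be reused, verify it with lstat() first and open
 *     every file inside it relative to the directory descriptor with
 *     O_NOFOLLOW|O_EXCL, so a planted symlink is refused instead of followed.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private work directory from a prefix such as "/tmp/example".
 * mkdtemp() creates "<prefix>.XXXXXX" atomically with mode 0700, so it cannot
 * pre-exist and cannot be owned by anyone else. Returns the path or NULL. */
char *create_private_tmpdir(const char *prefix, char *buf, size_t buflen)
{
    if (snprintf(buf, buflen, "%s.XXXXXX", prefix) >= (int)buflen) {
        errno = ENAMETOOLONG;
        return NULL;
    }
    return mkdtemp(buf); /* NULL with errno set on failure */
}

/* Verify a fixed directory before reusing it: it must exist, be a real
 * directory rather than a symlink, be owned by the caller, and be writable
 * only by its owner. Returns 0 if safe, -1 with errno set otherwise. */
int check_existing_tmpdir(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)              /* lstat: never follow a symlink */
        return -1;
    if (!S_ISDIR(st.st_mode)) {             /* symlink or file planted at path */
        errno = ENOTDIR;
        return -1;
    }
    if (st.st_uid != geteuid()) {           /* pre-created by another user */
        errno = EPERM;
        return -1;
    }
    if (st.st_mode & (S_IWGRP | S_IWOTH)) { /* others could plant entries */
        errno = EACCES;
        return -1;
    }
    return 0;
}

/* Create a new file inside an already-verified directory. Opening relative
 * to the directory descriptor with O_NOFOLLOW|O_EXCL refuses both a planted
 * symlink and any pre-existing file, which closes the check-then-use race.
 * Returns the file descriptor or -1 with errno set. */
int create_file_in_dir(int dirfd, const char *name)
{
    return openat(dirfd, name,
                  O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

int main(void)
{
    char dir[64];
    if (create_private_tmpdir("/tmp/example", dir, sizeof dir) == NULL) {
        perror("mkdtemp");
        return 1;
    }
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    int fd = (dfd >= 0 && check_existing_tmpdir(dir) == 0)
                 ? create_file_in_dir(dfd, "denied.int_unsort") : -1;
    printf("%s: %s\n", dir,
           fd >= 0 ? "work file created safely" : strerror(errno));
    if (fd >= 0) {
        close(fd);
        unlinkat(dfd, "denied.int_unsort", 0);
    }
    if (dfd >= 0) close(dfd);
    rmdir(dir);
    return fd >= 0 ? 0 : 1;
}
```

The first helper is the one to reach for: a per-run mkdtemp() directory needs no ownership checks because nobody else could have created it. The second and third exist for code that, like the version described in the report, must keep a fixed path; note that the lstat() check alone is still racy, which is why every subsequent open goes through the directory descriptor with O_NOFOLLOW|O_EXCL rather than through the path string.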
--- Begin Message ---
Source: sarg
Source-Version: 2.4.0-1
Done: Luigi Gangitano <[email protected]>

We believe that the bug you reported is fixed in the latest version of
sarg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luigi Gangitano <[email protected]> (supplier of updated sarg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 24 Feb 2020 00:27:10 +0100
Source: sarg
Architecture: source
Version: 2.4.0-1
Distribution: unstable
Urgency: medium
Maintainer: Luigi Gangitano <[email protected]>
Changed-By: Luigi Gangitano <[email protected]>
Closes: 897855 940124 951390
Changes:
 sarg (2.4.0-1) unstable; urgency=medium
 .
   * New upstream version 2.4.0
     - Fixes local privilege escalation vulnerability (Closes: #951390)
       (Ref: CVE-2019-18932)
     - Fixes FTBFS with gcc-8 (Closes: #897855)
 .
   * debian/control
     - Remove Xs-Vcs-Git field
     - Bumped Standard-Version to 4.5.0 (no change needed)
 .
   * debian/patches/0003-Fix-FTCBFS.patch
     - Fix FTCBFS, thanks to Helmut Grohne (Closes: #940124)
Checksums-Sha1:
 7b94204382cf15816b7f16676973cb4a29c419eb 1794 sarg_2.4.0-1.dsc
 1cd127597f9c1cfbb7175004807afdf122fcc735 1366934 sarg_2.4.0.orig.tar.gz
 8bdfc8bca95dec4b1052b0cae7bb281eb3da173c 22060 sarg_2.4.0-1.debian.tar.xz
 3e849ab85e39cc725ef987c42e920bdb89f6b3a2 7416 sarg_2.4.0-1_amd64.buildinfo
Checksums-Sha256:
 e16a3b528920e26c6a681cebfe6c604be21b5ac943aded5c9070a32b1f0aaf38 1794 sarg_2.4.0-1.dsc
 c952501ee0b6c4f6abe47833e971cdb781cdd06717a4f3a10e07e221c751a5f8 1366934 sarg_2.4.0.orig.tar.gz
 1f776625d53c8bf9d2722a225766c49b527c8067f8e02fd76cf571d8794b4a9b 22060 sarg_2.4.0-1.debian.tar.xz
 03540cc9a6dfaa167b1ac59731a7adc50123b4c155c2831016a6f58bf3f746fc 7416 sarg_2.4.0-1_amd64.buildinfo
Files:
 6254d00cb7ed93b4c056d849b6ae213d 1794 web optional sarg_2.4.0-1.dsc
 0236aca351ef572c6d8ddf178ea964b3 1366934 web optional sarg_2.4.0.orig.tar.gz
 795a643ea9cc71c667dbb6910a2ac187 22060 web optional sarg_2.4.0-1.debian.tar.xz
 a90bb42fb2fc91927575346a8086236e 7416 web optional sarg_2.4.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
