Your message dated Sat, 09 Jan 2021 09:18:39 +0000
with message-id <[email protected]>
and subject line Bug#969999: fixed in osc 0.169.1-1
has caused the Debian Bug report #969999,
regarding osc: CVE-2019-3681
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
969999: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969999
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: osc
Version: 0.168.2-1
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.suse.com/show_bug.cgi?id=1122675
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for osc.

CVE-2019-3681[0]:
| An External Control of File Name or Path vulnerability in osc of SUSE
| Linux Enterprise Module for Development Tools 15, SUSE Linux
| Enterprise Software Development Kit 12-SP5, SUSE Linux Enterprise
| Software Development Kit 12-SP4; openSUSE Leap 15.1, openSUSE Factory
| allowed remote attackers that can change downloaded packages to
| overwrite arbitrary files. This issue affects: SUSE Linux Enterprise
| Module for Development Tools 15 osc versions prior to 0.169.1-3.20.1.
| SUSE Linux Enterprise Software Development Kit 12-SP5 osc versions
| prior to 0.162.1-15.9.1. SUSE Linux Enterprise Software Development
| Kit 12-SP4 osc versions prior to 0.162.1-15.9.1. openSUSE Leap 15.1
| osc versions prior to 0.169.1-lp151.2.15.1. openSUSE Factory osc
| versions prior to 0.169.0.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-3681
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3681
[1] https://bugzilla.suse.com/show_bug.cgi?id=1122675
[2] https://github.com/openSUSE/osc/commit/a79c54418baf9b9785123bd07f350f12bd729ed3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: osc
Source-Version: 0.169.1-1
Done: Andrej Shadura <[email protected]>

We believe that the bug you reported is fixed in the latest version of
osc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrej Shadura <[email protected]> (supplier of updated osc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 09 Jan 2021 10:08:08 +0100
Source: osc
Architecture: source
Version: 0.169.1-1
Distribution: unstable
Urgency: high
Maintainer: RPM packaging team <[email protected]>
Changed-By: Andrej Shadura <[email protected]>
Closes: 969999
Changes:
 osc (0.169.1-1) unstable; urgency=high
 .
   * New upstream release (Closes: #969999, CVE-2019-3681)
Checksums-Sha1:
 de89d9132385711cc746ba1805cf401eb15207b6 1711 osc_0.169.1-1.dsc
 bd48b6368d7285b53339ebabcb63c6b1ba835572 366149 osc_0.169.1.orig.tar.gz
 d16469277a016692a4f46ed86ff35ba9f3d3c59e 6236 osc_0.169.1-1.debian.tar.xz
Checksums-Sha256:
 0086619d7f51d9fee02d4594c9ebb6f7bc5291d9fbaf1f990682c06a8762869d 1711 osc_0.169.1-1.dsc
 5bde475627e42cb65286d35f02f996bdb9348854b5aa5d176847a8bceb6cfaa6 366149 osc_0.169.1.orig.tar.gz
 b8fbbe3bc14956cfa6ae548d380881aea1067c5e475a15128f815c3a9be3d797 6236 osc_0.169.1-1.debian.tar.xz
Files:
 aa21f42616b4ae8d2342f142b621875c 1711 devel optional osc_0.169.1-1.dsc
 2c9f6258635798e8c0774af2e0c9c30f 366149 devel optional osc_0.169.1.orig.tar.gz
 dedd77b5a05b141cb2da80077be79d4d 6236 devel optional osc_0.169.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
