Your message dated Sat, 06 Mar 2010 21:40:22 +0000
with message-id <e1no1js-00040t...@ries.debian.org>
and subject line Bug#559822: fixed in mp4h 1.3.1-4.1
has caused the Debian Bug report #559822,
regarding CVE-2009-3736 local privilege escalation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
559822: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559822
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: mp4h
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736



--- End Message ---
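
Added example (not part of the original messages or of Debian's tooling): a first-pass check for what the report asks maintainers to determine, scanning an unpacked source tree for a bundled ltdl.c and classifying the libtool version against the ranges the CVE text names. It assumes ltmain.sh carries a VERSION= line and that the bundled libltdl comes from the same release; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

VERSION_RE = re.compile(r'^VERSION="?([0-9][^\s"]*)', re.M)

def cve_status(version):
    """Classify a libtool version against the ranges named in the CVE text:
    1.5.x, and 2.2.6 before 2.2.6b. Other versions are 'not-listed', not 'safe'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?([a-z]?)", version)
    if not m:
        return "unknown"
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if (major, minor) == (1, 5):
        return "listed"
    if (major, minor, patch) == (2, 2, 6) and m.group(4) < "b":
        return "listed"
    return "not-listed"

def scan_tree(root):
    """Find embedded libltdl sources (ltdl.c) and libtool versions (ltmain.sh)."""
    copies, versions = [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "ltdl.c":
                copies.append(os.path.relpath(path, root))
            elif name == "ltmain.sh":
                with open(path, errors="replace") as fh:
                    m = VERSION_RE.search(fh.read())
                if m:
                    versions.add(m.group(1))
    return {"embedded_ltdl": sorted(copies),
            "libtool": {v: cve_status(v) for v in sorted(versions)}}

def build_sample_tree():
    """Constructed sample: a source tree that bundles libltdl and an old ltmain.sh."""
    root = tempfile.mkdtemp(prefix="srctree-")
    os.mkdir(os.path.join(root, "libltdl"))
    with open(os.path.join(root, "libltdl", "ltdl.c"), "w") as fh:
        fh.write("/* placeholder for a bundled ltdl.c */\n")
    with open(os.path.join(root, "ltmain.sh"), "w") as fh:
        fh.write("PROGRAM=ltmain.sh\nPACKAGE=libtool\nVERSION=1.5.26\n")
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

A hit only shows that the source is bundled; whether the built binary package actually contains that code still has to be checked, as the report asks.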
--- Begin Message ---
Source: mp4h
Source-Version: 1.3.1-4.1

We believe that the bug you reported is fixed in the latest version of
mp4h, which is due to be installed in the Debian FTP archive:

mp4h_1.3.1-4.1.diff.gz
  to main/m/mp4h/mp4h_1.3.1-4.1.diff.gz
mp4h_1.3.1-4.1.dsc
  to main/m/mp4h/mp4h_1.3.1-4.1.dsc
mp4h_1.3.1-4.1_i386.deb
  to main/m/mp4h/mp4h_1.3.1-4.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <t...@mirbsd.de> (supplier of updated mp4h package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Thu, 04 Mar 2010 19:30:06 +0000
Source: mp4h
Binary: mp4h
Architecture: source i386
Version: 1.3.1-4.1
Distribution: unstable
Urgency: high
Maintainer: Felipe Augusto van de Wiel (faw) <f...@debian.org>
Changed-By: Thorsten Glaser <t...@mirbsd.de>
Description: 
 mp4h       - Macro processor for HTML documents
Closes: 559822
Changes: 
 mp4h (1.3.1-4.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Update the autotools/libtool subsystem, use libltdl from
     the system instead of our own. (CVE-2009-3736) (Closes: #559822)
   * Fix lintian copyright-without-copyright-notice (possible REJECT cause)
   * Add missing ${misc:Depends} for debhelper to get them right

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MirBSD)
-----END PGP SIGNATURE-----



--- End Message ---
