Your message dated Mon, 14 Jun 2010 15:38:04 +0000
with message-id <e1oobjg-0007tr...@ries.debian.org>
and subject line Bug#585773: fixed in pyftpd 0.8.5
has caused the Debian Bug report #585773,
regarding pyftpd: Insecure usage of temporary directory
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
585773: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585773
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pyftpd
Version: 0.8.4.6
Severity: critical
Justification: causes serious data loss

*** Please type your report below this line ***
Pyftpd creates its log file in a temporary directory using a predictable
name. This allows a local attacker to create a denial of service
condition and discloses sensitive information to unprivileged users,
for example the accounts of other users connecting to the server and the
paths they visit.

One should use tempfile.mkstemp
<http://docs.python.org/library/tempfile.html#tempfile.mkstemp> or
use the /var/log/ directory instead of /tmp/ and use proper file system
modes for the log file.

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages pyftpd depends on:
ii  python                        2.5.2-3    An interactive high-level object-o
ii  python-central                0.6.8      register and build utility for Pyt

Versions of packages pyftpd recommends:
ii  python-tk                     2.5.2-1    Tkinter - Writing Tk applications

pyftpd suggests no packages.

-- no debconf information



--- End Message ---
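
The two remedies named in the report above, as an added Python example (not pyftpd's code and not the maintainer's fix). The function names, the `pyftpd-` prefix and the commented weak pattern are assumptions for illustration; the flags used are POSIX-only.

```python
import os
import stat
import tempfile

# Weak pattern the report describes (hypothetical reconstruction, not pyftpd's code):
#     log = open("/tmp/pyftpd.log", "a")   # fixed name, shared dir, mode left to umask


def open_private_log(path):
    """Open a fixed-path log (e.g. under /var/log) for append, owner-only.

    Fails closed if the path is a symlink, is not a regular file, belongs to
    another user, or is accessible to group/other.
    """
    # O_NOFOLLOW: refuse a symlink at the final path component.
    # O_NONBLOCK: do not hang if the path turns out to be a FIFO.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW | os.O_NONBLOCK
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)  # inspect the object actually opened, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("%s is not a regular file" % path)
        if st.st_uid != os.geteuid():
            raise PermissionError("%s is owned by uid %d" % (path, st.st_uid))
        if st.st_mode & 0o077:
            raise PermissionError("%s is accessible to group/other" % path)
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")


def open_unpredictable_log(directory=None):
    """Create a log with a random name via tempfile.mkstemp.

    mkstemp creates the file exclusively (O_EXCL) with mode 0600, so a name
    prepared in advance by another local user is never reused.
    """
    fd, path = tempfile.mkstemp(prefix="pyftpd-", suffix=".log", dir=directory)
    return os.fdopen(fd, "a"), path
```

A pre-existing log that group or other can read is rejected rather than silently tightened, so an operator notices that earlier entries may already have been exposed.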
--- Begin Message ---
Source: pyftpd
Source-Version: 0.8.5

We believe that the bug you reported is fixed in the latest version of
pyftpd, which is due to be installed in the Debian FTP archive:

pyftpd_0.8.5.dsc
  to main/p/pyftpd/pyftpd_0.8.5.dsc
pyftpd_0.8.5.tar.gz
  to main/p/pyftpd/pyftpd_0.8.5.tar.gz
pyftpd_0.8.5_all.deb
  to main/p/pyftpd/pyftpd_0.8.5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 585...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Radovan Garabík <gara...@kassiopeia.juls.savba.sk> (supplier of updated pyftpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 14 Jun 2010 16:09:53 +0200
Source: pyftpd
Binary: pyftpd
Architecture: source all
Version: 0.8.5
Distribution: unstable
Urgency: high
Maintainer: Radovan Garabík <gara...@kassiopeia.juls.savba.sk>
Changed-By: Radovan Garabík <gara...@kassiopeia.juls.savba.sk>
Description: 
 pyftpd     - ftp daemon with advanced features
Closes: 585275 585773 585776
Changes: 
 pyftpd (0.8.5) unstable; urgency=high
 .
   * get rid of one last forgotten string exception (closes: #585275)
   * SECURITY: change default configuration - do not include any default users,
     disable anonymous access (closes: #585776)
   * SECURITY: change default logging file to /dev/null (closes: #585773)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkwWRNQACgkQUBQJxqD+WLjAFgCeORQM94DpwUobLRexAfpx3C2Q
0nMAnRM7iXJjNQrI7zHNl/3PsrNyAKjX
=OGNk
-----END PGP SIGNATURE-----



--- End Message ---
