Your message dated Sat, 15 Jul 2017 21:49:18 +0000
with message-id <e1dwuwa-000ahe...@fasolo.debian.org>
and subject line Bug#862689: fixed in flightgear 3.0.0-5+deb8u2
has caused the Debian Bug report #862689,
regarding flightgear: CVE-2017-8921
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862689: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862689
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: flightgear
Version: 1:2016.4.4+dfsg-2
Severity: grave
Tags: upstream patch security
Control: found -1 3.0.0-5

Hi,

the following vulnerability was published for flightgear.

CVE-2017-8921[0]:
| In FlightGear before 2017.2.1, the FGCommand interface allows
| overwriting any file the user has write access to, but not with
| arbitrary data: only with the contents of a FlightGear flightplan
| (XML). A resource such as a malicious third-party aircraft could
| exploit this to damage files belonging to the user. Both this issue and
| CVE-2016-9956 are directory traversal vulnerabilities in
| Autopilot/route_mgr.cxx - this one exists because of an incomplete fix
| for CVE-2016-9956.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8921
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8921

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: flightgear
Source-Version: 3.0.0-5+deb8u2

We believe that the bug you reported is fixed in the latest version of
flightgear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Wanner <mar...@bluegap.ch> (supplier of updated flightgear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 02 Jul 2017 13:54:58 +0200
Source: flightgear
Binary: flightgear
Architecture: source amd64
Version: 3.0.0-5+deb8u2
Distribution: jessie
Urgency: high
Maintainer: Debian FlightGear Crew <pkg-fgfs-c...@lists.alioth.debian.org>
Changed-By: Markus Wanner <mar...@bluegap.ch>
Description:
 flightgear - Flight Gear Flight Simulator
Closes: 862689
Changes:
 flightgear (3.0.0-5+deb8u2) jessie; urgency=high
 .
   * Add patch restrict-save-flightplan-secu-fix-faf872.patch: prevent
     overriding arbitrary files from the "save-flightplan" FGCommand.
     Closes: #862689 (CVE-2017-8921).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
