Your message dated Thu, 03 Jun 2021 17:33:43 +0000
with message-id <e1lordz-0001ww...@fasolo.debian.org>
and subject line Bug#989429: fixed in policykit-1 0.105-31
has caused the Debian Bug report #989429,
regarding policykit-1: CVE-2021-3560: local privilege escalation using 
polkit_system_bus_name_get_creds_sync()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
989429: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989429
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: policykit-1
Version: 0.105-30
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://gitlab.freedesktop.org/polkit/polkit/-/issues/140
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 0.105-26

Hi,

The following vulnerability was published for policykit-1.

CVE-2021-3560[0]:
| local privilege escalation using
| polkit_system_bus_name_get_creds_sync()

The issue was introduced upstream with [2] in 0.113 but the
introducing change is in Debian as well (and Ubuntu[3]).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3560
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3560
[1] https://gitlab.freedesktop.org/polkit/polkit/-/issues/140
[2] https://gitlab.freedesktop.org/polkit/polkit/-/commit/bfa5036bfb93582c5a87c44b847957479d911e38
[3] https://ubuntu.com/security/notices/USN-4980-1
[4] https://bugzilla.redhat.com/show_bug.cgi?id=1961710

Can you fix this targeted please for bullseye and ask the release
team for an unblock?

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: policykit-1
Source-Version: 0.105-31
Done: Simon McVittie <s...@debian.org>

We believe that the bug you reported is fixed in the latest version of
policykit-1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated policykit-1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 03 Jun 2021 17:06:34 +0100
Source: policykit-1
Architecture: source
Version: 0.105-31
Distribution: unstable
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Closes: 989429
Changes:
 policykit-1 (0.105-31) unstable; urgency=medium
 .
   [ Salvatore Bonaccorso ]
   * d/p/CVE-2021-3560.patch:
     Fix local privilege escalation involving
     polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)
     (Closes: #989429)


--- End Message ---
