Your message dated Fri, 04 Jun 2021 19:19:07 +0000
with message-id <e1lpflx-0006zx...@fasolo.debian.org>
and subject line Bug#989429: fixed in policykit-1 0.119-1
has caused the Debian Bug report #989429,
regarding policykit-1: CVE-2021-3560: local privilege escalation using polkit_system_bus_name_get_creds_sync()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
989429: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989429
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: policykit-1
Version: 0.105-30
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://gitlab.freedesktop.org/polkit/polkit/-/issues/140
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 0.105-26

Hi,

The following vulnerability was published for policykit-1.

CVE-2021-3560[0]:
| local privilege escalation using
| polkit_system_bus_name_get_creds_sync()

The issue was introduced upstream with [2] in 0.113 but the
introducing change is in Debian as well (and Ubuntu[3]).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3560
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3560
[1] https://gitlab.freedesktop.org/polkit/polkit/-/issues/140
[2] https://gitlab.freedesktop.org/polkit/polkit/-/commit/bfa5036bfb93582c5a87c44b847957479d911e38
[3] https://ubuntu.com/security/notices/USN-4980-1
[4] https://bugzilla.redhat.com/show_bug.cgi?id=1961710

Can you fix this targeted please for bullseye and ask the release
team for an unblock?

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: policykit-1
Source-Version: 0.119-1
Done: Simon McVittie <s...@debian.org>

We believe that the bug you reported is fixed in the latest version of
policykit-1, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated policykit-1 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 04 Jun 2021 19:49:26 +0100
Source: policykit-1
Architecture: source
Version: 0.119-1
Distribution: experimental
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Closes: 989429
Changes:
 policykit-1 (0.119-1) experimental; urgency=medium
 .
   * New upstream release
     - Fixes local privilege escalation involving
       polkit_system_bus_name_get_creds_sync() (CVE-2021-3560)
       (Closes: #989429)
   * d/missing, d/rules: Work around missing docs/polkit/overview.xml etc.
     in 0.119 tarball
   * Build using Meson
   * d/p/build-Remove-redundant-computation-of-dbus-data-directory.patch,
     d/p/build-Don-t-require-dbus-development-files.patch,
     d/p/meson_post_install-Use-geteuid-instead-of-getpass.patch,
     d/p/meson_post_install-Don-t-fail-if-the-polkitd-user-doesn-t.patch,
     d/p/meson_post_install-If-installation-steps-are-skipped-say-.patch,
     d/p/meson_post_install-Don-t-install-pkexec-group-writable.patch,
     d/p/meson_post_install-Don-t-make-programs-setuid-if-we-are-n.patch,
     d/p/meson_post_install-Respect-DESTDIR-for-absolute-paths.patch,
     d/p/build-Make-the-directory-for-helper-executables-consisten.patch:
     Add some patches to improve the Meson build system
   * d/missing, d/rules: Get mocklibc into the right layout for the build
   * Stop providing static libraries.
     The Meson build infrastructure only supports shared libraries, and the
     static libraries built by Autotools were already not particularly
     useful, because they indirectly depend on the libmount shared library.


--- End Message ---
