Your message dated Sat, 14 Jan 2017 12:37:03 +0000 with message-id <1484397423.1091.25.ca...@adam-barratt.org.uk> and subject line Closing requests included in today's point release has caused the Debian Bug report #849467, regarding jessie-pu: package hplip/3.14.6-1+deb8u1 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 849467: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849467 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu Dear RT, I'd like to get CVE-2015-0839 fixed in jessie, it's a no-DSA issue, and security team members suggested to get it fixed through stable updates. This bug is a simple 'fetching gpg key from keyservers with a short keyid' problem, and upstream's fix is to use the full fingerprint. The debdiff is attached. Cheers, OdyXdiff -Nru hplip-3.14.6/debian/changelog hplip-3.14.6/debian/changelog --- hplip-3.14.6/debian/changelog 2014-06-15 09:24:19.000000000 +0200 +++ hplip-3.14.6/debian/changelog 2016-12-27 09:13:54.000000000 +0100 @@ -1,3 +1,11 @@ +hplip (3.14.6-1+deb8u1) stable; urgency=medium + + * Backport CVE-2015-0839 fix from upstream's 3.15.7: use full gpg key + fingerprint when fetching key from keyservers + (Closes: #787353, LP: #1432516) + + -- Didier Raboud <o...@debian.org> Tue, 27 Dec 2016 09:13:54 +0100 + hplip (3.14.6-1) unstable; urgency=low * New upstream release diff -Nru hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch --- hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch 1970-01-01 01:00:00.000000000 +0100 +++ hplip-3.14.6/debian/patches/cve-2015-0839-insecure-binary-driver-verification.patch 2016-12-27 09:10:11.000000000 +0100 @@ -0,0 +1,19 @@ +Description: Use the full key fingerprint, to fix insecure binary driver verification +Bug-CVE: CVE-2015-0839 +Bug-Upstream: https://bugs.launchpad.net/hplip/+bug/1432516 +Bug-Debian: https://bugs.debian.org/787353 +Origin: vendor +Last-Update: 2015-07-15 + +--- a/base/validation.py ++++ b/base/validation.py +@@ -40,8 +40,7 @@ + + + class GPG_Verification(DigiSign_Verification): +- +- def __init__(self, pgp_site = 'pgp.mit.edu', key = 0xA59047B9): ++ def __init__(self, pgp_site = 'pgp.mit.edu', key = 0x4ABA2F66DBD5A95894910E0673D770CDA59047B9): + self.__pgp_site = pgp_site + self.__key = key + self.__gpg = utils.which('gpg',True) diff -Nru hplip-3.14.6/debian/patches/series hplip-3.14.6/debian/patches/series --- hplip-3.14.6/debian/patches/series 2014-04-04 17:05:13.000000000 +0200 +++ hplip-3.14.6/debian/patches/series 2016-12-27 09:04:13.000000000 +0100 @@ -18,3 +18,4 @@ #hp-mkuri-libnotify-so-4-support.dpatch hpaio-option-duplex.diff musb-c-do-not-crash-on-usb-failure.patch +cve-2015-0839-insecure-binary-driver-verification.patch
--- End Message ---
--- Begin Message ---Version: 8.7 Hi, Each of these bugs refers to an update that was included in today's 8.7 point release. Regards, Adam
--- End Message ---
