Your message dated Sun, 10 May 2009 09:27:35 +0200
with message-id <20090510072735.ga23...@deprecation.cyrius.com>
and subject line Removed
has caused the Debian Bug report #514386,
regarding iceweasel-firegpg: Vulnerability Affecting FireGPG Passphrase and Cleartext Recovery
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
514386: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514386
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: iceweasel-firegpg
Version: 0.5.dfsg-1
Severity: grave
Tags: security
Justification: user security hole

Hi, Debian is currently set to release iceweasel-firegpg in Lenny.
Unfortunately, as the firegpg home page explains, version 0.5 suffers from
some serious security problems. It seems that the gist of it is the unsafe
creation and destruction of 3 temp files.

http://securityvulns.com/Udocument757.html

Upstream did not label their fixing of this in the upstream svn between
0.5.3 and 0.6.0. Three revisions are candidates for the fix: r464, r465, or
r467. r467 is the most likely from a brief glance at the code. However, I do
not have the time or skill to pull the patch from those revisions that will
fix this.

I am hopeful that we can get this resolved before Lenny releases without the
need to pull the severely outdated iceweasel-firegpg package, but I'm not sure
if that is possible.

Cheers,
Daniel

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.28-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



--- End Message ---
--- Begin Message ---
Version: 0.5.dfsg-1+rm

This package was removed from Debian because of security issues.

-- 
Martin Michlmayr
http://www.cyrius.com/


--- End Message ---
