Simon Horman
2007-Nov-01 06:35 UTC
[Secure-testing-team] CVE-2007-5740: Security Bug in Perdition
I wish to advise that a security vulnerability has been found in perdition which may lead to an attacker being able to execute arbitrary code on the machine running perdition without the need for authentication. Details of the bug can be found at http://archives.neohapsis.com/archives/fulldisclosure/2007-10/0889.html A Patch to resolve the problem has been committed to CVS http://perdition.cvs.sourceforge.net/perdition/perdition/perdition/imap4_in.c?r1=1.45&r2=1.46 A bug-fix release, 1.17.1 has been made. This includes a minimal set of changes on top of 1.17 http://www.vergenet.net/linux/perdition/download/1.17.1/ There are also interim Debian packages under the URL above. This includes packages for testing-security, which can also be found by themselves at: http://packages.vergenet.net/lenny-security/perdition/ I have uploaded the sid packages (1.17.1-1), as well as the testing-stable and testing-unstable packages after consulting with the Debian Security Team. The bug will be hence forth tracked as CVE-2007-5740 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5740 -- Horms H: http://www.vergenet.net/~horms/ W: http://www.valinux.co.jp/en/
Steffen Joeris
2007-Nov-01 07:56 UTC
[Secure-testing-team] CVE-2007-5740: Security Bug in Perdition
Hi Simon On Thu, 1 Nov 2007 05:35:36 pm Simon Horman wrote:> I wish to advise that a security vulnerability has been found in > perdition which may lead to an attacker being able to execute arbitrary > code on the machine running perdition without the need for > authentication.Thank you very much for the information and the great cooperation.> The bug will be hence forth tracked as CVE-2007-5740 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5740As soon as the CVE shows up in the tracker and on the mitre page, I will mark it as fixed in sid accordingly. Do you expect any problems with the migration from unstable to testing? The last uploads show that the package migrated after the quarantine time according to the urgency. Therefore, I suspect that the package should migrate after two days (assuming that all the buildds pick it up). Thus, there should be no need for a DTSA. I will inform you though, if that should change and then give you a go for an upload, if migration does not happen soonish. Thanks again for the efforts and communication. Cheers Steffen -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part. Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20071101/83520f45/attachment.pgp
Simon Horman
2007-Nov-01 09:45 UTC
[Secure-testing-team] CVE-2007-5740: Security Bug in Perdition
On Thu, Nov 01, 2007 at 06:56:33PM +1100, Steffen Joeris wrote:> Hi Simon > > On Thu, 1 Nov 2007 05:35:36 pm Simon Horman wrote: > > I wish to advise that a security vulnerability has been found in > > perdition which may lead to an attacker being able to execute arbitrary > > code on the machine running perdition without the need for > > authentication. > Thank you very much for the information and the great cooperation. > > > The bug will be hence forth tracked as CVE-2007-5740 > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5740 > As soon as the CVE shows up in the tracker and on the mitre page, I will mark > it as fixed in sid accordingly. > > Do you expect any problems with the migration from unstable to testing? The > last uploads show that the package migrated after the quarantine time > according to the urgency. Therefore, I suspect that the package should > migrate after two days (assuming that all the buildds pick it up). Thus, > there should be no need for a DTSA. I will inform you though, if that should > change and then give you a go for an upload, if migration does not happen > soonish.Hi Steffen, thanks for getting back to me. I don''t expect any problems with the migration, as the change is quite minor and it already seems to have built successfully on many architectures. I guess the only problem might be some dependancy related blockage. We should know soon. Just for the record, the 1.17-8+lenny1 packages I prepared and and 1.17.1-1 are be very nearly the same thing. -- Horms H: http://www.vergenet.net/~horms/ W: http://www.valinux.co.jp/en/