Report forwarded to debian-bugs-dist@lists.debian.org, Brian Bassett <brianb@debian.org>: Bug#334350; Package flexbackup.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Brian Bassett <brianb@debian.org>.
Package: flexbackup
Severity: grave
Tags: security
"ZATAZ Audits" has published an advisory concerning flexbackup. Based
on a cursory investigation of the source package, Debian is affected
as well.
From: ZATAZ Audits <exploits@zataz.net>
Subject: [Full-disclosure] flexbackup default config insecure temporary file creation
Date: Mon, 17 Oct 2005 10:06:06 +0200
Organization: ZATAZ Audits
Message-ID: <43535B6E.2050005@zataz.net>
#########################################################
flexbackup default config insecure temporary file creation
Vendor: http://flexbackup.sourceforge.net/
Advisory: http://www.zataz.net/adviso/flexbackup-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low
#########################################################
The vulnerabilities are due to insecure temporary file creation resulting
from a default config.
[...]
Information forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, secure-testing-team@lists.alioth.debian.org, Brian Bassett <brianb@debian.org>: Bug#334350; Package flexbackup.
Acknowledgement sent to Alec Berryman <alec@thened.net>:
Extra info received and forwarded to list. Copy sent to security@debian.org, secure-testing-team@lists.alioth.debian.org, Brian Bassett <brianb@debian.org>.
Source: flexbackup
Source-Version: 1.2.1-3
We believe that the bug you reported is fixed in the latest version of
flexbackup, which is due to be installed in the Debian FTP archive:
flexbackup_1.2.1-3.diff.gz
to pool/main/f/flexbackup/flexbackup_1.2.1-3.diff.gz
flexbackup_1.2.1-3.dsc
to pool/main/f/flexbackup/flexbackup_1.2.1-3.dsc
flexbackup_1.2.1-3_all.deb
to pool/main/f/flexbackup/flexbackup_1.2.1-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 334350@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <anibal@debian.org> (supplier of updated flexbackup package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sun, 10 Sep 2006 11:23:47 +1000
Source: flexbackup
Binary: flexbackup
Architecture: source all
Version: 1.2.1-3
Distribution: unstable
Urgency: high
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Anibal Monsalve Salazar <anibal@debian.org>
Description:
flexbackup - Flexible backup tool for small to medium sized installations
Closes: 250615 273750 293884 312259 334350
Changes:
flexbackup (1.2.1-3) unstable; urgency=high
.
* QA upload.
* Fixed "CVE-2005-4802: default config insecure temporary file creation".
Patch by Alec Berryman <alec@thened.net>. Closes: #334350.
* Fixed "sub backup_dump does not use %path hash for dump". Patch by
Artem Chuprina <ran@ran.pp.ru>. Closes: #293884.
* Fixed "flexbackup unable to complete a backup". Patch by
Jose Luis Fernandez Barros <jlinform@worldonline.es>. Closes: #273750.
* Fixed man page errors. Closes: #250615, #312259.
* Fixed the following lintian messages:
W: out-of-date-standards-version 3.6.1 (current is 3.7.2)
E: build-depends-indep-should-be-build-depends debhelper
W: old-fsf-address-in-copyright-file
E: depends-on-essential-package-without-using-version recommends: tar
Files:
fbb3fd9c7ad9a5c33f0080d69aaea4df 575 admin optional flexbackup_1.2.1-3.dsc
0a99efeb959de0f051dbc2ba51ce29a6 4305 admin optional flexbackup_1.2.1-3.diff.gz
24034de62ec29936d4e08ef6d9e49563 76160 admin optional flexbackup_1.2.1-3_all.deb
Bug reopened, originator set to Anibal Monsalve Salazar <anibal@debian.org>.
Request was from Aníbal Monsalve Salazar <anibal@debian.org>
to control@bugs.debian.org.
Tags added: sarge
Request was from Aníbal Monsalve Salazar <anibal@debian.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>: Bug#334350; Package flexbackup.
Acknowledgement sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>.
found 334350 1.2.1-2
close 334350 1.2.1-3
thanks
On Sun, Sep 10, 2006 at 01:26:21PM +1000, Aníbal Monsalve Salazar wrote:
> reopen 334350 Anibal Monsalve Salazar <anibal@debian.org>
> tags 334350 sarge
> thanks
I'm sorry, but this won't work anymore; if you reopen a bug, you remove all
its version tracking information, and it shows up as applicable to etch and
sid. I'm setting it as found in the stable version and fixed in
testing/unstable; this will mark it as “closed” with the old-style statuses,
but it's still marked as open in stable with the version tracking:
http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=flexbackup;dist=stable
HTH :-)
/* Steinar */
--
Homepage: http://www.sesse.net/
Bug marked as found in version 1.2.1-2.
Request was from "Steinar H. Gunderson" <sgunderson@bigfoot.com>
to control@bugs.debian.org.
Bug marked as fixed in version 1.2.1-3, send any further explanations to Anibal Monsalve Salazar <anibal@debian.org>
Request was from "Steinar H. Gunderson" <sgunderson@bigfoot.com>
to control@bugs.debian.org.
Reply sent to kbk@shore.net (Kurt B. Kaiser):
You have taken responsibility.
Notification sent to Anibal Monsalve Salazar <anibal@debian.org>:
Bug acknowledged by developer.
Subject: Bug#334350: fixed in flexbackup 1.2.1-2sarge1
Date: Sat, 17 Feb 2007 12:10:01 +0000
Source: flexbackup
Source-Version: 1.2.1-2sarge1
We believe that the bug you reported is fixed in the latest version of
flexbackup, which is due to be installed in the Debian FTP archive:
flexbackup_1.2.1-2sarge1.diff.gz
to pool/main/f/flexbackup/flexbackup_1.2.1-2sarge1.diff.gz
flexbackup_1.2.1-2sarge1.dsc
to pool/main/f/flexbackup/flexbackup_1.2.1-2sarge1.dsc
flexbackup_1.2.1-2sarge1_all.deb
to pool/main/f/flexbackup/flexbackup_1.2.1-2sarge1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 334350@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt B. Kaiser <kbk@shore.net> (supplier of updated flexbackup package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 7 Oct 2006 16:27:37 -0700
Source: flexbackup
Binary: flexbackup
Architecture: source all
Version: 1.2.1-2sarge1
Distribution: stable-security
Urgency: high
Maintainer: Kurt B. Kaiser <kbk@shore.net>
Changed-By: Kurt B. Kaiser <kbk@shore.net>
Description:
flexbackup - Flexible backup tool for small to medium sized installations
Closes: 334350
Changes:
flexbackup (1.2.1-2sarge1) stable-security; urgency=high
.
* Fix RC bug: unsafe use of temp file, CVE-2005-4802. (Closes: #334350)
http://bugs.gentoo.org/show_bug.cgi?id=105000
http://bugs.gentoo.org/show_bug.cgi?id=116510
Files:
06539319d0534272e216306562677723 587 admin optional flexbackup_1.2.1-2sarge1.dsc
4955c89dbee354248f354a9bf0a480dd 80158 admin optional flexbackup_1.2.1.orig.tar.gz
3365f545bd49464f4e58bacc503f8b28 3546 admin optional flexbackup_1.2.1-2sarge1.diff.gz
240f8792a65a0d80b8ef85d4343a4827 75836 admin optional flexbackup_1.2.1-2sarge1_all.deb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Jun 2007 13:46:21 GMT)