Debian Bug report logs - #439392
backup-manager: password disclosure in backup uploads

version graph

Package: backup-manager; Maintainer for backup-manager is Sven Joachim <svenjoac@gmx.de>; Source for backup-manager is src:backup-manager.

Reported by: Micha Lenk <micha@lenk.info>

Date: Fri, 24 Aug 2007 19:06:02 UTC

Severity: critical

Tags: security

Found in version backup-manager/0.7.5-3

Fixed in versions backup-manager/0.7.6-3, backup-manager/0.5.7-1sarge2, backup-manager/0.7.5-4

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugzilla.backup-manager.org/cgi-bin/show_bug.cgi?id=173

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Alexis Sukrieh <sukria@debian.org>:
Bug#439392; Package backup-manager. Full text and rfc822 format available.

Acknowledgement sent to Micha Lenk <micha@lenk.info>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Alexis Sukrieh <sukria@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Micha Lenk <micha@lenk.info>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: backup-manager: password disclosure in backup uploads
Date: Fri, 24 Aug 2007 21:02:58 +0200
Package: backup-manager
Version: 0.7.5-3
Severity: critical
Tags: security
Justification: root security hole

Hi,

I just discovered that backup-manager disclosures the FTP password
during a running FTP upload in the process list.

A user which has shell access on the computer simply needs to run the command

   ps wax | grep backup-manager
   
to get the FTP username, hostname and password. The output is something
like (I replaced here the sensitive data by FTPHOST, FTPUSER and FTPPASS):

 3796 pts/1    SN+    0:00 /bin/bash /usr/sbin/backup-manager -v
12647 pts/1    RN+    0:47 /usr/bin/perl /usr/bin/backup-manager-upload -v --ftp-purge -m=ftp -h=FTPHOST -u=FTPUSER -p=FTPPASS ...

With these data the attacking user is able to login into the same FTP
space where the archives created by backup-manager are uploaded to. So
the attacking user is also able to simply download these archive and
extract them as a normal user -- with full access on all included files,
even on those originally accessible by root only. :-(

Have a nice day
   Micha


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages backup-manager depends on:
ii  debconf [debconf-2.0]         1.5.11     Debian configuration management sy
ii  findutils                     4.2.28-1   utilities for finding files--find,
ii  gzip                          1.3.5-15   The GNU compression utility
ii  ucf                           2.0020     Update Configuration File: preserv

backup-manager recommends no packages.

-- debconf information excluded



Noted your statement that Bug has been forwarded to http://bugzilla.backup-manager.org/cgi-bin/show_bug.cgi?id=173. Request was from Micha Lenk <micha@lenk.info> to control@bugs.debian.org. (Sun, 26 Aug 2007 18:00:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>:
Bug#439392; Package backup-manager. Full text and rfc822 format available.

Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>. Full text and rfc822 format available.

Message #12 received at 439392@bugs.debian.org (full text, mbox):

From: Alexis Sukrieh <sukria@sukria.net>
To: 439392-submitter@bugs.debian.org, 439392@bugs.debian.org, team@security.debian.org
Subject: [backup-manager] Fix proposed upstream
Date: Wed, 29 Aug 2007 11:49:26 +0200
Hello,

A fix has been proposed and is waiting for approval by the development 
team upstream. We welcome very much the Debian's point of view of the 
solution submited here.

patch:
  http://bugzilla.backup-manager.org/cgi-bin/attachment.cgi?id=64

  use private temp file for passing the password to b-m-u

  This way we hide the password in a file which is readable only by the
  user who launched backup-manager, and saved in his home directory.
  backup-manager-upload is passed the path to that file instead of the
  password itself.

Feel free to comment on.

Regards,

-- 
Alexis Sukrieh



Message sent on to Micha Lenk <micha@lenk.info>:
Bug#439392. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>:
Bug#439392; Package backup-manager. Full text and rfc822 format available.

Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>. Full text and rfc822 format available.

Message #20 received at 439392@bugs.debian.org (full text, mbox):

From: Alexis Sukrieh <sukria@sukria.net>
To: 439392@bugs.debian.org
Cc: 439392-submitter@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#439392: [backup-manager] Fix proposed upstream
Date: Wed, 29 Aug 2007 12:06:15 +0200
Alexis Sukrieh wrote:
> Hello,
> 
> A fix has been proposed and is waiting for approval by the development 
> team upstream. We welcome very much the Debian's point of view of the 
> solution submited here.

Please, ignore that patch. There is cleaner solution which is using the 
environement variable already exported by the first script.

Sorry for the noise.

The patch that will be procvided upstream will be about reading 
$ENV{BM_UPLOAD_FTP_PASSWORD} instead of taking it from the command line.

Regards.

-- 
Alexis Sukrieh



Message sent on to Micha Lenk <micha@lenk.info>:
Bug#439392. Full text and rfc822 format available.

Reply sent to Alexis Sukrieh <sukria@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Micha Lenk <micha@lenk.info>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #28 received at 439392-close@bugs.debian.org (full text, mbox):

From: Alexis Sukrieh <sukria@debian.org>
To: 439392-close@bugs.debian.org
Subject: Bug#439392: fixed in backup-manager 0.7.6-3
Date: Thu, 30 Aug 2007 16:47:02 +0000
Source: backup-manager
Source-Version: 0.7.6-3

We believe that the bug you reported is fixed in the latest version of
backup-manager, which is due to be installed in the Debian FTP archive:

backup-manager-doc_0.7.6-3_all.deb
  to pool/main/b/backup-manager/backup-manager-doc_0.7.6-3_all.deb
backup-manager_0.7.6-3.diff.gz
  to pool/main/b/backup-manager/backup-manager_0.7.6-3.diff.gz
backup-manager_0.7.6-3.dsc
  to pool/main/b/backup-manager/backup-manager_0.7.6-3.dsc
backup-manager_0.7.6-3_all.deb
  to pool/main/b/backup-manager/backup-manager_0.7.6-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 439392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexis Sukrieh <sukria@debian.org> (supplier of updated backup-manager package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 30 Aug 2007 18:24:14 +0200
Source: backup-manager
Binary: backup-manager backup-manager-doc
Architecture: source all
Version: 0.7.6-3
Distribution: unstable
Urgency: high
Maintainer: Alexis Sukrieh <sukria@debian.org>
Changed-By: Alexis Sukrieh <sukria@debian.org>
Description: 
 backup-manager - command-line backup tool
 backup-manager-doc - documentation package for Backup Manager
Closes: 439392
Changes: 
 backup-manager (0.7.6-3) unstable; urgency=high
 .
   * Backport from the stable upstream branch for closing a security issue
     (password disclosure during FTP uploads).
     (closes: #439392)
Files: 
 a0a7141e7f973718eb493d9896521dc3 744 admin optional backup-manager_0.7.6-3.dsc
 a0f986c3b4a015b63786f4ab124efb8e 82039 admin optional backup-manager_0.7.6-3.diff.gz
 6d1c683b8896acad01d013e31259b118 114594 admin optional backup-manager_0.7.6-3_all.deb
 31f731a074c1e0bd69725ca1aaf69a14 212468 doc optional backup-manager-doc_0.7.6-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG1vDzRg1L1x7l3TQRAnZuAJ4nZwKDjX9AXoYw8G7tBh6Jc8rq3QCfYELY
Tn9lEJjQRXB9DugMoNbza/I=
=6aXp
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>:
Bug#439392; Package backup-manager. Full text and rfc822 format available.

Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>. Full text and rfc822 format available.

Message #33 received at 439392@bugs.debian.org (full text, mbox):

From: Alexis Sukrieh <sukria@sukria.net>
To: team@security.debian.org
Cc: 439392@bugs.debian.org
Subject: Re: Bug#439392: [backup-manager] Fix proposed upstream
Date: Thu, 30 Aug 2007 18:57:51 +0200
[Message part 1 (text/plain, inline)]
Alexis Sukrieh wrote:
> The patch that will be procvided upstream will be about reading 
> $ENV{BM_UPLOAD_FTP_PASSWORD} instead of taking it from the command line.

Hi,

I've just uploaded a patched version to sid (0.7.6-4) and have prepared 
a fix for the stable package.

Find attached a patch to apply to the stable package (0.7.5-3).
I also attached the .dsc and .diff.gz resulting of the build for stable.

Feel free to tell me if you need anything else for closing the bug in 
stable.

PS: I did as it's documented in the developer's reference and did not 
upload anything to stable-proposed-update as this is about security:

http://www.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-bug-security

I hope I did right.

Regards,

-- 
Alexis Sukrieh
[backup-manager-patch.439392.diff (text/plain, inline)]
diff -ubBrN backup-manager-0.7.5-3/debian/changelog backup-manager-0.7.5-4/debian/changelog
--- backup-manager-0.7.5-3/debian/changelog	2007-08-30 18:51:51.000000000 +0200
+++ backup-manager-0.7.5-4/debian/changelog	2007-08-30 18:51:38.000000000 +0200
@@ -1,3 +1,10 @@
+backup-manager (0.7.5-4) stable; urgency=low
+
+  * Backport from unstable (version 0.7.6-4) for closing a security issue: FTP
+    password disclosure during FTP uploads.
+
+ -- Alexis Sukrieh <sukria@debian.org>  Thu, 30 Aug 2007 18:44:17 +0200
+
 backup-manager (0.7.5-3) unstable; urgency=low
 
   * Fixed typo in the spanish debconf translation (thanks to David Gil).
diff -ubBrN backup-manager-0.7.5-3/debian/patches/00list backup-manager-0.7.5-4/debian/patches/00list
--- backup-manager-0.7.5-3/debian/patches/00list	2007-08-30 18:51:51.000000000 +0200
+++ backup-manager-0.7.5-4/debian/patches/00list	2007-08-30 18:51:38.000000000 +0200
@@ -3,3 +3,4 @@
 04_backup-manager.conf.tpl.dpatch
 05_cdrecord_to_wodim.dpatch
 06_VERSION.dpatch
+07_security_439392.dpatch
diff -ubBrN backup-manager-0.7.5-3/debian/patches/07_security_439392.dpatch backup-manager-0.7.5-4/debian/patches/07_security_439392.dpatch
--- backup-manager-0.7.5-3/debian/patches/07_security_439392.dpatch	1970-01-01 01:00:00.000000000 +0100
+++ backup-manager-0.7.5-4/debian/patches/07_security_439392.dpatch	2007-08-30 18:51:38.000000000 +0200
@@ -0,0 +1,58 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 07_security_439392.dpatch by Alexis Sukrieh <sukria@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Backport from unstable for closing the security issue (bug #439392)
+
+@DPATCH@
+diff -urNad backup-manager-0.7.5~/backup-manager-upload backup-manager-0.7.5/backup-manager-upload
+--- backup-manager-0.7.5~/backup-manager-upload	2006-09-16 18:48:17.000000000 +0200
++++ backup-manager-0.7.5/backup-manager-upload	2007-08-30 18:43:03.000000000 +0200
+@@ -904,13 +904,24 @@
+ }
+ 
+ if ($g_protocol eq 'ftp' and not defined $g_pass) {
+-	print $BackupManager::Config::usage, "\n";
+-	exit E_INVALID;
++    # try to read the password from the environment
++    if (defined $ENV{BM_UPLOAD_FTP_PASSWORD}) {
++        $g_pass = $ENV{BM_UPLOAD_FTP_PASSWORD};
++    }
++    else {
++    	print $BackupManager::Config::usage, "\n";
++    	exit E_INVALID;
++    }
+ }
+ 
+ if ($g_protocol eq 's3' and (not defined $g_bucket or not defined $g_pass)) {
+-	print $BackupManager::Config::usage, "\n";
+-	exit E_INVALID;
++    if (! defined $g_pass && defined $ENV{BM_UPLOAD_S3_SECRET_KEY}) {
++        $g_pass = $ENV{BM_UPLOAD_S3_SECRET_KEY};
++    }
++    else {
++	    print $BackupManager::Config::usage, "\n";
++	    exit E_INVALID;
++    }
+ }
+ 
+ if ($g_protocol eq 'ssh-gpg' and (not defined $g_gpg_recipient)) {        
+diff -urNad backup-manager-0.7.5~/lib/upload-methods.sh backup-manager-0.7.5/lib/upload-methods.sh
+--- backup-manager-0.7.5~/lib/upload-methods.sh	2006-09-16 18:48:17.000000000 +0200
++++ backup-manager-0.7.5/lib/upload-methods.sh	2007-08-30 18:42:16.000000000 +0200
+@@ -133,7 +133,6 @@
+         -m="ftp" \
+         -h="$bm_upload_hosts" \
+         -u="$BM_UPLOAD_FTP_USER" \
+-        -p="$BM_UPLOAD_FTP_PASSWORD" \
+         -d="$BM_UPLOAD_FTP_DESTINATION" \
+         -r="$BM_REPOSITORY_ROOT" today 2>$logfile|| 
+     error "Error reported by backup-manager-upload for method \"ftp\", check \"\$logfile\"."
+@@ -164,7 +163,6 @@
+         -m="s3" \
+         -h="$bm_upload_hosts" \
+         -u="$BM_UPLOAD_S3_ACCESS_KEY" \
+-        -p="$BM_UPLOAD_S3_SECRET_KEY" \
+         -b="$BM_UPLOAD_S3_DESTINATION" \
+         -r="$BM_REPOSITORY_ROOT" today 2>$logfile || 
+     error "Error reported by backup-manager-upload for method \"s3\", check \"\$logfile\"."
[backup-manager_0.7.5-4.diff.gz (application/x-gzip, inline)]
[backup-manager_0.7.5-4.dsc (text/plain, inline)]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.0
Source: backup-manager
Binary: backup-manager, backup-manager-doc
Architecture: all
Version: 0.7.5-4
Maintainer: Alexis Sukrieh <sukria@debian.org>
Standards-Version: 3.7.2
Build-Depends: po-debconf, debhelper (>= 5), dpatch
Build-Depends-Indep: debiandoc-sgml, tetex-bin, tetex-extra
Files: 
 76e1c9cea0b8fb210d3862fd89e09c08 159855 backup-manager_0.7.5.orig.tar.gz
 1a5a05204716f704b1cc92b7c774bcdd 97176 backup-manager_0.7.5-4.diff.gz
Vcs-Svn: svn://svn.debian.org/svn/pkg-backup-mngr/trunk/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG1vTVRg1L1x7l3TQRAnoyAJ90FuOqC3YwUBOPyRoiHmnJelMLNwCfa6lm
LUkBcKEjme4WVQhdlSWXg5w=
=e1b6
-----END PGP SIGNATURE-----
[backup-manager_0.7.5-4_i386.changes (text/plain, inline)]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 30 Aug 2007 18:44:17 +0200
Source: backup-manager
Binary: backup-manager backup-manager-doc
Architecture: source all
Version: 0.7.5-4
Distribution: stable
Urgency: low
Maintainer: Alexis Sukrieh <sukria@debian.org>
Changed-By: Alexis Sukrieh <sukria@debian.org>
Description: 
 backup-manager - command-line backup tool
 backup-manager-doc - documentation package for Backup Manager
Changes: 
 backup-manager (0.7.5-4) stable; urgency=low
 .
   * Backport from unstable (version 0.7.6-4) for closing a security issue: FTP
     password disclosure during FTP uploads.
Files: 
 e54f240d0f2f6d5883be06564ce607e4 744 admin optional backup-manager_0.7.5-4.dsc
 1a5a05204716f704b1cc92b7c774bcdd 97176 admin optional backup-manager_0.7.5-4.diff.gz
 901d1a4754e836a965378b87fd7073c3 109546 admin optional backup-manager_0.7.5-4_all.deb
 6345abaf592fcb35e4594d31677010dd 206202 doc optional backup-manager-doc_0.7.5-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG1vTaRg1L1x7l3TQRAoRnAJsHZ8b3A0tmNzy7qcv0aHNH4HewFQCeL3ki
c/vZixlGSSL3FD+eVTZ+VcQ=
=jRl3
-----END PGP SIGNATURE-----

Information forwarded to Alexis Sukrieh <sukria@debian.org>:
Bug#439392; Package backup-manager. Full text and rfc822 format available.

Acknowledgement sent to Micha Lenk <micha@lenk.info>:
Extra info received and forwarded to maintainer. Copy sent to Alexis Sukrieh <sukria@debian.org>. Full text and rfc822 format available.

Message #38 received at 439392-maintonly@bugs.debian.org (full text, mbox):

From: Micha Lenk <micha@lenk.info>
To: 439392-maintonly@bugs.debian.org
Subject: Security Update for Etch?
Date: Tue, 04 Sep 2007 23:10:37 +0200
Hi Alexis,

when will there be a security update available for Debian Etch?

Thanks for your support

Micha



Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>:
Bug#439392; Package backup-manager. Full text and rfc822 format available.

Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>. Full text and rfc822 format available.

Message #43 received at 439392@bugs.debian.org (full text, mbox):

From: Alexis Sukrieh <sukria@sukria.net>
To: Micha Lenk <micha@lenk.info>, 439392@bugs.debian.org
Subject: Re: Bug#439392: Security Update for Etch?
Date: Wed, 05 Sep 2007 09:59:00 +0200
Micha Lenk wrote:
> Hi Alexis,
> 
> when will there be a security update available for Debian Etch?
> 
> Thanks for your support

Hi,

I've submitted a patch for the etch package to the security team. It's 
in their hands and is waiting for approval.

I'm waiting to see it going into the security updates as well ;)

Regards,

-- 
Alexis Sukrieh




Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>:
Bug#439392; Package backup-manager. Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>. Full text and rfc822 format available.

Message #48 received at 439392@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 439392@bugs.debian.org
Subject: Updates for etch and sarge?
Date: Sun, 9 Sep 2007 16:15:47 +0200
Hi,

Thanks for fixing this promptly. Do you intend to supply fixed packages for 
etch and sarge, or are they not vulnerable?


Thanks
Thijs




Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>:
Bug#439392; Package backup-manager. Full text and rfc822 format available.

Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>. Full text and rfc822 format available.

Message #53 received at 439392@bugs.debian.org (full text, mbox):

From: Alexis Sukrieh <sukria@sukria.net>
To: Thijs Kinkhorst <thijs@debian.org>, 439392@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#439392: Updates for etch and sarge?
Date: Mon, 10 Sep 2007 09:54:27 +0200
Thijs Kinkhorst wrote:
> Hi,
> 
> Thanks for fixing this promptly. Do you intend to supply fixed packages for 
> etch and sarge, or are they not vulnerable?

Hi,

The stable package has been submitted to the Security Team. It's 
wqaiting for approval.

Regards,

-- 
Alexis Sukrieh





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Micha Lenk <micha@lenk.info>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #58 received at 439392-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 439392-close@bugs.debian.org
Subject: Bug#439392: fixed in backup-manager 0.5.7-1sarge2
Date: Fri, 21 Mar 2008 07:52:22 +0000
Source: backup-manager
Source-Version: 0.5.7-1sarge2

We believe that the bug you reported is fixed in the latest version of
backup-manager, which is due to be installed in the Debian FTP archive:

backup-manager_0.5.7-1sarge2.diff.gz
  to pool/main/b/backup-manager/backup-manager_0.5.7-1sarge2.diff.gz
backup-manager_0.5.7-1sarge2.dsc
  to pool/main/b/backup-manager/backup-manager_0.5.7-1sarge2.dsc
backup-manager_0.5.7-1sarge2_all.deb
  to pool/main/b/backup-manager/backup-manager_0.5.7-1sarge2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 439392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated backup-manager package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Mar 2008 22:30:05 +0100
Source: backup-manager
Binary: backup-manager
Architecture: source all
Version: 0.5.7-1sarge2
Distribution: oldstable-security
Urgency: high
Maintainer: Alexis Sukrieh <sukria@sukria.net>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 backup-manager - command-line backup tool for GNU Linux
Closes: 439392
Changes: 
 backup-manager (0.5.7-1sarge2) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Fix FTP password disclosure during FTP uploads, based on
     maintainer-supplied patch. Closes: #439392. CVE-2007-4656
Files: 
 fad99430055e40413827e477768dd077 923 admin optional backup-manager_0.5.7-1sarge2.dsc
 4c33c9b8711ca3da4eb7f8f77214c26a 18510 admin optional backup-manager_0.5.7-1sarge2.diff.gz
 05b3fbc927d4ca0e7823a5dca7a1b9b0 30740 admin optional backup-manager_0.5.7-1sarge2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR9xCpmz0hbPcukPfAQI+Vwf7BaXpmmdC9lC7ILEXpnl23eYu0M7S5s7P
gXZVLdrxivBoegS4GLPI8H3IwCCGEr/QIFqZj2Bh3U9cbvii2jvAtsv7n0b1T6E/
CnRQPPNsIcCwFofmDnPeyHoK+6C8fE53H8mS4OuHFVkecSuIh40MHZ3w0n85Unuj
126nGQf1BFuFI4j2deq/6b9VcsYiqDyBqR1XT2MyThW0q1r6nW0UPG1PgaQsC2lN
5SH2fnsd2hJmArrJ/uh07ZqV1vRQgvrtk03+OFDJkJ0kHHwXaayE49R2F9dRWe29
suzkyUQYeKKGGiUGzqGuNMU6dr6RNagWKBsih2NALsLHx5Bp+UfaRQ==
=+krm
-----END PGP SIGNATURE-----





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Micha Lenk <micha@lenk.info>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #63 received at 439392-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 439392-close@bugs.debian.org
Subject: Bug#439392: fixed in backup-manager 0.7.5-4
Date: Fri, 21 Mar 2008 07:52:17 +0000
Source: backup-manager
Source-Version: 0.7.5-4

We believe that the bug you reported is fixed in the latest version of
backup-manager, which is due to be installed in the Debian FTP archive:

backup-manager-doc_0.7.5-4_all.deb
  to pool/main/b/backup-manager/backup-manager-doc_0.7.5-4_all.deb
backup-manager_0.7.5-4.diff.gz
  to pool/main/b/backup-manager/backup-manager_0.7.5-4.diff.gz
backup-manager_0.7.5-4.dsc
  to pool/main/b/backup-manager/backup-manager_0.7.5-4.dsc
backup-manager_0.7.5-4_all.deb
  to pool/main/b/backup-manager/backup-manager_0.7.5-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 439392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated backup-manager package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Mar 2008 22:34:06 +0100
Source: backup-manager
Binary: backup-manager backup-manager-doc
Architecture: source all
Version: 0.7.5-4
Distribution: stable-security
Urgency: high
Maintainer: Alexis Sukrieh <sukria@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 backup-manager - command-line backup tool
 backup-manager-doc - documentation package for Backup Manager
Closes: 439392
Changes: 
 backup-manager (0.7.5-4) stable-security; urgency=high
 .
   * Backport from unstable (version 0.7.6-4) for closing a security issue:
     FTP password disclosure during FTP uploads. Uses maintainer-supplied
     patch. Closes: #439392. CVE-2007-4656.
Files: 
 e63192d8ad7753a47baaae9c9df26f25 1036 admin optional backup-manager_0.7.5-4.dsc
 76e1c9cea0b8fb210d3862fd89e09c08 159855 admin optional backup-manager_0.7.5.orig.tar.gz
 4c4e6282b938b98e9488d44243d7bb96 98048 admin optional backup-manager_0.7.5-4.diff.gz
 bcb8c5d8902e36ac0348c94a84cf04cb 109278 admin optional backup-manager_0.7.5-4_all.deb
 d97a5222cf45f9feb451ffb9c0c66164 219546 doc optional backup-manager-doc_0.7.5-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR9xBVmz0hbPcukPfAQJeUwf8Cxh8WlsiwpC4NvECul6ExmFbaID+UDS+
JF2tENyO9r9TnZAlzTKlHCQK8FdFHndO+/bFM3nzhTGD/2EX9uRSetWPtlzn/eXB
fmP7AtkYoq+pb0ihGYNLhN89z2EeRitVW7OQxr9aZh6un6IGWiwSSpqaV1VTs3mn
h1GB+mIlLbA3FA03uVgN56rHMjsP6oeOJiLA/HyBYpP94w6TtkQyH89wggcH6wvg
SQG9Nqwet8ELq/D9KmYAZevtQE5OTNXSUaJaADhc7JSoGgrHcIA9HchoJklI2VWf
M93gQpSa23CPlquwsvFTaqqY5FX5pgFWrUZ0pch8A7SvDbLK4Xi6Cw==
=1W4A
-----END PGP SIGNATURE-----





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Micha Lenk <micha@lenk.info>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #68 received at 439392-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 439392-close@bugs.debian.org
Subject: Bug#439392: fixed in backup-manager 0.5.7-1sarge2
Date: Sat, 12 Apr 2008 17:54:36 +0000
Source: backup-manager
Source-Version: 0.5.7-1sarge2

We believe that the bug you reported is fixed in the latest version of
backup-manager, which is due to be installed in the Debian FTP archive:

backup-manager_0.5.7-1sarge2.diff.gz
  to pool/main/b/backup-manager/backup-manager_0.5.7-1sarge2.diff.gz
backup-manager_0.5.7-1sarge2.dsc
  to pool/main/b/backup-manager/backup-manager_0.5.7-1sarge2.dsc
backup-manager_0.5.7-1sarge2_all.deb
  to pool/main/b/backup-manager/backup-manager_0.5.7-1sarge2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 439392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated backup-manager package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Mar 2008 22:30:05 +0100
Source: backup-manager
Binary: backup-manager
Architecture: source all
Version: 0.5.7-1sarge2
Distribution: oldstable-security
Urgency: high
Maintainer: Alexis Sukrieh <sukria@sukria.net>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 backup-manager - command-line backup tool for GNU Linux
Closes: 439392
Changes: 
 backup-manager (0.5.7-1sarge2) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Fix FTP password disclosure during FTP uploads, based on
     maintainer-supplied patch. Closes: #439392. CVE-2007-4656
Files: 
 fad99430055e40413827e477768dd077 923 admin optional backup-manager_0.5.7-1sarge2.dsc
 4c33c9b8711ca3da4eb7f8f77214c26a 18510 admin optional backup-manager_0.5.7-1sarge2.diff.gz
 05b3fbc927d4ca0e7823a5dca7a1b9b0 30740 admin optional backup-manager_0.5.7-1sarge2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR9xCpmz0hbPcukPfAQI+Vwf7BaXpmmdC9lC7ILEXpnl23eYu0M7S5s7P
gXZVLdrxivBoegS4GLPI8H3IwCCGEr/QIFqZj2Bh3U9cbvii2jvAtsv7n0b1T6E/
CnRQPPNsIcCwFofmDnPeyHoK+6C8fE53H8mS4OuHFVkecSuIh40MHZ3w0n85Unuj
126nGQf1BFuFI4j2deq/6b9VcsYiqDyBqR1XT2MyThW0q1r6nW0UPG1PgaQsC2lN
5SH2fnsd2hJmArrJ/uh07ZqV1vRQgvrtk03+OFDJkJ0kHHwXaayE49R2F9dRWe29
suzkyUQYeKKGGiUGzqGuNMU6dr6RNagWKBsih2NALsLHx5Bp+UfaRQ==
=+krm
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 10:32:50 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 12:19:34 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.