Debian Bug report logs - #448519
libdspam7-drv-mysql: CVE-2007-6418 cron job may disclose dspam database password to users

Package: libdspam7-drv-mysql; Maintainer for libdspam7-drv-mysql is Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org>; Source for libdspam7-drv-mysql is src:dspam.

Reported by: Tobias Gruetzmacher <tobias@portfolio16.de>

Date: Mon, 29 Oct 2007 19:03:01 UTC

Severity: grave

Tags: security

Found in version dspam/3.6.8-5

Fixed in versions dspam/3.6.8-5.1, dspam/3.6.8-6, dspam/3.6.8-5etch1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org>:
Bug#448519; Package libdspam7-drv-mysql. Full text and rfc822 format available.

Acknowledgement sent to Tobias Gruetzmacher <tobias@portfolio16.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Tobias Gruetzmacher <tobias@portfolio16.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libdspam7-drv-mysql: cron job may disclose dspam database password to users
Date: Mon, 29 Oct 2007 20:01:04 +0100
Package: libdspam7-drv-mysql
Version: 3.6.8-5
Severity: grave
Tags: security
Justification: user security hole

The cron job in /etc/cron.daily/libdspam7-drv-mysql calls mysql like
this:

   /usr/bin/mysql --user=$MYSQL_USER --password=$MYSQL_PASS

This makes the database password of the dspam database user visible in
the command line, so users may see it using ps. A malicious local user
can use this to connect to the dspam database and read all recent mail of
dspam users. This bug is easily fixed by using a config file or
environment variable to pass the password to mysql.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.18-5-k7
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages libdspam7-drv-mysql depends on:
ii  dbconfig-common        1.8.29+etch1      common framework for packaging dat
ii  debconf [debconf-2.0]  1.5.11            Debian configuration management sy
ii  libc6                  2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii  libdspam7              3.6.8-5           DSPAM is a scalable and statistica
ii  libldap2               2.1.30-13.3       OpenLDAP libraries
ii  libmysqlclient15off    5.0.32-7etch1     mysql database client library
ii  mysql-client-5.0 [mysq 5.0.32-7etch1     mysql database client binaries
ii  ucf                    2.0020            Update Configuration File: preserv
ii  zlib1g                 1:1.2.3-13        compression library - runtime

Versions of packages libdspam7-drv-mysql recommends:
ii  mysql-server-5.0 [mysql-se 5.0.32-7etch1 mysql database server binaries

-- debconf information excluded




Information forwarded to debian-bugs-dist@lists.debian.org, Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org>:
Bug#448519; Package libdspam7-drv-mysql. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 448519@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 448519@bugs.debian.org
Subject: CVE id assigned
Date: Thu, 20 Dec 2007 22:58:09 +0100
[Message part 1 (text/plain, inline)]
Hi,
CVE-2007-6418[0] was assigned to this issue, please include 
the CVE id in your changelog if you fix this issue.
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Changed Bug title to `libdspam7-drv-mysql: CVE-2007-6418 cron job may disclose dspam database password to users' from `libdspam7-drv-mysql: cron job may disclose dspam database password to users'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 20 Dec 2007 22:33:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org>:
Bug#448519; Package libdspam7-drv-mysql. Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #17 received at 448519@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 448519@bugs.debian.org
Cc: matthijs@cacholong.nl, haas@debian.org, kbk@shore.net, mooch@debian.org, rudolf@faveve.uni-stuttgart.de, aurelien.labrosse@free.fr
Subject: RC/security issue open for 2,5 months
Date: Fri, 11 Jan 2008 10:36:56 +0100 (CET)
Dear dspam maintainers,

This security issue of RC severity has been open for 2,5 months without a
single maintainer response. Is there anything more known about this issue
and is a fix in preparation?


thanks,
Thijs







Information forwarded to debian-bugs-dist@lists.debian.org, Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org>:
Bug#448519; Package libdspam7-drv-mysql. Full text and rfc822 format available.

Acknowledgement sent to Tobias Klauser <tklauser@access.unizh.ch>:
Extra info received and forwarded to list. Copy sent to Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.

Full text and rfc822 format available.


Message #22 received at 448519@bugs.debian.org (full text, mbox):

From: Tobias Klauser <tklauser@access.unizh.ch>
To: 448519@bugs.debian.org
Date: Sun, 13 Jan 2008 00:25:04 +0100
[Message part 1 (text/plain, inline)]
According to the MySQL Reference Manual, Section 5.5.6 [0] the only
solution to securely pass a password to mysql seems to be either by
entering it at the prompt (which is not an option here) or by
specifying it in a properly protected config file.

[0] http://dev.mysql.com/doc/refman/5.0/en/password-security.html
[signature.asc (application/pgp-signature, inline)]
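
Added example, not part of this bug log and not the NMU diff: a POSIX shell sketch of the fix discussed in the messages above, handing the credentials to mysql through a private option file with `--defaults-extra-file` instead of `--password=` on the command line, plus a small audit filter for process listings. The function names, the `MYSQL` override variable and all sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not the Debian patch. write_mysql_defaults,
# run_mysql_quietly, find_cmdline_passwords and the MYSQL override variable
# are hypothetical names.
MYSQL="${MYSQL:-/usr/bin/mysql}"
NL='
'

# Write a [client] option file readable only by the caller; print its path.
write_mysql_defaults() {
    wd_user=$1
    wd_pass=$2
    # Refuse values this sketch cannot represent safely in an option file.
    case "$wd_user$wd_pass" in
        *'"'*|*"$NL"*)
            echo "credentials contain a character this sketch does not handle" >&2
            return 1 ;;
    esac
    # mktemp creates the file with mode 0600; chmod makes the intent explicit.
    wd_cnf=$(mktemp "${TMPDIR:-/tmp}/dspam-mysql.XXXXXX") || return 1
    chmod 600 "$wd_cnf"
    # Option files treat '#' as a comment and '\' as an escape character, so
    # quote the values and double every backslash. printf is a shell builtin,
    # so the secret never appears in another process's argument vector.
    wd_user=$(printf '%s' "$wd_user" | sed 's/\\/\\\\/g')
    wd_pass=$(printf '%s' "$wd_pass" | sed 's/\\/\\\\/g')
    printf '[client]\nuser="%s"\npassword="%s"\n' "$wd_user" "$wd_pass" > "$wd_cnf"
    printf '%s\n' "$wd_cnf"
}

# Run the mysql client with credentials taken from a private option file.
# Remaining arguments are passed through; SQL is read from stdin.
# Hypothetical cron usage:
#   run_mysql_quietly "$MYSQL_USER" "$MYSQL_PASS" "$MYSQL_DB" < purge.sql
run_mysql_quietly() {
    rm_user=$1
    rm_pass=$2
    shift 2
    rm_cnf=$(write_mysql_defaults "$rm_user" "$rm_pass") || return 1
    # --defaults-extra-file has to be the first option on the command line.
    "$MYSQL" --defaults-extra-file="$rm_cnf" "$@" && rm_rc=0 || rm_rc=$?
    rm -f "$rm_cnf"
    return "$rm_rc"
}

# Audit helper: read `ps -eo pid,args` style lines on stdin and print the PID
# of every process whose arguments carry --password=<value>.
find_cmdline_passwords() {
    awk '{ for (i = 2; i <= NF; i++)
               if ($i ~ /^--password=./) { print $1; break } }'
}
```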

Information forwarded to debian-bugs-dist@lists.debian.org, Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org>:
Bug#448519; Package libdspam7-drv-mysql. Full text and rfc822 format available.

Acknowledgement sent to Adrian Friedli <adi@koalatux.ch>:
Extra info received and forwarded to list. Copy sent to Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #27 received at 448519@bugs.debian.org (full text, mbox):

From: Adrian Friedli <adi@koalatux.ch>
To: 448519@bugs.debian.org
Subject: NMU-diff for dspam 3.6.8-5.1
Date: Sun, 13 Jan 2008 18:13:21 +0100
[Message part 1 (text/plain, inline)]
Hallo

I've fixed the cron job for libdspam7-drv-mysql, it fixes CVE-2007-6418[0]. 
Attached is the NMU-diff.

Regards, Adrian
[448519-NMU.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Adrian Friedli <adi@koalatux.ch>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Tobias Gruetzmacher <tobias@portfolio16.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #32 received at 448519-close@bugs.debian.org (full text, mbox):

From: Adrian Friedli <adi@koalatux.ch>
To: 448519-close@bugs.debian.org
Subject: Bug#448519: fixed in dspam 3.6.8-5.1
Date: Sun, 13 Jan 2008 17:47:03 +0000
Source: dspam
Source-Version: 3.6.8-5.1

We believe that the bug you reported is fixed in the latest version of
dspam, which is due to be installed in the Debian FTP archive:

dspam-doc_3.6.8-5.1_all.deb
  to pool/main/d/dspam/dspam-doc_3.6.8-5.1_all.deb
dspam-webfrontend_3.6.8-5.1_all.deb
  to pool/main/d/dspam/dspam-webfrontend_3.6.8-5.1_all.deb
dspam_3.6.8-5.1.diff.gz
  to pool/main/d/dspam/dspam_3.6.8-5.1.diff.gz
dspam_3.6.8-5.1.dsc
  to pool/main/d/dspam/dspam_3.6.8-5.1.dsc
dspam_3.6.8-5.1_i386.deb
  to pool/main/d/dspam/dspam_3.6.8-5.1_i386.deb
libdspam7-dev_3.6.8-5.1_i386.deb
  to pool/main/d/dspam/libdspam7-dev_3.6.8-5.1_i386.deb
libdspam7-drv-db4_3.6.8-5.1_i386.deb
  to pool/main/d/dspam/libdspam7-drv-db4_3.6.8-5.1_i386.deb
libdspam7-drv-mysql_3.6.8-5.1_i386.deb
  to pool/main/d/dspam/libdspam7-drv-mysql_3.6.8-5.1_i386.deb
libdspam7-drv-pgsql_3.6.8-5.1_i386.deb
  to pool/main/d/dspam/libdspam7-drv-pgsql_3.6.8-5.1_i386.deb
libdspam7-drv-sqlite3_3.6.8-5.1_i386.deb
  to pool/main/d/dspam/libdspam7-drv-sqlite3_3.6.8-5.1_i386.deb
libdspam7_3.6.8-5.1_i386.deb
  to pool/main/d/dspam/libdspam7_3.6.8-5.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 448519@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Friedli <adi@koalatux.ch> (supplier of updated dspam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sun, 13 Jan 2008 14:59:25 +0100
Source: dspam
Binary: libdspam7-dev libdspam7-drv-pgsql dspam libdspam7-drv-mysql dspam-webfrontend dspam-doc libdspam7-drv-db4 libdspam7 libdspam7-drv-sqlite3
Architecture: source i386 all
Version: 3.6.8-5.1
Distribution: unstable
Urgency: high
Maintainer: Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org>
Changed-By: Adrian Friedli <adi@koalatux.ch>
Description: 
 dspam      - is a scalable, fast and statistical anti-spam filter
 dspam-doc  - Documentation for dspam
 dspam-webfrontend - DSPAM is a scalable and statistical anti-spam filter
 libdspam7  - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-dev - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-db4 - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-mysql - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-pgsql - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-sqlite3 - DSPAM is a scalable and statistical anti-spam filter
Closes: 448519
Changes: 
 dspam (3.6.8-5.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Giving the password in libdspam7-drv-mysql cronjob in a file instead of
     the command line. CVE-2007-6418[0] (Closes: #448519)





Reply sent to Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Tobias Gruetzmacher <tobias@portfolio16.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #37 received at 448519-close@bugs.debian.org (full text, mbox):

From: Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org>
To: 448519-close@bugs.debian.org
Subject: Bug#448519: fixed in dspam 3.6.8-6
Date: Sat, 26 Jan 2008 14:47:03 +0000
Source: dspam
Source-Version: 3.6.8-6

We believe that the bug you reported is fixed in the latest version of
dspam, which is due to be installed in the Debian FTP archive:

dspam-doc_3.6.8-6_all.deb
  to pool/main/d/dspam/dspam-doc_3.6.8-6_all.deb
dspam-webfrontend_3.6.8-6_all.deb
  to pool/main/d/dspam/dspam-webfrontend_3.6.8-6_all.deb
dspam_3.6.8-6.diff.gz
  to pool/main/d/dspam/dspam_3.6.8-6.diff.gz
dspam_3.6.8-6.dsc
  to pool/main/d/dspam/dspam_3.6.8-6.dsc
dspam_3.6.8-6_i386.deb
  to pool/main/d/dspam/dspam_3.6.8-6_i386.deb
libdspam7-dev_3.6.8-6_i386.deb
  to pool/main/d/dspam/libdspam7-dev_3.6.8-6_i386.deb
libdspam7-drv-db4_3.6.8-6_i386.deb
  to pool/main/d/dspam/libdspam7-drv-db4_3.6.8-6_i386.deb
libdspam7-drv-mysql_3.6.8-6_i386.deb
  to pool/main/d/dspam/libdspam7-drv-mysql_3.6.8-6_i386.deb
libdspam7-drv-pgsql_3.6.8-6_i386.deb
  to pool/main/d/dspam/libdspam7-drv-pgsql_3.6.8-6_i386.deb
libdspam7-drv-sqlite3_3.6.8-6_i386.deb
  to pool/main/d/dspam/libdspam7-drv-sqlite3_3.6.8-6_i386.deb
libdspam7_3.6.8-6_i386.deb
  to pool/main/d/dspam/libdspam7_3.6.8-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 448519@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org> (supplier of updated dspam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat, 26 Jan 2008 13:03:18 +0100
Source: dspam
Binary: dspam dspam-webfrontend libdspam7 libdspam7-dev libdspam7-drv-pgsql libdspam7-drv-mysql libdspam7-drv-db4 libdspam7-drv-sqlite3 dspam-doc
Architecture: source i386 all
Version: 3.6.8-6
Distribution: unstable
Urgency: low
Maintainer: matthijs@cacholong.nl
Changed-By: Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org>
Description: 
 dspam      - is a scalable, fast and statistical anti-spam filter
 dspam-doc  - Documentation for dspam
 dspam-webfrontend - DSPAM is a scalable and statistical anti-spam filter
 libdspam7  - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-dev - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-db4 - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-mysql - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-pgsql - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-sqlite3 - DSPAM is a scalable and statistical anti-spam filter
Closes: 385353 419312 421944 429967 448519 449530 461133 461134 461135 461137
Changes: 
 dspam (3.6.8-6) unstable; urgency=low
 .
   [Kurt B. Kaiser]
   * Acknowledge NMU. Thanks Adrian Friedli.  (Closes: #448519)
   * dspamc should be setgid. (Closes: #449530, Closes: #461133)
   * Daemon crashes sometimes, can't determine user. (Closes: #385353)
   * Don't ignore make clean error in rules. (Closes: #461134)
   * Move to Standards Version 3.7.3.
   * libdspam7-dev should be Section: libdevel.
   * Switch from ${Source-Version} to ${binary:Version} in control file.
   * Remove postgresql-dev, no longer in archive. (Closes: #429967)
   * Add XS-DM-Upload-Allowed field to control file.
   * Eliminate a bashism from libdspam7-drv-mysql.cron.daily (Closes: #461137)
   * dspam-init: create directory for PIDFILE, if it does not exist.
     (Closes: #461135)
   * Eliminate postgresql-client-8.1 dependency. (Closes: #419312)
   * Move from db4.2 to db4.5 build dependency. (Closes: #421944)
   * dspam-init: Remove 'S' from Default-Stop (Lintian).
   * Remove unused dirs from libdspam7-drv-db4, libdspam7-dev,
     and dspam-webfrontend (Lintian).
 .
   [ Matthijs Mohlmann ]
   * Fix lintian warnings.
   * Fix manpages which had a missing NAME section.
   * Remove overrides for mysql and pgsql, not needed anymore.





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Tobias Gruetzmacher <tobias@portfolio16.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #42 received at 448519-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 448519-close@bugs.debian.org
Subject: Bug#448519: fixed in dspam 3.6.8-5etch1
Date: Fri, 11 Apr 2008 19:52:26 +0000
Source: dspam
Source-Version: 3.6.8-5etch1

We believe that the bug you reported is fixed in the latest version of
dspam, which is due to be installed in the Debian FTP archive:

dspam-doc_3.6.8-5etch1_all.deb
  to pool/main/d/dspam/dspam-doc_3.6.8-5etch1_all.deb
dspam-webfrontend_3.6.8-5etch1_all.deb
  to pool/main/d/dspam/dspam-webfrontend_3.6.8-5etch1_all.deb
dspam_3.6.8-5etch1.diff.gz
  to pool/main/d/dspam/dspam_3.6.8-5etch1.diff.gz
dspam_3.6.8-5etch1.dsc
  to pool/main/d/dspam/dspam_3.6.8-5etch1.dsc
dspam_3.6.8-5etch1_i386.deb
  to pool/main/d/dspam/dspam_3.6.8-5etch1_i386.deb
libdspam7-dev_3.6.8-5etch1_i386.deb
  to pool/main/d/dspam/libdspam7-dev_3.6.8-5etch1_i386.deb
libdspam7-drv-db4_3.6.8-5etch1_i386.deb
  to pool/main/d/dspam/libdspam7-drv-db4_3.6.8-5etch1_i386.deb
libdspam7-drv-mysql_3.6.8-5etch1_i386.deb
  to pool/main/d/dspam/libdspam7-drv-mysql_3.6.8-5etch1_i386.deb
libdspam7-drv-pgsql_3.6.8-5etch1_i386.deb
  to pool/main/d/dspam/libdspam7-drv-pgsql_3.6.8-5etch1_i386.deb
libdspam7-drv-sqlite3_3.6.8-5etch1_i386.deb
  to pool/main/d/dspam/libdspam7-drv-sqlite3_3.6.8-5etch1_i386.deb
libdspam7_3.6.8-5etch1_i386.deb
  to pool/main/d/dspam/libdspam7_3.6.8-5etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 448519@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated dspam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sun, 17 Feb 2008 14:50:03 +0100
Source: dspam
Binary: libdspam7-dev libdspam7-drv-pgsql dspam libdspam7-drv-mysql dspam-webfrontend dspam-doc libdspam7-drv-db4 libdspam7 libdspam7-drv-sqlite3
Architecture: source i386 all
Version: 3.6.8-5etch1
Distribution: stable-security
Urgency: high
Maintainer: Debian DSPAM Maintainers <pkg-dspam-misc@lists.alioth.debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 dspam      - is a scalable, fast and statistical anti-spam filter
 dspam-doc  - Documentation for dspam
 dspam-webfrontend - DSPAM is a scalable and statistical anti-spam filter
 libdspam7  - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-dev - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-db4 - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-mysql - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-pgsql - DSPAM is a scalable and statistical anti-spam filter
 libdspam7-drv-sqlite3 - DSPAM is a scalable and statistical anti-spam filter
Closes: 448519
Changes: 
 dspam (3.6.8-5etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Fix leaking of the MySQL password of the dspam database in the
     libdspam7-drv-mysql cronjob (CVE-2007-6418, closes: #448519).
     Thanks Adrian Friedli for the patch.





Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Tobias Gruetzmacher <tobias@portfolio16.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #47 received at 448519-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 448519-close@bugs.debian.org
Subject: Bug#448519: fixed in dspam 3.6.8-5etch1
Date: Sat, 26 Jul 2008 09:40:28 +0000
Source: dspam
Source-Version: 3.6.8-5etch1






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Aug 2008 07:28:36 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 16:34:47 2014; Machine Name: beach.debian.org
