Debian Bug report logs - #559803
CVE-2009-3736 local privilege escalation

Package: cvsnt; Maintainer for cvsnt is (unknown);

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Mon, 7 Dec 2009 04:54:19 UTC

Severity: grave

Tags: patch, security

Fixed in version cvsnt/2.5.04.3236-1.2

Done: Thorsten Glaser <tg@mirbsd.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Andreas Tscharner <andy@vis.ethz.ch>:
Bug#559803; Package cvsnt. (Mon, 07 Dec 2009 04:54:22 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Andreas Tscharner <andy@vis.ethz.ch>. (Mon, 07 Dec 2009 04:54:22 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2009-3736 local privilege escalation
Date: Sun, 6 Dec 2009 23:53:16 -0500
Package: cvsnt
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the package is not affected, please feel free to close the bug
with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736




Reply sent to Andreas Tscharner <andy@vis.ethz.ch>:
You have taken responsibility. (Mon, 07 Dec 2009 21:42:07 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Mon, 07 Dec 2009 21:42:07 GMT) Full text and rfc822 format available.

Message #10 received at 559803-done@bugs.debian.org (full text, mbox):

From: Andreas Tscharner <andy@vis.ethz.ch>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 559803-done@bugs.debian.org
Subject: Re: Bug#559803: CVE-2009-3736 local privilege escalation
Date: Mon, 07 Dec 2009 22:04:02 +0100
Package: cvsnt
Severity: grave
Tags: security
Version: 2.5.04.3236-1


> The following CVE (Common Vulnerabilities & Exposures) id was
> published for libtool.  I have determined that this package embeds a
> vulnerable copy of the libtool source code.  However, since this is a
> mass bug filing (due to so many packages embedding libtool), I have not
> had time to determine whether the vulnerable code is actually present
> in any of the binary packages. Please determine whether this is the
> case. If the package is not affected, please feel free to close the bug
> with a message containing the details of what you did to check.

cvsnt only uses the embedded libtool if it is not installed on the
system. If it is installed, it uses the installed one.

Best regards
	Andreas
-- 
      ("`-''-/").___..--''"`-._
       `o_ o  )   `-.  (     ).`-.__.`)
       (_Y_.)'  ._   )  `._ `. ``-..-'
     _..`--'_..-_/  /--'_.' .'
    (il).-''  (li).'  ((!.-'

Andreas Tscharner   andy@vis.ethz.ch   ICQ-No. 14356454




Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Tscharner <andy@vis.ethz.ch>:
Bug#559803; Package cvsnt. (Sat, 12 Dec 2009 23:09:12 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Andreas Tscharner <andy@vis.ethz.ch>. (Sat, 12 Dec 2009 23:09:12 GMT) Full text and rfc822 format available.

Message #15 received at 559803@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 559798@bugs.debian.org, 559799@bugs.debian.org, 559800@bugs.debian.org, 559801@bugs.debian.org, 559802@bugs.debian.org, 559803@bugs.debian.org, 559804@bugs.debian.org, 559805@bugs.debian.org, 559806@bugs.debian.org, 559807@bugs.debian.org, 559808@bugs.debian.org, 559809@bugs.debian.org, 559810@bugs.debian.org, 559811@bugs.debian.org, 559812@bugs.debian.org, 559813@bugs.debian.org, 559814@bugs.debian.org, 559815@bugs.debian.org, 559816@bugs.debian.org, 559817@bugs.debian.org, 559818@bugs.debian.org, 559819@bugs.debian.org, 559820@bugs.debian.org, 559821@bugs.debian.org, 559822@bugs.debian.org, 559823@bugs.debian.org, 559824@bugs.debian.org, 559825@bugs.debian.org, 559826@bugs.debian.org, 559827@bugs.debian.org, 559828@bugs.debian.org, 559829@bugs.debian.org, 559830@bugs.debian.org, 559831@bugs.debian.org, 559832@bugs.debian.org, 559833@bugs.debian.org, 559834@bugs.debian.org, 559835@bugs.debian.org, 559836@bugs.debian.org, 559837@bugs.debian.org, 559838@bugs.debian.org, 559839@bugs.debian.org, 559840@bugs.debian.org, 559841@bugs.debian.org, 559842@bugs.debian.org, 559843@bugs.debian.org, 559844@bugs.debian.org, 559845@bugs.debian.org
Subject: CVE-2009-3736 update
Date: Sat, 12 Dec 2009 18:07:00 -0500

Hi all,

It has come to my attention that a lot of maintainers are simply adding
a build-depends on libltdl3-dev to try to solve this problem.  This is
not a sufficient solution since your package will still use the
embedded libtool code copy.  You need to add '--without-included-ltdl'
to your configure arguments to do this right.

A verification, but not really a sufficient proof, is that 
'ldd <your binaries>' shows that the system libtool is being used.

On another note, if your package is affected in either stable or
oldstable, it also must be fixed.  The security team has determined
that this issue is not sufficiently severe to warrant DSAs for the
embedding packages, so instead, you should coordinate a proposed-update
with the release team.

Once you have fixed the problem in unstable (or even before that if
you desire), please open new bugs for stable/oldstable to track the
problem there (if your package is affected).

Thank you for working on this issue.

Mike
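
The verification described in the message above, as an added example that is not part of the original thread: it separates "links the system libltdl" from "still carries the bundled copy" using the object's direct NEEDED entries and its dynamic symbols. The function names, the `libltdl.so.7` soname and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug thread. Classifies how one ELF object gets
# libltdl, from two text inputs:
#   $1  output of `objdump -p OBJECT` (direct NEEDED entries only; ldd also
#       lists transitive ones, so a libltdl line in ldd alone proves little)
#   $2  output of `nm -D OBJECT`      (dynamic symbol table)
classify_ltdl() {
    needed=no defined=no imported=no
    grep -Eq 'NEEDED[[:space:]]+libltdl\.so' "$1" && needed=yes
    # "T" = symbol defined inside this object, "U" = resolved from a library
    grep -Eq '[[:space:]][Tt][[:space:]]+lt_dlopen(ext)?(@.*)?$' "$2" && defined=yes
    grep -Eq '[[:space:]]U[[:space:]]+lt_dlopen(ext)?(@.*)?$' "$2" && imported=yes

    if [ "$defined" = yes ]; then
        echo embedded        # bundled ltdl.c was compiled in, whatever NEEDED says
    elif [ "$needed" = yes ] && [ "$imported" = yes ]; then
        echo system          # direct dependency and the entry point is imported
    else
        # Stripped executables do not export statically linked symbols, so
        # this result cannot rule out an embedded copy.
        echo inconclusive
    fi
}

# Run the classifier against a real file (needs binutils).
check_binary() {
    tmp=$(mktemp -d) || return 1
    objdump -p "$1" > "$tmp/dyn" 2>/dev/null
    nm -D "$1" > "$tmp/sym" 2>/dev/null
    classify_ltdl "$tmp/dyn" "$tmp/sym"
    rm -rf "$tmp"
}

# Constructed sample listings (not taken from a real cvsnt build).
# Usage: sample KIND DIR   -> writes DIR/dyn and DIR/sym
sample() {
    case $1 in
    system)
        printf '  NEEDED               libltdl.so.7\n  NEEDED               libc.so.6\n' > "$2/dyn"
        printf '                 U lt_dlopenext\n                 U lt_dlsym\n' > "$2/sym" ;;
    embedded)
        printf '  NEEDED               libc.so.6\n' > "$2/dyn"
        printf '0000000000012a40 T lt_dlopenext\n0000000000012f10 T lt_dlsym\n' > "$2/sym" ;;
    mixed)
        # Build dependency added, bundled copy still built: the case the
        # message warns about.
        printf '  NEEDED               libltdl.so.7\n  NEEDED               libc.so.6\n' > "$2/dyn"
        printf '0000000000012a40 T lt_dlopenext\n                 U dlopen\n' > "$2/sym" ;;
    stripped)
        printf '  NEEDED               libc.so.6\n' > "$2/dyn"
        printf '                 U dlopen\n                 U malloc\n' > "$2/sym" ;;
    esac
}

# With arguments, classify each named binary: ./check-ltdl.sh /usr/bin/cvsnt
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(check_binary "$f")"
    done
fi
```
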




Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Tscharner <andy@vis.ethz.ch>:
Bug#559803; Package cvsnt. (Sun, 13 Dec 2009 01:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Andreas Tscharner <andy@vis.ethz.ch>. (Sun, 13 Dec 2009 01:00:03 GMT) Full text and rfc822 format available.

Message #20 received at 559803@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 559803@bugs.debian.org
Subject: Re: Bug#559803: CVE-2009-3736 local privilege escalation
Date: Sat, 12 Dec 2009 19:57:23 -0500

reopen 559803
thanks

On Mon, 07 Dec 2009 22:04:02 +0100 Andreas Tscharner wrote:

> Package: cvsnt
> Severity: grave
> Tags: security
> Version: 2.5.04.3236-1
> 
> 
> > The following CVE (Common Vulnerabilities & Exposures) id was
> > published for libtool.  I have determined that this package embeds a
> > vulnerable copy of the libtool source code.  However, since this is a
> > mass bug filing (due to so many packages embedding libtool), I have not
> > had time to determine whether the vulnerable code is actually present
> > in any of the binary packages. Please determine whether this is the
> > case. If the package is not affected, please feel free to close the bug
> > with a message containing the details of what you did to check.
> 
> cvsnt only uses the embedded libtool if it is not installed on the
> system. If it is installed, it uses the installed one.

your package does not currently have a dependency on libltdl, so i don't
see how this could be the case.  please make sure you have done enough
research before closing security issues. thank you.

mike




Bug No longer marked as fixed in versions cvsnt/2.5.04.3236-1 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 15 Dec 2009 22:33:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Tscharner <andy@vis.ethz.ch>:
Bug#559803; Package cvsnt. (Sun, 24 Jan 2010 16:54:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
Extra info received and forwarded to list. Copy sent to Andreas Tscharner <andy@vis.ethz.ch>. (Sun, 24 Jan 2010 16:54:06 GMT) Full text and rfc822 format available.

Message #27 received at 559803@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <tg@mirbsd.de>
To: 559803@bugs.debian.org
Cc: control@bugs.debian.org
Subject: cvsnt: diff for NMU version 2.5.04.3236-1.2
Date: Sun, 24 Jan 2010 16:52:25 +0000 (UTC)
[Message part 1 (text/plain, inline)]
tags 559803 + patch
thanks

Dear Andreas,

I have prepared an NMU for cvsnt (version 2.5.04.3236-1.2) to use
the system libtool/libltdl instead of its own bundled version,
according to Policy §4.13, thus fixing CVE-2009-3736.

As was suggested here at the BSP, I’ll have it uploaded into
unstable instead of a DELAYED/2, since it’s a security issue.

bye,
//mirabilos
-- 
Sometimes they [people] care too much: pretty printers [and syntax highligh-
ting, d.A.] mechanically produce pretty output that accentuates irrelevant
detail in the program, which is as sensible as putting all the prepositions
in English text in bold font.	-- Rob Pike in "Notes on Programming in C"
[cvsnt_2.5.04.3236-1.2.debdiff (text/plain, ATTACHMENT)]
reverted: cvsnt-2.5.04.3236/config.sub
reverted: cvsnt-2.5.04.3236/config.guess
(note, these will be auto-reverted by debian/rules clean anyway, hence
the diff for these is not included for brevity)
diff -u cvsnt-2.5.04.3236/debian/control cvsnt-2.5.04.3236/debian/control
--- cvsnt-2.5.04.3236/debian/control
+++ cvsnt-2.5.04.3236/debian/control
@@ -3,7 +3,8 @@
 Priority: optional
 Maintainer: Andreas Tscharner <andy@vis.ethz.ch>
 Uploaders: Christian Bayle <bayle@debian.org>
-Build-Depends: debhelper (>= 7.0.17), autotools-dev, zlib1g-dev, libexpat1-dev, libssl-dev, libkrb5-dev, comerr-dev, libpcre3-dev, libxml2-dev, libpam0g-dev, unixodbc-dev, libpq-dev, libsqlite3-dev, dpatch
+Build-Depends: debhelper (>= 7.0.17), autotools-dev, zlib1g-dev, libexpat1-dev, libssl-dev, libkrb5-dev, comerr-dev, libpcre3-dev, libxml2-dev, libpam0g-dev, unixodbc-dev, libpq-dev, libsqlite3-dev, dpatch, autoconf (>= 2.61~), automake1.10, libltdl-dev, libtool
+Build-Conflicts: autoconf2.13, automake1.4
 Standards-Version: 3.8.1
 Homepage: http://www.cvsnt.org/wiki/Download
 
diff -u cvsnt-2.5.04.3236/debian/changelog cvsnt-2.5.04.3236/debian/changelog
--- cvsnt-2.5.04.3236/debian/changelog
+++ cvsnt-2.5.04.3236/debian/changelog
@@ -1,3 +1,11 @@
+cvsnt (2.5.04.3236-1.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Use autoreconf in order to use system libltdl instead of the bundled
+    one (upgrading from 1.x to 2.2). (Closes: #559803) (CVE-2009-3736)
+
+ -- Thorsten Glaser <tg@mirbsd.de>  Sun, 24 Jan 2010 15:40:34 +0000
+
 cvsnt (2.5.04.3236-1.1) unstable; urgency=medium
 
   [Jari Aalto]
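
Review bot: the new changelog entry under-documents the upload. It mentions autoreconf only, while the same debdiff also adds Build-Depends and Build-Conflicts, passes `--without-included-ltdl` to configure, rewrites the clean target and replaces the contents of 01_config.dpatch. For an NMU on a security bug, give each of those its own bullet so the maintainer can see everything that changed alongside the CVE fix.
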
diff -u cvsnt-2.5.04.3236/debian/rules cvsnt-2.5.04.3236/debian/rules
--- cvsnt-2.5.04.3236/debian/rules
+++ cvsnt-2.5.04.3236/debian/rules
@@ -27,15 +27,16 @@
 	CFLAGS += -O2
 endif
 
-config.status: configure
+config.status: patch-stamp configure.in
 	dh_testdir
+	autoreconf -fvi
 	# Add here commands to configure the package.
-	CFLAGS="$(CFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info
+	CFLAGS="$(CFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info --without-included-ltdl
 
 
 build: build-stamp
 
-build-stamp:  config.status patch-stamp
+build-stamp:  config.status
 	dh_testdir
 
 	# Add here commands to compile the package.
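
Review bot: nothing in the config.status recipe checks that `--without-included-ltdl` took effect, so a later change to configure.in could bring the bundled copy back without the build noticing. Consider failing the build when the result does not reference the system library, for example an `objdump -p` check for a `NEEDED libltdl.so` entry at the end of build-stamp. A one-line comment above `autoreconf -fvi` saying that it is there to regenerate the build system against the system libtool would also help the next reader.
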
@@ -51,13 +52,22 @@
 
 	# Add here commands to clean up after the build process.
 	[ ! -f Makefile ] || $(MAKE) distclean
-ifneq "$(wildcard /usr/share/misc/config.sub)" ""
-	cp -f /usr/share/misc/config.sub config.sub
-endif
-ifneq "$(wildcard /usr/share/misc/config.guess)" ""
-	cp -f /usr/share/misc/config.guess config.guess
-endif
 
+	rm -rf aclocal.m4 libltdl config.guess config.sub pcre/aclocal.m4 \
+	    pcre/config.h.in pcre/configure pcre/ltmain.sh zlib/zconf.h \
+	    INSTALL config.h.in configure depcomp install-sh ltmain.sh \
+	    missing mkinstalldirs
+	find . -name Makefile.in | while read name; do \
+		test '!' -e "$${name%in}am" || rm -f "$$name"; \
+	done
+	cd libxml && rm -f INSTALL aclocal.m4 config.guess config.h.in \
+	    config.sub configure depcomp install-sh ltmain.sh missing \
+	    mkinstalldirs
+	cd protocols/ntlm && rm -f m4/libtool.m4 m4/ltoptions.m4 \
+	    m4/ltsugar.m4 m4/ltversion.m4 m4/'lt~obsolete.m4' INSTALL \
+	    aclocal.m4 config.guess config.h.in config.sub configure \
+	    depcomp install-sh ltmain.sh missing mkinstalldirs
+	mkdir libltdl
 
 	dh_clean version_check
 
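
Review bot: `mkdir libltdl` at the end of the clean recipe, directly after `rm -rf ... libltdl`, has no comment explaining why an empty directory has to be left behind; please add one. The hard-coded `rm` lists will drift when upstream adds or renames a generated file, and the `find . -name Makefile.in | while read name` loop should use `read -r` so that backslashes in paths are not interpreted.
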
diff -u cvsnt-2.5.04.3236/debian/patches/01_config.dpatch cvsnt-2.5.04.3236/debian/patches/01_config.dpatch
--- cvsnt-2.5.04.3236/debian/patches/01_config.dpatch
+++ cvsnt-2.5.04.3236/debian/patches/01_config.dpatch
@@ -1,28 +1,54 @@
-#! /bin/sh -e
+#! /bin/sh /usr/share/dpatch/dpatch-run
 ## config.dpatch
-## Ralf Treinen <treinen@debian.org>
+## Thorsten Glaser <tg@mirbsd.org>
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
-## DP: replace all config.{guess,sub} by the vesion installed in
-## DP: /usr/share/misc
+## DP: fix autoconf system to work with libtool 2.2
 
-dpatch_patch ()
-{
-	find . -name config.guess -o -name config.sub \
-	 	| tar cf debian/patched/config.guess+sub.tar -T -
-	find . -name config.guess \
-		-exec ln -sf /usr/share/misc/config.guess '{}' \;
-	find . -name config.sub \
-		-exec ln -sf /usr/share/misc/config.sub '{}' \;
-}
+@DPATCH@
 
-dpatch_unpatch ()
-{
-	tar xf debian/patched/config.guess+sub.tar
-}
-
-DPATCH_LIB_NO_DEFAULT=1
-
-. /usr/share/dpatch/dpatch.lib.sh
-
-# arch-tag: 8a610a57-687b-4395-8ff2-79265c0a4eb3
+--- cvsnt-2.5.04.3236.orig/acinclude.m4
++++ cvsnt-2.5.04.3236/acinclude.m4
+@@ -8,7 +8,7 @@
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.  */
+ 
+-AC_DEFUN(ACX_WITH_GSSAPI,[
++AC_DEFUN([ACX_WITH_GSSAPI],[
+ #
+ # Use --with-gssapi[=DIR] to enable GSSAPI support.
+ #
+@@ -487,7 +487,7 @@
+       [$2],
+       [echo "$as_me: failed program was:" >&AS_MESSAGE_LOG_FD
+ cat conftest.$ac_ext >&AS_MESSAGE_LOG_FD
+-m4_ifvaln([$3],[$3])dnl])dnl
++m4_ifvaln([$3],[$3])dnl])
+ ac_compile="$glib_ac_compile_save"
+ rm -f conftest.$ac_objext conftest.err m4_ifval([$1], [conftest.$ac_ext])[]dnl
+ ])# GLIB_CHECK_COMPILE_WARNINGS
+--- cvsnt-2.5.04.3236.orig/configure.in
++++ cvsnt-2.5.04.3236/configure.in
+@@ -23,19 +23,12 @@
+ CFLAGS="$CFLAGS $OPTFLAGS"
+ CXXFLAGS="$CXXFLAGS $OPTFLAGS"
+ 
+-AC_LIBTOOL_DLOPEN
+-AC_LIBLTDL_CONVENIENCE
+-AC_CONFIG_SUBDIRS(libltdl)
++LT_CONFIG_LTDL_DIR([libltdl])
++LT_INIT([dlopen])
++LTDL_INIT([subproject convenience])
+ AC_SUBST(INCLTDL)
+ AC_SUBST(LIBLTDL)
+ 
+-# For broken libtools (eg. the one in debian sarge) where AC_LIBTOOL_PICMODE
+-# is nonfunctional and the defaults are backwards..
+-if test "${with_pic+set}" != set; then
+-   with_pic="yes"
+-fi
+-AC_PROG_LIBTOOL
+-
+ AC_PATH_PROG(PERL, perl, no)
+ AC_PATH_PROG(CSH, csh, no)
+ AC_PATH_PROG(PR, pr, no)
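
Review bot: in the configure.in part, `LT_CONFIG_LTDL_DIR([libltdl])` and `LTDL_INIT([subproject convenience])` keep the in-tree libltdl build wired up, so the choice of the system library rests only on the `--without-included-ltdl` flag in debian/rules. The `## DP:` description should say that, since "fix autoconf system to work with libtool 2.2" does not mention the security purpose. The removed `with_pic="yes"` default also has no replacement in `LT_INIT([dlopen])`; if PIC objects are still required, `LT_INIT([dlopen pic-only])` would make that explicit. The patch is still named 01_config.dpatch although it no longer touches config.guess or config.sub, so a rename would avoid confusion.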

Added tag(s) patch. Request was from Thorsten Glaser <tg@mirbsd.de> to control@bugs.debian.org. (Sun, 24 Jan 2010 16:54:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Tscharner <andy@vis.ethz.ch>:
Bug#559803; Package cvsnt. (Sat, 13 Feb 2010 11:57:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Andreas Tscharner <andy@vis.ethz.ch>. (Sat, 13 Feb 2010 11:57:09 GMT) Full text and rfc822 format available.

Message #34 received at 559803@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Thorsten Glaser <tg@mirbsd.de>
Cc: 559803@bugs.debian.org
Subject: Re: cvsnt: diff for NMU version 2.5.04.3236-1.2
Date: Sat, 13 Feb 2010 12:53:31 +0100

On Sun, Jan 24, 2010 at 04:52:25PM +0000, Thorsten Glaser wrote:
> tags 559803 + patch
> thanks
> 
> Dear Andreas,
> 
> I have prepared an NMU for cvsnt (version 2.5.04.3236-1.2) to use
> the system libtool/libltdl instead of its own bundled version,
> according to Policy §4.13, thus fixing CVE-2009-3736.
> 
> As was suggested here at the BSP, I’ll have it uploaded into
> unstable instead of a DELAYED/2, since it’s a security issue.

Apparently you didn't upload it?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Tscharner <andy@vis.ethz.ch>:
Bug#559803; Package cvsnt. (Sat, 13 Feb 2010 13:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thorsten Glaser <tg@mirbsd.de>:
Extra info received and forwarded to list. Copy sent to Andreas Tscharner <andy@vis.ethz.ch>. (Sat, 13 Feb 2010 13:36:03 GMT) Full text and rfc822 format available.

Message #39 received at 559803@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <tg@mirbsd.de>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 559803@bugs.debian.org
Subject: Re: cvsnt: diff for NMU version 2.5.04.3236-1.2
Date: Sat, 13 Feb 2010 13:24:46 +0000 (UTC)

Moritz Muehlenhoff dixit:

>Apparently you didn't upload it?

Interesting. Must have slipped me to look after my sponsors
(I only became DD the weekend after, and have been first busy
then ill since), although I know I did for some.

I'll upload it ASAP. Thanks for the heads-up!

bye,
//mira"sudo cowbuilder --update"bilos
-- 
Sometimes they [people] care too much: pretty printers [and syntax highligh-
ting, d.A.] mechanically produce pretty output that accentuates irrelevant
detail in the program, which is as sensible as putting all the prepositions
in English text in bold font.	-- Rob Pike in "Notes on Programming in C"




Reply sent to Thorsten Glaser <tg@mirbsd.de>:
You have taken responsibility. (Sat, 13 Feb 2010 15:54:03 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sat, 13 Feb 2010 15:54:03 GMT) Full text and rfc822 format available.

Message #44 received at 559803-close@bugs.debian.org (full text, mbox):

From: Thorsten Glaser <tg@mirbsd.de>
To: 559803-close@bugs.debian.org
Subject: Bug#559803: fixed in cvsnt 2.5.04.3236-1.2
Date: Sat, 13 Feb 2010 15:51:39 +0000

Source: cvsnt
Source-Version: 2.5.04.3236-1.2

We believe that the bug you reported is fixed in the latest version of
cvsnt, which is due to be installed in the Debian FTP archive:

cvsnt_2.5.04.3236-1.2.diff.gz
  to main/c/cvsnt/cvsnt_2.5.04.3236-1.2.diff.gz
cvsnt_2.5.04.3236-1.2.dsc
  to main/c/cvsnt/cvsnt_2.5.04.3236-1.2.dsc
cvsnt_2.5.04.3236-1.2_i386.deb
  to main/c/cvsnt/cvsnt_2.5.04.3236-1.2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559803@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Glaser <tg@mirbsd.de> (supplier of updated cvsnt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA384

Format: 1.8
Date: Sun, 24 Jan 2010 15:40:34 +0000
Source: cvsnt
Binary: cvsnt
Architecture: source i386
Version: 2.5.04.3236-1.2
Distribution: unstable
Urgency: high
Maintainer: Andreas Tscharner <andy@vis.ethz.ch>
Changed-By: Thorsten Glaser <tg@mirbsd.de>
Description: 
 cvsnt      - Improved multiplatform version of the original CVS
Closes: 559803
Changes: 
 cvsnt (2.5.04.3236-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Use autoreconf in order to use system libltdl instead of the bundled
     one (upgrading from 1.x to 2.2). (Closes: #559803) (CVE-2009-3736)
Checksums-Sha1: 
 7a96eb3f6f5d32965d1a7f971ff9ed2e92d02614 1978 cvsnt_2.5.04.3236-1.2.dsc
 55425edb83180e27491d834d877f9928792866dd 11515 cvsnt_2.5.04.3236-1.2.diff.gz
 1472e50d17716d3cfbdc809533c3ef78f68689a3 1214486 cvsnt_2.5.04.3236-1.2_i386.deb
Checksums-Sha256: 
 79b7f611804954b23217504f044a78a2d8face33c5a160f1eca169f97c744bbe 1978 cvsnt_2.5.04.3236-1.2.dsc
 f827a004df7a789be4f4d57bd5a2aa525c2c9aa1f05abf2d6207c52beb39a563 11515 cvsnt_2.5.04.3236-1.2.diff.gz
 500662f210453b3a74176a24014c46a4d920a4cb2571b9502fe095613d6617fb 1214486 cvsnt_2.5.04.3236-1.2_i386.deb
Files: 
 8b38fce33e2522331db63bc972e96068 1978 devel optional cvsnt_2.5.04.3236-1.2.dsc
 d51cc863e40d65ed3ab2ab8c0f3540d2 11515 devel optional cvsnt_2.5.04.3236-1.2.diff.gz
 e5a3b50dc16655996d538b66c241bd96 1214486 devel optional cvsnt_2.5.04.3236-1.2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MirBSD)

-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Nov 2010 07:28:50 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 03:30:54 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.