Debian Bug report logs - #605092
Denial of Service vulnerability in the RRDtool and RRDCacheD plugins.


Package: collectd; Maintainer for collectd is Sebastian Harl <tokkee@debian.org>; Source for collectd is src:collectd.

Reported by: Florian Forster <octo@collectd.org>

Date: Sat, 27 Nov 2010 12:03:05 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version collectd/4.4.2-3

Fixed in versions collectd/4.10.1-2.1, collectd/4.10.1-1+squeeze2, collectd/4.4.2-3+lenny1

Done: Steffen Joeris <white@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Sebastian Harl <tokkee@debian.org>:
Bug#605092; Package collectd. (Sat, 27 Nov 2010 12:03:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Florian Forster <octo@collectd.org>:
New Bug report received and forwarded. Copy sent to Sebastian Harl <tokkee@debian.org>. (Sat, 27 Nov 2010 12:03:08 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Florian Forster <octo@collectd.org>
To: submit@bugs.debian.org
Subject: Denial of Service vulnerability in the RRDtool and RRDCacheD plugins.
Date: Sat, 27 Nov 2010 12:49:40 +0100
[Message part 1 (text/plain, inline)]
Package: collectd
Version: 4.4.2-3
Severity: important
Tags: patch, security, upstream, fixed-upstream

When creating a new RRD file, the RRDtool and RRDCacheD plugins
assert(3) that the timestamp included with a value is greater than 10
(i.e. after January 1st, 1970, 00:00:10 UTC). However, this condition is
not actually checked anywhere, making it possible for this assertion to
fail.

In the common scenario that data is received via the Network plugin and
written to disk via the RRDtool or RRDCacheD plugin, it is easily
possible to trigger this problem by sending a specifically crafted
Network packet. If the Network plugin is configured with the "Sign" or
"Encrypt" "security levels", an attacker needs to know the pre-shared
key to trigger the problem. Other plugins, for example the UnixSock and
Exec plugins, can be used to trigger the problem as well. However,
access to these mechanisms is usually not available to the general
public.

The existence of this problem has only been verified in version
4.10.1-1+squeeze1~bpo50+1 of the package, but the offending code first
appeared in version 4.0.8 of collectd (commit 9d52ed5f). It is therefore
safe to assume that all versions since 4.0.8 are vulnerable, including
version 4.4.2-3 included in Debian Lenny.

The issue has been fixed upstream in commit 11893a7c. The fix is
included in the new upstream versions 4.9.4 and 4.10.2. Porting the fix
back to 4.10.1-1+squeeze1 should be trivial.

Regards,
—octo

[0] <http://git.verplant.org/?p=collectd.git;a=commitdiff;h=11893a7c85389e6d8a07d1ee8473294767c7ccb9>
-- 
Florian octo Forster
Hacker in training
GnuPG: 0x0C705A15
http://octo.it/
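
The failure mode described in the report above, as an added illustration that is not part of the original message and is not collectd's source. The struct, the function names and the sample batch are hypothetical and constructed; the asserting variant runs in a child process so the abort can be observed without taking down the caller.

```c
#include <assert.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Constructed stand-in for a value received from an untrusted sender. */
struct sample { const char *host; time_t time; double value; };

/* Vulnerable pattern: assert() is the only guard on sender-controlled data.
 * A failing assert aborts the whole process; with NDEBUG defined the check
 * disappears and a start time <= 0 is passed on instead. */
static time_t start_time_asserted(const struct sample *s)
{
    assert(s->time > 10);
    return s->time - 10;           /* start time for the new RRD file */
}

/* Hardened pattern: validate, log, and let the caller drop the value. */
static int start_time_checked(const struct sample *s, time_t *start)
{
    if (s->time <= 10) {
        fprintf(stderr, "%s: dropping value with timestamp %lld\n",
                s->host, (long long)s->time);
        return -1;
    }
    *start = s->time - 10;
    return 0;
}

/* Run the asserting variant in a child process.
 * Returns the terminating signal, 0 on a normal exit, -1 on error. */
static int signal_from_asserted(const struct sample *s)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        (void)start_time_asserted(s);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* Feed a batch through the checked variant; returns how many were accepted. */
static int accept_batch(const struct sample *batch, size_t n)
{
    int accepted = 0;
    for (size_t i = 0; i < n; i++) {
        time_t start;
        if (start_time_checked(&batch[i], &start) == 0)
            accepted++;
    }
    return accepted;
}

/* Constructed input: one plausible timestamp and three boundary cases. */
static const struct sample constructed_batch[] = {
    {"host-a", 1290858580, 0.42},
    {"host-b", 0, 1.0},
    {"host-c", 10, 2.0},
    {"host-d", 11, 3.0},
};

int main(void)
{
    printf("asserted variant, timestamp 0: signal %d (SIGABRT is %d)\n",
           signal_from_asserted(&constructed_batch[1]), SIGABRT);
    printf("checked variant accepted %d of 4 values\n",
           accept_batch(constructed_batch, 4));
    return 0;
}
```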

Bug Marked as found in versions 1.2.2-1. Request was from Iain Lane <laney@ubuntu.com> to control@bugs.debian.org. (Mon, 29 Nov 2010 14:09:05 GMT) Full text and rfc822 format available.

Bug Marked as found in versions 0.10.2-1. Request was from Iain Lane <laney@ubuntu.com> to control@bugs.debian.org. (Mon, 29 Nov 2010 14:09:05 GMT) Full text and rfc822 format available.

Bug No longer marked as found in versions 1.2.2-1. Request was from Iain Lane <laney@ubuntu.com> to control@bugs.debian.org. (Mon, 29 Nov 2010 14:15:06 GMT) Full text and rfc822 format available.

Bug No longer marked as found in versions 0.10.2-1. Request was from Iain Lane <laney@ubuntu.com> to control@bugs.debian.org. (Mon, 29 Nov 2010 14:15:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Sebastian Harl <tokkee@debian.org>:
Bug#605092; Package collectd. (Thu, 02 Dec 2010 12:30:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <didier@raboud.com>:
Extra info received and forwarded to list. Copy sent to Sebastian Harl <tokkee@debian.org>. (Thu, 02 Dec 2010 12:30:14 GMT) Full text and rfc822 format available.

Message #18 received at 605092@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <didier@raboud.com>
To: Ruud Baart <r.j.baart@prompt.nl>, 605092@bugs.debian.org
Subject: Re: when sh is linked to dash /usr/sbin/amavisd-new-cronjob will not work
Date: Thu, 2 Dec 2010 13:29:19 +0100
[Message part 1 (text/plain, inline)]
reassign 605092 amavisd-new 1:1:2.6.4-2
thanks

On Thursday 2 December 2010 13:12:14, Ruud Baart wrote:
> In /usr/sbin/amavisd-new-cronjob:
> 
> do_amavis_cmd() {
>    if [ "$(id -u -n)" != "${SUUSER}" ]; then
>       exec /bin/su -s /bin/sh - "${SUUSER}" -c "$*" >/dev/null
>    else
>       # to get the same quoting level as the su path
>       CMD="$*"
>       exec ${CMD} >/dev/null
>    fi
> }
> 
> does not work. Change it to:
> 
> do_amavis_cmd() {
>    if [ "$(id -u -n)" != "${SUUSER}" ]; then
>       exec /bin/su -s /bin/bash - "${SUUSER}" -c "$*" >/dev/null
>    else
>       # to get the same quoting level as the su path
>       CMD="$*"
>       exec ${CMD} >/dev/null
>    fi
> }
> 
> and it works again.
> 
> This script is called /etc/cron.daily/amavisd-/usr/sbin/amavisd-new:
> /usr/sbin/amavisd-new-cronjob sa-clean
> 
> This problem can also be seen as an amavisd-new problem.

It is an amavisd-new problem… Hence reassigning.

Cheers, 
OdyX

-- 
Didier Raboud, proud Debian Maintainer (DM).
CH-1020 Renens
didier@raboud.com

Bug reassigned from package 'collectd' to 'amavisd-new'. Request was from "Didier 'OdyX' Raboud" <didier@raboud.com> to control@bugs.debian.org. (Thu, 02 Dec 2010 12:30:16 GMT) Full text and rfc822 format available.

Bug No longer marked as found in versions collectd/4.4.2-3. Request was from "Didier 'OdyX' Raboud" <didier@raboud.com> to control@bugs.debian.org. (Thu, 02 Dec 2010 12:30:17 GMT) Full text and rfc822 format available.

Bug Marked as found in versions 1:1:2.6.4-2. Request was from "Didier 'OdyX' Raboud" <didier@raboud.com> to control@bugs.debian.org. (Thu, 02 Dec 2010 12:30:17 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Brian May <bam@snoopy.debian.net>:
Bug#605092; Package amavisd-new. (Thu, 02 Dec 2010 12:39:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Didier 'OdyX' Raboud" <didier@raboud.com>:
Extra info received and forwarded to list. Copy sent to Brian May <bam@snoopy.debian.net>. (Thu, 02 Dec 2010 12:39:03 GMT) Full text and rfc822 format available.

Message #29 received at 605092@bugs.debian.org (full text, mbox):

From: "Didier 'OdyX' Raboud" <didier@raboud.com>
To: 605092@bugs.debian.org
Subject: Sorry for the noise
Date: Thu, 2 Dec 2010 13:36:04 +0100
[Message part 1 (text/plain, inline)]
reassign 605092 collectd 4.4.2-3
thanks

Sorry for the typo; fixing hereby.

Cheers, OdyX
-- 
Didier Raboud, proud Debian Maintainer (DM).
CH-1020 Renens
didier@raboud.com

Bug reassigned from package 'amavisd-new' to 'collectd'. Request was from "Didier 'OdyX' Raboud" <didier@raboud.com> to control@bugs.debian.org. (Thu, 02 Dec 2010 12:39:04 GMT) Full text and rfc822 format available.

Bug No longer marked as found in versions 1:1:2.6.4-2. Request was from "Didier 'OdyX' Raboud" <didier@raboud.com> to control@bugs.debian.org. (Thu, 02 Dec 2010 12:39:05 GMT) Full text and rfc822 format available.

Bug Marked as found in versions collectd/4.4.2-3. Request was from "Didier 'OdyX' Raboud" <didier@raboud.com> to control@bugs.debian.org. (Thu, 02 Dec 2010 12:39:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Sebastian Harl <tokkee@debian.org>:
Bug#605092; Package collectd. (Wed, 08 Dec 2010 07:42:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Sebastian Harl <tokkee@debian.org>. (Wed, 08 Dec 2010 07:42:05 GMT) Full text and rfc822 format available.

Message #40 received at 605092@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 605092@bugs.debian.org
Subject: nmu patch
Date: Wed, 8 Dec 2010 18:38:15 +1100
[Message part 1 (text/plain, inline)]
Hi,

Please find attached the NMU patch I've uploaded for the DoS issue.

Cheers,
Steffen
[nmu.diff (text/x-patch, attachment)]

Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Wed, 08 Dec 2010 07:51:09 GMT) Full text and rfc822 format available.

Notification sent to Florian Forster <octo@collectd.org>:
Bug acknowledged by developer. (Wed, 08 Dec 2010 07:51:09 GMT) Full text and rfc822 format available.

Message #45 received at 605092-close@bugs.debian.org (full text, mbox):

From: Steffen Joeris <white@debian.org>
To: 605092-close@bugs.debian.org
Subject: Bug#605092: fixed in collectd 4.10.1-2.1
Date: Wed, 08 Dec 2010 07:47:15 +0000
Source: collectd
Source-Version: 4.10.1-2.1

We believe that the bug you reported is fixed in the latest version of
collectd, which is due to be installed in the Debian FTP archive:

collectd-core_4.10.1-2.1_amd64.deb
  to main/c/collectd/collectd-core_4.10.1-2.1_amd64.deb
collectd-dbg_4.10.1-2.1_amd64.deb
  to main/c/collectd/collectd-dbg_4.10.1-2.1_amd64.deb
collectd-dev_4.10.1-2.1_all.deb
  to main/c/collectd/collectd-dev_4.10.1-2.1_all.deb
collectd-utils_4.10.1-2.1_amd64.deb
  to main/c/collectd/collectd-utils_4.10.1-2.1_amd64.deb
collectd_4.10.1-2.1.diff.gz
  to main/c/collectd/collectd_4.10.1-2.1.diff.gz
collectd_4.10.1-2.1.dsc
  to main/c/collectd/collectd_4.10.1-2.1.dsc
collectd_4.10.1-2.1_amd64.deb
  to main/c/collectd/collectd_4.10.1-2.1_amd64.deb
libcollectdclient-dev_4.10.1-2.1_amd64.deb
  to main/c/collectd/libcollectdclient-dev_4.10.1-2.1_amd64.deb
libcollectdclient0_4.10.1-2.1_amd64.deb
  to main/c/collectd/libcollectdclient0_4.10.1-2.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 605092@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated collectd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 08 Dec 2010 17:45:50 +1100
Source: collectd
Binary: collectd-core collectd collectd-utils collectd-dbg collectd-dev libcollectdclient-dev libcollectdclient0
Architecture: source amd64 all
Version: 4.10.1-2.1
Distribution: unstable
Urgency: high
Maintainer: Sebastian Harl <tokkee@debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 collectd   - statistics collection and monitoring daemon
 collectd-core - statistics collection and monitoring daemon (core system)
 collectd-dbg - statistics collection and monitoring daemon (debugging symbols)
 collectd-dev - statistics collection and monitoring daemon (development files)
 collectd-utils - statistics collection and monitoring daemon (utilities)
 libcollectdclient-dev - client library for collectd's control interface (development file
 libcollectdclient0 - client library for collectd's control interface
Closes: 605092
Changes: 
 collectd (4.10.1-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix DoS in RRD file creation (Closes: #605092)
     Fixes: CVE-2010-4336
     Thanks to Florian Forster





Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Thu, 09 Dec 2010 23:36:04 GMT) Full text and rfc822 format available.

Notification sent to Florian Forster <octo@collectd.org>:
Bug acknowledged by developer. (Thu, 09 Dec 2010 23:36:04 GMT) Full text and rfc822 format available.

Message #50 received at 605092-close@bugs.debian.org (full text, mbox):

From: Steffen Joeris <white@debian.org>
To: 605092-close@bugs.debian.org
Subject: Bug#605092: fixed in collectd 4.10.1-1+squeeze2
Date: Thu, 09 Dec 2010 23:32:05 +0000
Source: collectd
Source-Version: 4.10.1-1+squeeze2

We believe that the bug you reported is fixed in the latest version of
collectd, which is due to be installed in the Debian FTP archive:

collectd-core_4.10.1-1+squeeze2_amd64.deb
  to main/c/collectd/collectd-core_4.10.1-1+squeeze2_amd64.deb
collectd-dbg_4.10.1-1+squeeze2_amd64.deb
  to main/c/collectd/collectd-dbg_4.10.1-1+squeeze2_amd64.deb
collectd-dev_4.10.1-1+squeeze2_all.deb
  to main/c/collectd/collectd-dev_4.10.1-1+squeeze2_all.deb
collectd-utils_4.10.1-1+squeeze2_amd64.deb
  to main/c/collectd/collectd-utils_4.10.1-1+squeeze2_amd64.deb
collectd_4.10.1-1+squeeze2.diff.gz
  to main/c/collectd/collectd_4.10.1-1+squeeze2.diff.gz
collectd_4.10.1-1+squeeze2.dsc
  to main/c/collectd/collectd_4.10.1-1+squeeze2.dsc
collectd_4.10.1-1+squeeze2_amd64.deb
  to main/c/collectd/collectd_4.10.1-1+squeeze2_amd64.deb
libcollectdclient-dev_4.10.1-1+squeeze2_amd64.deb
  to main/c/collectd/libcollectdclient-dev_4.10.1-1+squeeze2_amd64.deb
libcollectdclient0_4.10.1-1+squeeze2_amd64.deb
  to main/c/collectd/libcollectdclient0_4.10.1-1+squeeze2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 605092@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated collectd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 09 Dec 2010 17:46:44 +1100
Source: collectd
Binary: collectd-core collectd collectd-utils collectd-dbg collectd-dev libcollectdclient-dev libcollectdclient0
Architecture: source amd64 all
Version: 4.10.1-1+squeeze2
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Sebastian Harl <tokkee@debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 collectd   - statistics collection and monitoring daemon
 collectd-core - statistics collection and monitoring daemon (core system)
 collectd-dbg - statistics collection and monitoring daemon (debugging symbols)
 collectd-dev - statistics collection and monitoring daemon (development files)
 collectd-utils - statistics collection and monitoring daemon (utilities)
 libcollectdclient-dev - client library for collectd's control interface (development file
 libcollectdclient0 - client library for collectd's control interface
Closes: 605092
Changes: 
 collectd (4.10.1-1+squeeze2) testing-proposed-updates; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix DoS in RRD file creation (Closes: #605092)
     Fixes: CVE-2010-4336
     Thanks to Florian Forster





Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (Thu, 16 Dec 2010 01:57:04 GMT) Full text and rfc822 format available.

Notification sent to Florian Forster <octo@collectd.org>:
Bug acknowledged by developer. (Thu, 16 Dec 2010 01:57:04 GMT) Full text and rfc822 format available.

Message #55 received at 605092-close@bugs.debian.org (full text, mbox):

From: Steffen Joeris <white@debian.org>
To: 605092-close@bugs.debian.org
Subject: Bug#605092: fixed in collectd 4.4.2-3+lenny1
Date: Thu, 16 Dec 2010 01:54:56 +0000
Source: collectd
Source-Version: 4.4.2-3+lenny1

We believe that the bug you reported is fixed in the latest version of
collectd, which is due to be installed in the Debian FTP archive:

collectd-dbg_4.4.2-3+lenny1_amd64.deb
  to main/c/collectd/collectd-dbg_4.4.2-3+lenny1_amd64.deb
collectd-dev_4.4.2-3+lenny1_all.deb
  to main/c/collectd/collectd-dev_4.4.2-3+lenny1_all.deb
collectd_4.4.2-3+lenny1.diff.gz
  to main/c/collectd/collectd_4.4.2-3+lenny1.diff.gz
collectd_4.4.2-3+lenny1.dsc
  to main/c/collectd/collectd_4.4.2-3+lenny1.dsc
collectd_4.4.2-3+lenny1_amd64.deb
  to main/c/collectd/collectd_4.4.2-3+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 605092@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated collectd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 08 Dec 2010 18:03:20 +1100
Source: collectd
Binary: collectd collectd-dbg collectd-dev
Architecture: source amd64 all
Version: 4.4.2-3+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Sebastian Harl <sh@tokkee.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 collectd   - statistics collection and monitoring daemon
 collectd-dbg - statistics collection and monitoring daemon (debugging symbols)
 collectd-dev - statistics collection and monitoring daemon (development files)
Closes: 605092
Changes: 
 collectd (4.4.2-3+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix DoS in RRD file creation (Closes: #605092)
     Fixes: CVE-2010-4336
     Thanks to Florian Forster





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 13 Jan 2011 07:34:19 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 07:15:29 2014; Machine Name: beach.debian.org
