Debian Bug report logs - #612035
vulnerability: rewrite arbitrary user file


Package: feh; Maintainer for feh is Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>; Source for feh is src:feh.

Reported by: Kees Cook <kees@debian.org>

Date: Sat, 5 Feb 2011 00:57:11 UTC

Severity: grave

Tags: security

Found in versions feh/1.10-1, feh/1.3.4.dfsg.1-1

Fixed in version feh/1.12-1

Done: Andreas Tille <andreas@an3as.eu>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#612035; Package feh. (Sat, 05 Feb 2011 00:57:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kees Cook <kees@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Sat, 05 Feb 2011 00:57:14 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Kees Cook <kees@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: vulnerability: rewrite arbitrary user file
Date: Fri, 04 Feb 2011 16:54:14 -0800
Package: feh
Version: 1.10-1
Severity: grave
Tags: security
Justification: user security hole
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu natty

This bug report was also filed in Ubuntu and can be found at
http://launchpad.net/bugs/607328
The description, from segooon, follows:

Binary package hint: feh

Hi, I've just discovered that feh is vulnerable to rewriting any user file:

      tmpname_timestamper =
         estrjoin("", "/tmp/feh_", cppid, "_", basename, NULL);
....
            execlp("wget", "wget", "-N", "-O", tmpname_timestamper, newurl,
                   quiet, (char*) NULL);

If an attacker knows the PID of feh and knows the URL, they can create a link to any user file. wget would overwrite it.

Thanks.

-- System Information:
Debian Release: squeeze/sid
  APT prefers natty
  APT policy: (500, 'natty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-12-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Bug Marked as found in versions feh/1.3.4.dfsg.1-1. Request was from Jonathan Wiltshire <jmw@debian.org> to control@bugs.debian.org. (Wed, 09 Feb 2011 23:09:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#612035; Package feh. (Sun, 13 Mar 2011 06:03:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Friesel <derf@finalrewind.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Sun, 13 Mar 2011 06:03:03 GMT) Full text and rfc822 format available.

Message #12 received at 612035@bugs.debian.org (full text, mbox):

From: Daniel Friesel <derf@finalrewind.org>
To: 612035@bugs.debian.org
Subject: Fixed in 1.12
Date: Sun, 13 Mar 2011 06:52:24 +0100
[Message part 1 (text/plain, inline)]
Hi,

feh 1.12 has just been released, which fixes this bug by switching from wget
to mkstemp + libcurl.

<http://feh.finalrewind.org/changelog>
<http://feh.finalrewind.org/feh-1.12.tar.bz2>

--Daniel
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#612035; Package feh. (Fri, 15 Apr 2011 20:21:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Francesco Poli <invernomuto@paranoici.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Fri, 15 Apr 2011 20:21:07 GMT) Full text and rfc822 format available.

Message #17 received at 612035@bugs.debian.org (full text, mbox):

From: Francesco Poli <invernomuto@paranoici.org>
To: 612035@bugs.debian.org
Cc: Daniel Friesel <derf@finalrewind.org>
Subject: Re: Fixed in 1.12
Date: Fri, 15 Apr 2011 22:08:22 +0200
[Message part 1 (text/plain, inline)]
On Sun, 13 Mar 2011 06:52:24 +0100 Daniel Friesel wrote:

> Hi,
> 
> feh 1.12 has just been released, which fixes this bug by switching from wget
> to mkstemp + libcurl.
> 
> <http://feh.finalrewind.org/changelog>
> <http://feh.finalrewind.org/feh-1.12.tar.bz2>


Hi, if the security team confirms that the vulnerability is really
fixed in feh version 1.12, I think that this bug report should be
closed as fixed in feh/1.12-1 ...

Or am I wrong?

-- 
 http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
 New GnuPG key, see the transition document!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Andreas Tille <andreas@an3as.eu>:
You have taken responsibility. (Mon, 18 Apr 2011 06:39:04 GMT) Full text and rfc822 format available.

Notification sent to Kees Cook <kees@debian.org>:
Bug acknowledged by developer. (Mon, 18 Apr 2011 06:39:05 GMT) Full text and rfc822 format available.

Message #22 received at 612035-done@bugs.debian.org (full text, mbox):

From: Andreas Tille <andreas@an3as.eu>
To: 612035-done@bugs.debian.org
Cc: Francesco Poli <invernomuto@paranoici.org>
Subject: Bug#612035: Fixed in 1.12
Date: Mon, 18 Apr 2011 08:35:55 +0200
Hi,

as Francesco correctly pointed out this bug should be closed (just
forgot to mention it in the changelog).  Thanks for the hint

     Andreas.

----- Forwarded message from Francesco Poli <invernomuto@paranoici.org> -----

X-Debian-PR-Message: followup 612035
X-Debian-PR-Package: feh
X-Debian-PR-Keywords: security
X-Debian-PR-Source: feh
Date: Fri, 15 Apr 2011 22:08:22 +0200
From: Francesco Poli <invernomuto@paranoici.org>
To: 612035@bugs.debian.org
Cc: Daniel Friesel <derf@finalrewind.org>
Subject: [Pkg-phototools-devel] Bug#612035: Fixed in 1.12

On Sun, 13 Mar 2011 06:52:24 +0100 Daniel Friesel wrote:

> Hi,
> 
> feh 1.12 has just been released, which fixes this bug by switching from wget
> to mkstemp + libcurl.
> 
> <http://feh.finalrewind.org/changelog>
> <http://feh.finalrewind.org/feh-1.12.tar.bz2>


Hi, if the security team confirms that the vulnerability is really
fixed in feh version 1.12, I think that this bug report should be
closed as fixed in feh/1.12-1 ...

Or am I wrong?

----- End forwarded message -----

-- 
http://fam-tille.de




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#612035; Package feh. (Mon, 18 Apr 2011 16:42:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Francesco Poli <invernomuto@paranoici.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Mon, 18 Apr 2011 16:42:06 GMT) Full text and rfc822 format available.

Message #27 received at 612035@bugs.debian.org (full text, mbox):

From: Francesco Poli <invernomuto@paranoici.org>
To: 612035@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#612035: Fixed in 1.12
Date: Mon, 18 Apr 2011 18:38:46 +0200
[Message part 1 (text/plain, inline)]
fixed 612035 feh/1.12-1
thanks


On Mon, 18 Apr 2011 08:35:55 +0200 Andreas Tille wrote:

> Hi,
> 
> as Francesco correctly pointed out this bug should be closed (just
> forgot to mention it in the changelog).

OK, I am therefore marking version 1.12-1 as fixed.

>  Thanks for the hint

You are welcome!
Bye.

-- 
 http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
 New GnuPG key, see the transition document!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE
[Message part 2 (application/pgp-signature, inline)]

Bug Marked as fixed in versions feh/1.12-1. Request was from Francesco Poli <invernomuto@paranoici.org> to control@bugs.debian.org. (Mon, 18 Apr 2011 16:42:47 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#612035; Package feh. (Wed, 06 Jul 2011 19:24:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Wed, 06 Jul 2011 19:24:06 GMT) Full text and rfc822 format available.

Message #34 received at 612035@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 612035@bugs.debian.org
Subject: Re: Bug#612035: vulnerability: rewrite arbitrary user file
Date: Wed, 6 Jul 2011 20:21:03 +0100
[Message part 1 (text/plain, inline)]
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

lenny (5.0.9)
squeeze (6.0.2)

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help or lack time. Please keep me in CC at all times so I can
track the progress of this request.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

0: debian-release@lists.debian.org
1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc

Thanks,

with his security hat on:
-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#612035; Package feh. (Fri, 08 Jul 2011 14:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Tille <tille@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Fri, 08 Jul 2011 14:12:03 GMT) Full text and rfc822 format available.

Message #39 received at 612035@bugs.debian.org (full text, mbox):

From: Andreas Tille <tille@debian.org>
To: Jonathan Wiltshire <jmw@debian.org>, 612035@bugs.debian.org
Cc: Daniel Friesel <derf@finalrewind.org>, debian-release@lists.debian.org
Subject: Re: [Pkg-phototools-devel] Bug#612035: vulnerability: rewrite arbitrary user file
Date: Fri, 8 Jul 2011 16:08:17 +0200
[Message part 1 (text/plain, inline)]
Hi,

I attached two debdiff files which should fulfill the requirement of a
"smallest possible patch".  Here I'm quoting the upstream author for a
description of the patch (which is included in the quilt based packaging
of 1.8 in the patch description as well):

<snip>
The original fix for this was switching from wget to libcurl, which (I
presume) is not possible in this case. Because of that, I changed feh to
create a temporary directory inside /tmp for its files.

mkdir itself will fail if the directory already exists (or is a
symlink).  Thanks to the mode of 0700, if mkdir succeeds, we can be
certain that the directory is empty and completely under our control.
wget, when called by feh, will save its files inside that directory, so
there should be no way for an attacker to make wget save to symlinks.

There are no Backwards Compatibility problems: While I did change the
location of the temporary files, these are removed once feh exits
anyways.

If the user tells feh to keep its temporary files, they are saved in the
current working directory by default; that behaviour is not affected by
this patch.
</snip>

Feel free to upload this directly wherever it belongs to because I
will not be able to do this over the weekend.  Moreover I do not have
according Lenny / Squeeze chroots to build the packages in and thus
I'd prefer if somebody else could do the upload.

Kind regards

       Andreas.


On Wed, Jul 06, 2011 at 08:21:03PM +0100, Jonathan Wiltshire wrote:
> Dear maintainer,
> 
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
> 
> lenny (5.0.9)
> squeeze (6.0.2)
> 
> Please prepare a minimal-changes upload targeting each of these suites,
> and submit a debdiff to the Release Team [0] for consideration. They will
> offer additional guidance or instruct you to upload your package.
> 
> I will happily assist you at any stage if the patch is straightforward and
> you need help or lack time. Please keep me in CC at all times so I can
> track the progress of this request.
> 
> For details of this process and the rationale, please see the original
> announcement [1] and my blog post [2].
> 
> 0: debian-release@lists.debian.org
> 1: <201101232332.11736.thijs@debian.org>
> 2: http://deb.li/prsc
> 
> Thanks,
> 
> with his security hat on:
> -- 
> Jonathan Wiltshire                                      jmw@debian.org
> Debian Developer                         http://people.debian.org/~jmw
> 
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



> _______________________________________________
> Pkg-phototools-devel mailing list
> Pkg-phototools-devel@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-phototools-devel

-- 
http://fam-tille.de
[feh_1.3.4.dfsg.1-1lenny1.debdiff (text/plain, attachment)]
[feh_1.8-1squeeze1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#612035; Package feh. (Fri, 08 Jul 2011 18:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Fri, 08 Jul 2011 18:09:03 GMT) Full text and rfc822 format available.

Message #44 received at 612035@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Andreas Tille <tille@debian.org>
Cc: Jonathan Wiltshire <jmw@debian.org>, 612035@bugs.debian.org, Daniel Friesel <derf@finalrewind.org>, debian-release@lists.debian.org
Subject: Re: [Pkg-phototools-devel] Bug#612035: vulnerability: rewrite arbitrary user file
Date: Fri, 8 Jul 2011 20:06:17 +0200
On Fri, Jul  8, 2011 at 16:08:17 +0200, Andreas Tille wrote:

> @@ -275,7 +278,21 @@
>           path = "";
>     }
>     else
> -      path = "/tmp/";
> +      snprintf(cppid, sizeof(cppid), "%06ld", (long) getpid());
> +
> +	while ((path == NULL) && (i < 9999)) {
> +		snprintf(num, sizeof(num), "%06ld", i++);
> +
> +		path = estrjoin("", "/tmp/feh", "_", cppid, "_", num, "/", NULL);
> +		if (mkdir(path, 0700) == -1) {
> +			free(path);
> +			path = NULL;
> +		} else
> +		opt.tmp_path = path;
> +	}
> +	if (path == NULL)
> +		weprintf("Failed to create temporary directory:");
> +
>  
>     basename = strrchr(url, '/') + 1;
>     tmpname = feh_unique_filename(path, basename);
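
Review bot: when every mkdir attempt fails, the `if (path == NULL)` branch at the end of the hunk only calls weprintf and nothing in the hunk stops execution, so the unchanged line `tmpname = feh_unique_filename(path, basename);` is reached with path still NULL; return or abort the download there instead of falling through. The added `snprintf(cppid, ...)` line is now the only statement under the brace-less `else`, so the while loop and the NULL check run for both branches and depend on path and i having been initialised outside the visible lines; put the whole block in braces under the `else`. The loop also retries on any mkdir error rather than only EEXIST, and the /tmp/feh_<pid>_<num>/ names stay guessable, so another local user can pre-create them and force the failure path; a single mkdtemp call on a /tmp/feh_XXXXXX template removes both the counter and the guessable names.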

ick.  mkdtemp(3), please.

Cheers,
Julien




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#612035; Package feh. (Thu, 19 Jan 2012 12:54:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Thu, 19 Jan 2012 12:54:06 GMT) Full text and rfc822 format available.

Message #49 received at 612035@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 612035@bugs.debian.org
Cc: Andreas Tille <tille@debian.org>, Daniel Friesel <derf@finalrewind.org>
Subject: Ping: Bug#612035: [Pkg-phototools-devel] Bug#612035: vulnerability: rewrite arbitrary user file
Date: Thu, 19 Jan 2012 12:47:06 +0000
On Fri, Jul 08, 2011 at 08:06:17PM +0200, Julien Cristau wrote:
> On Fri, Jul  8, 2011 at 16:08:17 +0200, Andreas Tille wrote:
> 
> > @@ -275,7 +278,21 @@
> >           path = "";
> >     }
> >     else
> > -      path = "/tmp/";
> > +      snprintf(cppid, sizeof(cppid), "%06ld", (long) getpid());
> > +
> > +	while ((path == NULL) && (i < 9999)) {
> > +		snprintf(num, sizeof(num), "%06ld", i++);
> > +
> > +		path = estrjoin("", "/tmp/feh", "_", cppid, "_", num, "/", NULL);
> > +		if (mkdir(path, 0700) == -1) {
> > +			free(path);
> > +			path = NULL;
> > +		} else
> > +		opt.tmp_path = path;
> > +	}
> > +	if (path == NULL)
> > +		weprintf("Failed to create temporary directory:");
> > +
> >  
> >     basename = strrchr(url, '/') + 1;
> >     tmpname = feh_unique_filename(path, basename);
> 
> ick.  mkdtemp(3), please.
> 

Hi,

Any news on this?



-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#612035; Package feh. (Fri, 03 Feb 2012 14:36:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Daniel Friesel <derf@finalrewind.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Fri, 03 Feb 2012 14:36:07 GMT) Full text and rfc822 format available.

Message #54 received at 612035@bugs.debian.org (full text, mbox):

From: Daniel Friesel <derf@finalrewind.org>
To: 612035@bugs.debian.org
Subject: Re: Bug#612035: Ping: Bug#612035: [Pkg-phototools-devel] Bug#612035: vulnerability: rewrite arbitrary user file
Date: Fri, 3 Feb 2012 15:24:15 +0100
[Message part 1 (text/plain, inline)]
Hi,

On Thu, Jan 19, 2012 at 12:47:06PM +0000, Jonathan Wiltshire wrote:
> On Fri, Jul 08, 2011 at 08:06:17PM +0200, Julien Cristau wrote:
> > [...]
> > ick.  mkdtemp(3), please.
> Any news on this?

the attached patches (created against the unpatched 1.3.4.dfsg.1-1 / 1.8-1
packages) use mkdtemp for the fix.

I removed the --cache 0 wget argument because my system's wget does not support
it anymore, if the wget in oldstable still has it it's safe to put that back in.

--Daniel
[feh-1.3something.mkdtemp.patch (text/x-diff, attachment)]
[feh-1.8.mkdtemp.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
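
The mkdtemp(3) approach discussed in this thread, as an added example that is not part of the bug log or of the attached feh patches: it creates a private 0700 directory with an unpredictable name, derives the download file name from the URL, and creates the file with O_EXCL so an existing symlink is refused. The function names, the feh_XXXXXX template and the sample URL are assumptions made for illustration.

```c
/* Added example (not feh's code): mkdtemp(3)-based download location. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a mode-0700 directory with an unpredictable name under base.
 * Returns 0 and stores the path in out, or -1 with errno set. */
int make_private_tmpdir(const char *base, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/feh_XXXXXX", base);
    if (n < 0 || (size_t)n >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkdtemp(out) ? 0 : -1;
}

/* Build "<dir>/<last URL component>". Unlike a bare strrchr(url, '/') + 1,
 * reject URLs without '/' and names that are empty, "." or "..". */
int download_path(const char *dir, const char *url, char *out, size_t outlen)
{
    const char *slash = strrchr(url, '/');
    const char *name = slash ? slash + 1 : NULL;
    if (!name || !*name || !strcmp(name, ".") || !strcmp(name, "..")) {
        errno = EINVAL;
        return -1;
    }
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Create the output file only if nothing exists at path. With O_EXCL,
 * open(2) fails with EEXIST even when path is a symlink, so a planted
 * link is never followed. Returns a file descriptor or -1. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void)
{
    char dir[PATH_MAX], file[2 * PATH_MAX];
    /* Constructed sample URL, not taken from the bug report. */
    const char *url = "http://example.org/img/pic.png";

    if (make_private_tmpdir("/tmp", dir, sizeof dir) == -1 ||
        download_path(dir, url, file, sizeof file) == -1) {
        perror("temporary download path");
        return 1;
    }
    int fd = create_exclusive(file);
    if (fd == -1) {
        perror("open");
        return 1;
    }
    printf("downloading into %s\n", file);
    close(fd);
    unlink(file);
    rmdir(dir);
    return 0;
}
```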

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#612035; Package feh. (Sun, 08 Jul 2012 22:15:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Sun, 08 Jul 2012 22:15:07 GMT) Full text and rfc822 format available.

Message #59 received at 612035@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 612035@bugs.debian.org
Subject: Re: vulnerability: rewrite arbitrary user file
Date: Sun, 08 Jul 2012 15:24:49 -0000
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/612035/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Information forwarded to debian-bugs-dist@lists.debian.org, Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>:
Bug#612035; Package feh. (Mon, 09 Jul 2012 00:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PhotoTools Maintainers <pkg-phototools-devel@lists.alioth.debian.org>. (Mon, 09 Jul 2012 00:12:04 GMT) Full text and rfc822 format available.

Message #64 received at 612035@bugs.debian.org (full text, mbox):

From: Jonathan Wiltshire <jmw@debian.org>
To: 612035@bugs.debian.org
Subject: Re: vulnerability: rewrite arbitrary user file
Date: Sun, 08 Jul 2012 17:38:31 -0000
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/612035/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:40:13 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 14:45:51 2014; Machine Name: beach.debian.org
