Debian Bug report logs - #626842
pu: package kde4libs/4:4.4.5-2+squeeze2


Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Modestas Vainius <modax@debian.org>

Date: Sun, 15 May 2011 20:15:01 UTC

Severity: normal

Tags: confirmed, squeeze

Fixed in version 6.0.2

Done: Adam D. Barratt <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, debian-qt-kde@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#626842; Package release.debian.org. (Sun, 15 May 2011 20:15:04 GMT)

Acknowledgement sent to Modestas Vainius <modax@debian.org>:
New Bug report received and forwarded. Copy sent to debian-qt-kde@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>. (Sun, 15 May 2011 20:15:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Modestas Vainius <modax@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package kde4libs/4:4.4.5-2+squeeze2
Date: Sun, 15 May 2011 23:12:51 +0300
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

[ Disclaimer: I've already asked security team about this upload and they told
me to do it via s-p-u ]

The upload would fix 3 CVEs and bug #612675. Change-by-change details are below
while full diff is attached.

* Fix CVE-2011-1168 (Konqueror partially universal XSS in error pages) by
  cve_2011_1168_konqueror_xss.diff.

  http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commit;h=20deb674

* Fix CVE-2010-3170 (browser wildcard certificate validation weakness) for
  Konqueror by cve_2010_3170_cn_wildcards.diff.

  http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commit;h=ae934a0a

* Fix CVE-2011-1094 (kdelibs does not properly verify that the server hostname
  matches the Common Name of the Subject of an X.509 certificate if that CN is
  an IP address) by cve_2011_1094_ssl_verify_hostname.diff.

  http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commit;h=2bfb1e47

  [ kde4libs non-security changes ]

* KTar: use unsigned arithmetic when calculating checksum of tar header record
  (as per ustar specification). However, when reading archive, verify
  checksum by calculating it both ways (unsigned and signed) and accept if
  either matches (partially solves #612675). Implemented in
  ktar_header_checksum_fix.diff patch.

  http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commit;h=af9374ec

* Fix KTar longlink support when filenames are encoded in the UTF-8 (or other
  multibyte) locale. Implemented in ktar_longlink_length_in_bytes.diff patch
  (thanks to Ibragimov Rinat). Closes: #612675

  http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commit;h=66efdda4

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (110, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=lt_LT.UTF-8, LC_CTYPE=lt_LT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[kde4libs_4.4.5-2+squeeze2.diff (text/x-diff, attachment)]
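
The KTar checksum change described in the message above (write the unsigned sum that ustar specifies, but when reading accept a header whose stored checksum matches either the unsigned or the signed sum) can be sketched as follows. This is an added example, not part of the original message and not the code from ktar_header_checksum_fix.diff; all function names and the sample header are hypothetical and constructed for illustration.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>

// POSIX ustar header: 512-byte record, chksum field is 8 bytes at offset 148.
constexpr std::size_t kBlock = 512, kChkOff = 148, kChkLen = 8;
struct Sums { unsigned long asUnsigned; long asSigned; };

// Sum every header byte, counting the chksum field itself as eight spaces.
Sums headerSums(const unsigned char *h) {
    Sums s{0, 0};
    for (std::size_t i = 0; i < kBlock; ++i) {
        unsigned char b = (i >= kChkOff && i < kChkOff + kChkLen) ? ' ' : h[i];
        s.asUnsigned += b;                          // what ustar specifies
        s.asSigned += static_cast<signed char>(b);  // what signed-char writers produced
    }
    return s;
}

// Store a checksum as six octal digits, NUL, space.
void storeChecksum(unsigned char *h, unsigned long value) {
    char buf[kChkLen];
    std::snprintf(buf, sizeof buf, "%06lo", value);
    buf[kChkLen - 1] = ' ';
    std::memcpy(h + kChkOff, buf, kChkLen);
}

// Reader: accept the header if the stored value matches either interpretation.
bool checksumOk(const unsigned char *h) {
    char field[kChkLen + 1] = {0};
    std::memcpy(field, h + kChkOff, kChkLen);
    char *end = nullptr;
    long stored = std::strtol(field, &end, 8);
    if (end == field) return false;  // no octal digits at all
    Sums s = headerSums(h);
    return stored == static_cast<long>(s.asUnsigned) || stored == s.asSigned;
}

// Constructed sample: empty header whose name starts with UTF-8 "ž" (0xC5 0xBE).
void sampleHeader(unsigned char *h) {
    std::memset(h, 0, kBlock);
    std::memcpy(h, "\xC5\xBE.txt", 6);
}

int main() {
    unsigned char h[kBlock];
    sampleHeader(h);
    storeChecksum(h, headerSums(h).asUnsigned);  // writer side: always unsigned
    return checksumOk(h) ? 0 : 1;
}
```

The two sums differ only when the header contains bytes above 0x7F, which is why the mismatch shows up with non-ASCII file names.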

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#626842; Package release.debian.org. (Sun, 12 Jun 2011 15:57:08 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 12 Jun 2011 15:57:08 GMT)

Message #10 received at 626842@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Modestas Vainius <modax@debian.org>, 626842@bugs.debian.org
Subject: Re: Bug#626842: pu: package kde4libs/4:4.4.5-2+squeeze2
Date: Sun, 12 Jun 2011 16:54:12 +0100
tag 626842 + squeeze confirmed
thanks

On Sun, 2011-05-15 at 23:12 +0300, Modestas Vainius wrote:
> The upload would fix 3 CVEs and bug #612675. Change-by-change details are below
> while full diff is attached.

Please go ahead; sorry for the delay.

Regards,

Adam

Added tag(s) squeeze and confirmed. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sun, 12 Jun 2011 15:57:11 GMT)

Added tag(s) pending. Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Tue, 14 Jun 2011 19:48:07 GMT)

Bug marked as fixed in version 6.0.2, send any further explanations to Modestas Vainius <modax@debian.org>. Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sun, 26 Jun 2011 15:03:23 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jul 2011 07:37:15 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 01:29:49 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.