Bug#285128: marked as done (CAN-2004-1165: FTP command injection bug)

To: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Subject: Bug#285128: marked as done (CAN-2004-1165: FTP command injection bug)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sun, 16 Jan 2005 14:18:20 -0800
Message-id: <[🔎] handler.285128.D285128.110591325230123.ackdone@bugs.debian.org>
In-reply-to: <E1CqITY-0000A4-00@newraff.debian.org>
References: <E1CqITY-0000A4-00@newraff.debian.org> <20041210195151.GA13826@kitenet.net>
Your message dated Sun, 16 Jan 2005 17:02:24 -0500
with message-id <E1CqITY-0000A4-00@newraff.debian.org>
and subject line Bug#285128: fixed in kdelibs 4:3.3.2-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 10 Dec 2004 19:50:24 +0000
>From joey@kitenet.net Fri Dec 10 11:50:24 2004
Return-path: <joey@kitenet.net>
Received: from kitenet.net [64.62.161.42] (postfix)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CcqmW-0004Fc-00; Fri, 10 Dec 2004 11:50:24 -0800
Received: from dragon.kitenet.net (unknown [66.168.94.144])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
	by kitenet.net (Postfix) with ESMTP id 73F1617E8B
	for <submit@bugs.debian.org>; Fri, 10 Dec 2004 19:50:23 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
	id B4FB76E08E; Fri, 10 Dec 2004 14:51:51 -0500 (EST)
Date: Fri, 10 Dec 2004 14:51:51 -0500
From: Joey Hess <joeyh@debian.org>
To: submit@bugs.debian.org
Subject: CAN-2004-1165: FTP command injection bug
Message-ID: <20041210195151.GA13826@kitenet.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="tKW2IUtsqtDRztdT"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 


--tKW2IUtsqtDRztdT
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: konqueror
Version: 3.3.1
Tags: security
Severity: serious

CAN-2004-1165 is about a security hole in konqueror that allows
arbitrary ftp commands to be inserted in a URL via URL-encoded newlines.
Details about this hole are here:
http://marc.theaimsgroup.com/?l=3Dbugtraq&m=3D110245752232681&w=3D2

The advisory says that it affects version >=3D 3.3.1, so perhaps our
3.2.3-1/2.3.3-1 in t-p-u/testing are not vulnerable. I've not checked.

--=20
see shy jo

--tKW2IUtsqtDRztdT
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBuf5Wd8HHehbQuO8RAjieAKDsuxo6Lz9ntdCxS0KtTOJp3hvGqwCeMCd0
E9zg0VsPJ4emLLfuKeiKibo=
=kf+Z
-----END PGP SIGNATURE-----

--tKW2IUtsqtDRztdT--

---------------------------------------
Received: (at 285128-close) by bugs.debian.org; 16 Jan 2005 22:07:32 +0000
>From katie@ftp-master.debian.org Sun Jan 16 14:07:31 2005
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CqIYV-0007pb-00; Sun, 16 Jan 2005 14:07:31 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1CqITY-0000A4-00; Sun, 16 Jan 2005 17:02:24 -0500
From: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
To: 285128-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#285128: fixed in kdelibs 4:3.3.2-1
Message-Id: <E1CqITY-0000A4-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sun, 16 Jan 2005 17:02:24 -0500
Delivered-To: 285128-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 2

Source: kdelibs
Source-Version: 4:3.3.2-1

We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:

kdelibs-bin_3.3.2-1_i386.deb
  to pool/main/k/kdelibs/kdelibs-bin_3.3.2-1_i386.deb
kdelibs-data_3.3.2-1_all.deb
  to pool/main/k/kdelibs/kdelibs-data_3.3.2-1_all.deb
kdelibs4-dev_3.3.2-1_i386.deb
  to pool/main/k/kdelibs/kdelibs4-dev_3.3.2-1_i386.deb
kdelibs4-doc_3.3.2-1_all.deb
  to pool/main/k/kdelibs/kdelibs4-doc_3.3.2-1_all.deb
kdelibs4_3.3.2-1_i386.deb
  to pool/main/k/kdelibs/kdelibs4_3.3.2-1_i386.deb
kdelibs_3.3.2-1.diff.gz
  to pool/main/k/kdelibs/kdelibs_3.3.2-1.diff.gz
kdelibs_3.3.2-1.dsc
  to pool/main/k/kdelibs/kdelibs_3.3.2-1.dsc
kdelibs_3.3.2-1_all.deb
  to pool/main/k/kdelibs/kdelibs_3.3.2-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 285128@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> (supplier of updated kdelibs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 16 Jan 2005 20:48:01 +0100
Source: kdelibs
Binary: kdelibs4 kdelibs-bin kdelibs kdelibs4-doc kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.3.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Description: 
 kdelibs    - KDE core libraries metapackage
 kdelibs-bin - KDE core binaries
 kdelibs-data - KDE core shared data
 kdelibs4   - KDE core libraries
 kdelibs4-dev - KDE core libraries (development files)
 kdelibs4-doc - KDE core library documentation
Closes: 263430 285128 286521 287097 287201 287566 288653 289164 290190 290191
Changes: 
 kdelibs (4:3.3.2-1) unstable; urgency=medium
 .
   +++ Changes by Adeodato SimÃ³:
 .
   * Uploading to unstable. This new upstream version fixes CAN-2004-1145,
     "Konqueror Java Vulnerability", and thus closes: #286521. Urgency set
     to medium for this reason (the package has been in experimental for some
     time, and has been checked to work properly with the rest of 3.3.1
     packages).
 .
   * debian/control:
     - make kdelibs-data replace kjscmd (<< 4:3.3.0), which was missed in the
       3.3.1-1 upload and completely forgotten since then. (Closes: #288653)
 .
   * debian/kdelibs-data.install: the files added in the previous upload were
     checked not to exist in oo.o-mimelnk in sid, but sadly they exist in the
     version in sarge. Reverted them for now, will be re-added when OpenOffice
     1.1.3 enters sarge (with the proper Conflicts: entry). (Closes: #287097)
 .
     List of files:
       - usr/share/mimelnk/application/vnd.sun.xml.calc.template.desktop
       - usr/share/mimelnk/application/vnd.sun.xml.draw.template.desktop
       - usr/share/mimelnk/application/vnd.sun.xml.impress.template.desktop
       - usr/share/mimelnk/application/vnd.sun.xml.writer.template.desktop
 .
   +++ Changes by Christopher Martin:
 .
   * KDE_3_3_BRANCH update. Pulls in the fix for CAN-2004-1165, the FTP command
     injection bug. (Closes: #285128, #287201)
 .
   * Add patch to change the group set by KDE CUPS configurator to Debian's
     default, lpadmin, rather than sys. (Closes: #263430)
 .
   * Add kaccel hack that works around a Konqueror crash with Russian keyboards.
     (Closes: #287566)
 .
   * Change debian/copyright file to refer to licenses, instead of copyright,
     when discussing KDE's licenses. (Closes: #290191, #290190)
 .
   * Change dependency on perl-suid to perl, and add Recommends: perl-suid.
     The lack of perl-suid should only cause problems for some users using
     NFS or SMB shares. (Closes: #289164)
Files: 
 5a5b291bbb6afb99219a8eb20d367587 1302 libs optional kdelibs_3.3.2-1.dsc
 77e5cafe54180b108026cf769f0881d4 249693 libs optional kdelibs_3.3.2-1.diff.gz
 3e52b23a11b1f2525227b7b92557c528 853130 libs optional kdelibs-bin_3.3.2-1_i386.deb
 57a32d66d0b83303f5c2df8ad4282045 8185634 libs optional kdelibs4_3.3.2-1_i386.deb
 e16a623a61e3e782d6156c862b6f9ca5 1230822 libdevel optional kdelibs4-dev_3.3.2-1_i386.deb
 7254ee7da031de021e093ee53e909f97 18232 kde optional kdelibs_3.3.2-1_all.deb
 05de696544e6470efe771d1a9e09f342 7082858 libs optional kdelibs-data_3.3.2-1_all.deb
 87121b89ce0b5c7e1aa7bc386498f735 11530760 doc optional kdelibs4-doc_3.3.2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Signed by Isaac Clerencia <isaac@warp.es>

iD8DBQFB6uEzQET2GFTmct4RAsBzAJ9vxU5BEvEIF/9roHrIGcq7C107LgCfZv02
73cZKZqziTtyQgYhlWRhZT0=
=Pz0s
-----END PGP SIGNATURE-----
Reply to:
Prev by Date: Bug#286521: marked as done (kdelibs: CAN-2004-1145: Konqueror Java Vulnerability)
Next by Date: Bug#263430: marked as done (kaddprinterwizard overwrites cups admin group)
Previous by thread: Bug#286521: marked as done (kdelibs: CAN-2004-1145: Konqueror Java Vulnerability)
Next by thread: Bug#263430: marked as done (kaddprinterwizard overwrites cups admin group)
Index(es):
- Date
- Thread