
Bug#529318: marked as done (linux-2.6: CVE-2007-6514 smbfs information disclosure vulnerability)



Your message dated Sat, 15 Aug 2009 03:13:18 +0200
with message-id <20090815011318.GA14842@galadriel.inutil.org>
and subject line Re: linux-2.6: CVE-2007-6514 smbfs information disclosure vulnerability
has caused the Debian Bug report #529318,
regarding linux-2.6: CVE-2007-6514 smbfs information disclosure vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
529318: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529318
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: linux-2.6
Severity: important
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for linux-2.6.

CVE-2007-6514[0]:
| Apache HTTP Server, when running on Linux with a document root on a
| Windows share mounted using smbfs, allows remote attackers to obtain
| unprocessed content such as source files for .php programs via a
| trailing "\" (backslash), which is not handled by the intended AddType
| directive.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6514
    http://security-tracker.debian.net/tracker/CVE-2007-6514



--- End Message ---
--- Begin Message ---
Version: 2.6.17-1

On Fri, Aug 14, 2009 at 12:42:28AM -0400, Michael S. Gilbert wrote:
> On Thu, 13 Aug 2009 23:51:40 +0200 Moritz Muehlenhoff wrote:
> 
> > On Mon, May 18, 2009 at 12:06:58PM -0400, Michael S. Gilbert wrote:
> > > Package: linux-2.6
> > > Severity: important
> > > Tags: security
> > > 
> > > Hi,
> > > 
> > > The following CVE (Common Vulnerabilities & Exposures) id was
> > > published for linux-2.6.
> > > 
> > > CVE-2007-6514[0]:
> > > | Apache HTTP Server, when running on Linux with a document root on a
> > > | Windows share mounted using smbfs, allows remote attackers to obtain
> > > | unprocessed content such as source files for .php programs via a
> > > | trailing "\" (backslash), which is not handled by the intended AddType
> > > | directive.
> > > 
> > > If you fix the vulnerability please also make sure to include the
> > > CVE id in your changelog entry.
> > 
> > Have you been able to test this against recent kernels such as 2.6.30?
> 
> I have not done any tests to determine affected versions, but it
> should be fairly straightforward to do so.  See [0].

This was fixed by 3b7c8108273bed41a2fc04533cc9f2026ff38c8e, so all supported
versions of Debian are already fixed.

Cheers,
        Moritz


--- End Message ---
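
The CVE text quoted in this thread describes script source being returned when the request path ends in a backslash. As an added example (not part of the thread or of any Debian or kernel code), the following scans Apache access-log lines for successful requests of that shape. It assumes the common/combined log format and a site-specific list of script extensions; the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Apache common/combined log: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

# Extensions expected to be run by a handler, never served raw (assumption: adjust per site).
SCRIPT_EXTS = (".php", ".phtml", ".pl", ".cgi")

def trailing_backslash_script(target):
    """Return the script path if the request names a script followed by backslash(es)."""
    path = unquote(target.split("?", 1)[0])  # drop query string, decode %5C once
    # Apache writes a literal backslash as "\\" in its logs, so strip all trailing ones.
    stripped = path.rstrip("\\")
    if stripped != path and stripped.lower().endswith(SCRIPT_EXTS):
        return stripped
    return None

def scan(lines):
    """Return (client, script, status, size) for matching requests answered with 2xx."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        client, _method, target, status, size = m.groups()
        script = trailing_backslash_script(target)
        if script and status.startswith("2"):
            hits.append((client, script, int(status), size))
    return hits

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    r'192.0.2.10 - - [15/Aug/2009:03:13:18 +0200] "GET /index.php HTTP/1.1" 200 5120',
    r'198.51.100.7 - - [15/Aug/2009:03:14:02 +0200] "GET /index.php\\ HTTP/1.1" 200 812',
    r'198.51.100.7 - - [15/Aug/2009:03:14:09 +0200] "GET /admin/config.php%5C?x=1 HTTP/1.1" 200 1433',
    r'203.0.113.5 - - [15/Aug/2009:03:15:40 +0200] "GET /app.php%5c HTTP/1.1" 404 209',
    r'192.0.2.10 - - [15/Aug/2009:03:16:00 +0200] "GET /docs\\notes.txt HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A hit with a 2xx status and a response size close to the script's on-disk size is the case worth checking by hand.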
