Your message dated Fri, 21 May 2010 17:48:14 +1000 with message-id <201005211748.16708.msp@debian.org> and subject line "Fwd: Bug#499842: CVE-2008-2940/-2941: security issues in hplip" has caused the Debian Bug report #499842, regarding CVE-2008-2940/-2941: security issues in hplip, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
499842: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499842
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: CVE-2008-2940/-2941: security issues in hplip
- From: Stefan Fritsch <sf@sfritsch.de>
- Date: Tue, 23 Sep 2008 00:11:27 +0200
- Message-id: <200809230011.27690.sf@sfritsch.de>
Package: hplip
Version: 1.6.10-3
Severity: important
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) ids were published for hplip.

CVE-2008-2940[0]:
| The alert-mailing implementation in HP Linux Imaging and Printing
| (HPLIP) 1.6.7 allows local users to gain privileges and send e-mail
| messages from the root account via vectors related to the setalerts
| message, and lack of validation of the device URI associated with an
| event message.

CVE-2008-2941[1]:
| The hpssd message parser in hpssd.py in HP Linux Imaging and
| Printing (HPLIP) 1.6.7 allows local users to cause a denial of
| service (process stop) via a crafted packet, as demonstrated by
| sending "msg=0" to TCP port 2207.

If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry.

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2940
    http://security-tracker.debian.net/tracker/CVE-2008-2940
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2941
    http://security-tracker.debian.net/tracker/CVE-2008-2941
--- End Message ---
--- Begin Message ---
- To: 499842-done@bugs.debian.org
- Subject: Fwd: Bug#499842: CVE-2008-2940/-2941: security issues in hplip
- From: Mark Purcell <msp@debian.org>
- Date: Fri, 21 May 2010 17:48:14 +1000
- Message-id: <201005211748.16708.msp@debian.org>
Package: hplip
Version: 2.8.6-1

---------- Forwarded Message ----------

Subject: Bug#499842: CVE-2008-2940/-2941: security issues in hplip
Date: Saturday 04 October 2008, 04:40:29
From: Stefan Fritsch <sf@sfritsch.de>
To: 499842@bugs.debian.org
CC: control@bugs.debian.org

fixed 499842 2.8.6-1
thanks

Both issues affect 1.6.10-3etch1 in etch. Of the three patches, this one

https://bugzilla.redhat.com/attachment.cgi?id=312880

introduces a new config file /etc/hp/alerts.conf . I am not sure if this is good for a stable security update, but it may be ok if the feature is nearly never used. Maybe the maintainer could comment?

The code in lenny (2.8.6) is quite different. AFAICS, hpssd does not open any listening socket anymore, so CVE-2008-2941 is not an issue. And the alert email code seems to be commented out, therefore CVE-2008-2940 is also a non-issue.

-------------------------------------------------------

Attachment: signature.asc
Description: This is a digitally signed message part.
--- End Message ---