
Bug#635549: marked as done (Two security issues)



Your message dated Sun, 15 Jan 2012 20:47:15 +0000
with message-id <E1RmWyx-00065j-7t@franck.debian.org>
and subject line Bug#635549: fixed in hplip 3.10.6-2+squeeze1
has caused the Debian Bug report #635549,
regarding Two security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
635549: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635549
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: hplip
Severity: grave
Tags: security

Two security issues have been reported in hplip:

1. Shell command injection in foomatic-rip-hplip: 
https://bugzilla.novell.com/show_bug.cgi?id=698451
This is CVE-2011-2697

2. Insecure tempfile handling:
https://bugzilla.novell.com/show_bug.cgi?id=704608
https://bugs.launchpad.net/hplip/+bug/809904
This is CVE-2011-2722

This should be fixed in a DSA, could you prepare updated
packages?

Cheers,
        Moritz

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



--- End Message ---
--- Begin Message ---
Source: hplip
Source-Version: 3.10.6-2+squeeze1

We believe that the bug you reported is fixed in the latest version of
hplip, which is due to be installed in the Debian FTP archive:

hpijs-ppds_3.10.6-2+squeeze1_all.deb
  to main/h/hplip/hpijs-ppds_3.10.6-2+squeeze1_all.deb
hpijs_3.10.6-2+squeeze1_amd64.deb
  to main/h/hplip/hpijs_3.10.6-2+squeeze1_amd64.deb
hplip-cups_3.10.6-2+squeeze1_amd64.deb
  to main/h/hplip/hplip-cups_3.10.6-2+squeeze1_amd64.deb
hplip-data_3.10.6-2+squeeze1_all.deb
  to main/h/hplip/hplip-data_3.10.6-2+squeeze1_all.deb
hplip-dbg_3.10.6-2+squeeze1_amd64.deb
  to main/h/hplip/hplip-dbg_3.10.6-2+squeeze1_amd64.deb
hplip-doc_3.10.6-2+squeeze1_all.deb
  to main/h/hplip/hplip-doc_3.10.6-2+squeeze1_all.deb
hplip-gui_3.10.6-2+squeeze1_all.deb
  to main/h/hplip/hplip-gui_3.10.6-2+squeeze1_all.deb
hplip_3.10.6-2+squeeze1.diff.gz
  to main/h/hplip/hplip_3.10.6-2+squeeze1.diff.gz
hplip_3.10.6-2+squeeze1.dsc
  to main/h/hplip/hplip_3.10.6-2+squeeze1.dsc
hplip_3.10.6-2+squeeze1_amd64.deb
  to main/h/hplip/hplip_3.10.6-2+squeeze1_amd64.deb
libhpmud-dev_3.10.6-2+squeeze1_amd64.deb
  to main/h/hplip/libhpmud-dev_3.10.6-2+squeeze1_amd64.deb
libhpmud0_3.10.6-2+squeeze1_amd64.deb
  to main/h/hplip/libhpmud0_3.10.6-2+squeeze1_amd64.deb
libsane-hpaio_3.10.6-2+squeeze1_amd64.deb
  to main/h/hplip/libsane-hpaio_3.10.6-2+squeeze1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 635549@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated hplip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 27 Nov 2011 02:39:13 +1100
Source: hplip
Binary: hplip hplip-data hplip-gui hplip-dbg hplip-doc hpijs-ppds hpijs hplip-cups libhpmud0 libhpmud-dev libsane-hpaio
Architecture: source all amd64
Version: 3.10.6-2+squeeze1
Distribution: stable
Urgency: low
Maintainer: Debian HPIJS and HPLIP maintainers <pkg-hpijs-devel@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description: 
 hpijs      - HP Linux Printing and Imaging - gs IJS driver (hpijs)
 hpijs-ppds - HP Linux Printing and Imaging - HPIJS PPD files
 hplip      - HP Linux Printing and Imaging System (HPLIP)
 hplip-cups - HP Linux Printing and Imaging - CUPS Raster driver (hpcups)
 hplip-data - HP Linux Printing and Imaging - data files
 hplip-dbg  - HP Linux Printing and Imaging - debugging information
 hplip-doc  - HP Linux Printing and Imaging - documentation
 hplip-gui  - HP Linux Printing and Imaging - GUI utilities
 libhpmud-dev - HP Multi-Point Transport Driver (hpmud) development libraries
 libhpmud0  - HP Multi-Point Transport Driver (hpmud) run-time libraries
 libsane-hpaio - HP SANE backend for multi-function peripherals
Closes: 635549
Changes: 
 hplip (3.10.6-2+squeeze1) stable; urgency=low
 .
   * Fix "Insecure tempfile handling" CVE-2011-2722 by backporting from
     the removal of the culprit code by upstream.  (Closes: #635549)
     - Added CVE-2011-2722.dpatch by Didier Raboud
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk7Zd5oACgkQoCzanz0IthK7nwCbBAm+I+el8VjycMS/RCCC6mBl
GocAoIXL9CMk12CGY04E7DsgmoObcAOS
=3Vuq
-----END PGP SIGNATURE-----



--- End Message ---
