Your message dated Tue, 27 Aug 2013 23:08:47 -0300
with message-id <39365918.NiRqrLUnAe@luna>
and subject line Re: Bug#707776: Why is 4.10.5 marked as vulnerable, fix was in 4.10.4?
has caused the Debian Bug report #707776,
regarding kde4libs: CVE-2013-2074: prints passwords contained in HTTP URLs in error messages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
707776: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707776
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: kde4libs: CVE-2013-2074: prints passwords contained in HTTP URLs in error messages
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sat, 11 May 2013 10:30:54 +0200
- Message-id: <20130511083054.13490.32662.reportbug@elende.valinor.li>
Package: kde4libs
Version: 4:4.8.4-4
Severity: important
Tags: security patch
Control: forwarded -1 https://bugs.kde.org/show_bug.cgi?id=319428

Hi,

the following vulnerability was published for kde4libs.

CVE-2013-2074[0]:
prints passwords contained in HTTP URLs in error messages

Upstream Bugreport is [1] containing a patch [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2074
    http://security-tracker.debian.org/tracker/CVE-2013-2074
[1] https://bugs.kde.org/show_bug.cgi?id=319428
[2] https://projects.kde.org/projects/kde/kdelibs/repository/revisions/65d736dab592bced4410ccfa4699de89f78c96ca/diff/kioslave/http/http.cpp

Please adjust the affected versions in the BTS as needed, the version
in wheezy, testing and unstable looks affected. (oldstable and
experimental are not checked).

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
- To: Andrew Goodbody <ajg02@elfringham.co.uk>, 707776-done@bugs.debian.org
- Subject: Re: Bug#707776: Why is 4.10.5 marked as vulnerable, fix was in 4.10.4?
- From: "Lisandro Damián Nicanor Pérez Meyer" <perezmeyer@gmail.com>
- Date: Tue, 27 Aug 2013 23:08:47 -0300
- Message-id: <39365918.NiRqrLUnAe@luna>
- In-reply-to: <521A7BBB.9050202@elfringham.co.uk>
- References: <521A7BBB.9050202@elfringham.co.uk>
Version: 4:4.10.5-1

On Sunday 25 August 2013 22:48:43 Andrew Goodbody wrote:
> The upstream fixes mentioned in [1] appear to have gone into 4.10.4.
> Looking at the Debian source [2] for the package in Sid, ie 4.10.5 shows
> the fixes included.
>
> So why does CVE-2013-2074 [3] show sid as vulnerable?

Simply because no one properly closed this bug, which I'm doing now. We have
lots of bugs and very few people for triaging them.

Thanks a lot for pointing this out. If you find more stuff like this, please do
not hesitate in communicating with us as in this case.

Regards, Lisandro.

--
"If I have been able to see farther, it was only because I stood
on the shoulders of giants"
 Sir Isaac Newton

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/

Attachment: signature.asc
Description: This is a digitally signed message part.
--- End Message ---