Your message dated Thu, 30 Oct 2014 12:02:08 +0000
with message-id <20141030120208.GA30538@lupin.home.powdarrmonkey.net>
and subject line Re: Bug#767275: unblock: wget/1.16-1
has caused the Debian Bug report #767275,
regarding unblock: wget/1.16-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
767275: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767275
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: wget/1.16-1
- From: Neil McGovern <neilm@debian.org>
- Date: Wed, 29 Oct 2014 18:54:57 +0000
- Message-id: <20141029185457.GA24114@halon.org.uk>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear lovely release team,

TL;DR:
# CVE-2014-4887
unblock wget/1.16-1
age-days 2 wget/1.16-1

wget 1.16 in unstable currently fixes CVE-2014-4887:
Absolute path traversal vulnerability in GNU Wget before 1.16, when
recursion is enabled, allows remote FTP servers to write to arbitrary
files, and consequently execute arbitrary code, via a LIST response that
references the same filename within two entries, one of which indicates
that the filename is for a symlink.

This is a rather nasty security bug, so should probably get into testing
a) before the freeze (which it won't do at the moment) and b) before it
gets tangled in the nettle transition (which hopefully won't happen, but
you know what happens sometimes with transitions...)

Thanks!
Neil

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (650, 'testing'), (500, 'testing-updates'), (500, 'testing-proposed-updates'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Attachment: signature.asc
Description: Digital signature
--- End Message ---
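The LIST pattern Neil's CVE text describes can be screened before a mirroring client acts on the listing. Added example, not part of this bug report or of wget's own code: a Python check over a Unix-style FTP LIST response that flags any name listed twice where one entry is a symlink, and any symlink whose target would resolve outside an assumed mirror root (the root `/srv/mirror` and the listing are constructed).

```python
import os
import re
from collections import defaultdict
from typing import Dict, List, Tuple
# Unix-style LIST line: type+mode, links, owner, group, size, month, day, year/time, name.
# Symlink entries carry "name -> target" in the final field.
_LIST_RE = re.compile(
    r"^([-dl])[rwxsStT-]{9}\s+\S+\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$"
)

def parse_list(listing: str) -> List[Tuple[str, str, str]]:
    """Return (kind, name, target) per entry; kind is '-', 'd' or 'l'."""
    entries = []
    for line in listing.splitlines():
        m = _LIST_RE.match(line.strip())
        if not m:
            continue  # skip "total N" and lines in other formats
        kind, rest = m.group(1), m.group(2)
        name, target = rest, ""
        if kind == "l" and " -> " in rest:
            name, target = rest.split(" -> ", 1)
        entries.append((kind, name, target))
    return entries

def unsafe_names(listing: str, mirror_root: str) -> Dict[str, str]:
    """Map each name that must not become a local symlink to the reason."""
    by_name = defaultdict(list)
    for kind, name, target in parse_list(listing):
        by_name[name].append((kind, target))
    root = os.path.normpath(os.path.abspath(mirror_root))
    flagged = {}
    for name, ents in by_name.items():
        if len(ents) > 1 and any(k == "l" for k, _ in ents):
            # CVE-2014-4887 pattern: same name twice, one entry a symlink
            flagged[name] = "duplicate entry, one is a symlink"
            continue
        for kind, target in ents:
            resolved = os.path.normpath(os.path.join(root, target))
            if kind == "l" and not resolved.startswith(root + os.sep):
                flagged[name] = "symlink target escapes mirror root"
    return flagged

# Constructed LIST response (not captured from a real server) exercising both checks.
SAMPLE_LISTING = """\
total 3
lrwxrwxrwx 1 ftp ftp   15 Oct 29  2014 incoming -> /somewhere/else
drwxr-xr-x 2 ftp ftp 4096 Oct 29  2014 incoming
lrwxrwxrwx 1 ftp ftp    9 Oct 29  2014 up -> ../../etc
-rw-r--r-- 1 ftp ftp   12 Oct 29  2014 README
"""
```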
--- Begin Message ---
- To: Neil McGovern <neilm@debian.org>, 767275-done@bugs.debian.org
- Subject: Re: Bug#767275: unblock: wget/1.16-1
- From: Jonathan Wiltshire <jmw@debian.org>
- Date: Thu, 30 Oct 2014 12:02:08 +0000
- Message-id: <20141030120208.GA30538@lupin.home.powdarrmonkey.net>
- In-reply-to: <20141029185457.GA24114@halon.org.uk>
- References: <20141029185457.GA24114@halon.org.uk>
On Wed, Oct 29, 2014 at 06:54:57PM +0000, Neil McGovern wrote:
> TL;DR:
> # CVE-2014-4887
> unblock wget/1.16-1
> age-days 2 wget/1.16-1
>
> wget 1.16 in unstable currently fixes CVE-2014-4887:
> Absolute path traversal vulnerability in GNU Wget before 1.16, when
> recursion is enabled, allows remote FTP servers to write to arbitrary
> files, and consequently execute arbitrary code, via a LIST response that
> references the same filename within two entries, one of which indicates
> that the filename is for a symlink.

Thanks for the heads up. It's a new upstream with quite some other
changes, so I've compromised at 5 days.

--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

Attachment: signature.asc
Description: Digital signature
--- End Message ---