
Bug#681524: closed by Michael Gilbert <mgilbert@debian.org> (Re: Bug#681524: security-tracker: DSA-2511-1 vs. tracker)



On Tue, Jul 17, 2012 at 02:47:49PM -0400, Michael Gilbert wrote:
> Data entered into the tracker needs to be reliable.  If you have not
> personally checked CVE references for each individual issue against
> the patches present in the tracker, then you cannot claim that the
> problem has been fixed.
> 
> Leave those issues <unfixed> until someone who is willing to do the
> appropriate research has time to review the issue.
> 
> Otherwise we're leaving issues unfixed and fooling ourselves into
> thinking they are fixed, which is just so incredibly wrong.
> 
> Best wishes,
> Mike

I got this information from the package maintainer (Stig Sandbeck Mathisen ssm@d.org):
"""
That issue is fixed in the 2.7.18-1 upload to unstable and in
2.6.2-5+squeeze6 upload to stable-security, along with CVE-2012-3864,
CVE-2012-3865, CVE-2012-3866 and CVE-2012-3867 which those uploads
mention.
"""

Which he later corrected in our email discussion:

"""
It was fixed by Puppet Labs in revision ab9150b by deprecating it in
2.7.18 (by logging a warning message), and removing it in 3.x. I was of
the impression that this made it into the squeeze security release, but
I was mistaken. Sorry. :/

Puppet labs sees it as a "low-risk" security vulnerability.
(http://puppetlabs.com/security/cve/cve-2012-3408/).

In order to be vulnerable, you have to:

 * Explicitly configure "certname=<ipaddress>" in puppet.conf. The
   default is the fully qualified domain name.

 * Allow others access to the network your agent runs on, as well as
   taking its IP address, or using man-in-the-middle techniques to
   impersonate this IP address.
"""

I could verify every issue myself, but is that really needed in cases where the package maintainer gives this information, as some issues are very time-consuming to verify? This was a human mistake and I am sorry. I hope that trying to update the security tracker and report bugs is not incredibly wrong. I asked on #debian-security how to go forward with this case, as the DSA did not contain CVE-2012-3408, and I was following those instructions.

- Henri Salo
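The maintainer's reply above states that the only vulnerable configurations are those where `certname` in puppet.conf is explicitly set to an IP address (the default is the fully qualified domain name). The following is an added example, not part of this mail thread or of the Puppet project, showing how an operator could audit a puppet.conf for that precondition. The puppet.conf content, the section names used and the function names are constructed for the example; real deployments should point the check at their own configuration file.

```python
"""
Defensive check: flag any puppet.conf section whose ``certname`` value is an
IP literal rather than a hostname, which is the precondition described for
CVE-2012-3408 in the maintainer's message.

Added example; it is not code from the mail thread or from Puppet.
SAMPLE_PUPPET_CONF below is constructed for demonstration only.
"""
import configparser
import ipaddress
import sys
from typing import List, Tuple

# Constructed sample: one vulnerable [main] entry (IPv4), one safe [agent]
# entry using an FQDN, and one vulnerable [master] entry (IPv6).
SAMPLE_PUPPET_CONF = """\
[main]
logdir = /var/log/puppet
vardir = /var/lib/puppet
certname = 10.0.0.23

[agent]
server = puppet.example.org
certname = agent01.example.org

[master]
certname = 2001:db8::1
"""


def is_ip_literal(value: str) -> bool:
    """Return True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def find_ip_certnames(conf_text: str) -> List[Tuple[str, str]]:
    """
    Parse INI-style puppet.conf text and return (section, certname) pairs
    for every section whose certname is an IP literal.

    interpolation=None keeps configparser from treating '%' specially;
    strict=False tolerates duplicate keys, which puppet.conf permits.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings: List[Tuple[str, str]] = []
    for section in parser.sections():
        if parser.has_option(section, "certname"):
            value = parser.get(section, "certname")
            if is_ip_literal(value):
                findings.append((section, value.strip()))
    return findings


def audit_file(path: str) -> List[Tuple[str, str]]:
    """Read a puppet.conf from disk and run the same check on it."""
    with open(path, encoding="utf-8") as fh:
        return find_ip_certnames(fh.read())


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the sample.
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else find_ip_certnames(SAMPLE_PUPPET_CONF)
    if results:
        for section, certname in results:
            print(f"[{section}] certname={certname} is an IP address; use the FQDN instead")
    else:
        print("no certname set to an IP address found")
```

Run it with no arguments to see the sample findings, or pass the path to a real puppet.conf. A non-empty result means the host matches the first of the two conditions in the maintainer's list; the fix is simply to let `certname` default to the FQDN or set it to a hostname.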
