Please sync ziproxy 3.1.3-1 (universe) from Debian unstable

Bug #657024 reported by David Sugar
Affects             Status        Importance  Assigned to   Milestone
ziproxy (Debian)    Fix Released  Unknown
ziproxy (Ubuntu)    Fix Released  Undecided   Loïc Minier
  Lucid             Won't Fix     Undecided   Unassigned
  Maverick          Won't Fix     Undecided   Unassigned

Bug Description

Binary package hint: ziproxy

As per Debian #584933 and CVE-2010-1513 there is a remote network exploit allowing arbitrary code to be executed. This has been fixed in 3.0.1, though Debian presently packages 3.1.3-1. We package 2.7.2, which is vulnerable and carries a couple of ARM-specific patches. I have verified the new package from sid at least minimally builds on Maverick unmodified for x86. I will review the patch we have made to see if it is still valid and needed for armel (originally LP: #539874), but it is a very simple one and should be easy to include if needed.

visibility: private → public
Revision history for this message
David Sugar (dyfet-deactivatedaccount) wrote :

3.1.3 builds fine from sid on Maverick unmodified, including on armel. Since this is a security vulnerability with a remote network exploit, I think it should be targeted as an SRU.

summary: - please sync/merge 3.1.3-1 from debian (unstable) to Maverick (universe)
- - security vulnerability
+ please sync 3.1.3-1 from debian (unstable) to replace 2.7.2-1ubuntu2 in
+ Maverick (universe) - security vulnerability
Revision history for this message
David Sugar (dyfet-deactivatedaccount) wrote : Re: please sync 3.1.3-1 from debian (unstable) to replace 2.7.2-1ubuntu2 in Maverick (universe) - security vulnerability

The change required for addressing this security issue might be isolated to a change between 3.0.0 and 3.0.1. I am going to see if that change can be backported to our 2.7.2 and if it does fully address the security issue. My initial impression from reading the upstream changelog is that perhaps other changes in other upstream releases were also relevant.

Changed in ziproxy (Ubuntu):
assignee: nobody → David Sugar (dyfet)
Changed in ziproxy (Debian):
status: Unknown → Fix Released
Revision history for this message
Loïc Minier (lool) wrote :

I don't know whether this security issue affects older releases than lucid, but it certainly affects lucid.

Changed in ziproxy (Ubuntu):
assignee: David Sugar (dyfet) → Loïc Minier (lool)
Revision history for this message
Loïc Minier (lool) wrote :

I reviewed the Ubuntu diff; Debian patched out the Nameservers support, so our fix for the build affecting this code isn't needed anymore. I wrote to upstream author Daniel Mealha Cabrita to tell him about the Ubuntu fix though.

Ack for the sync to natty.

summary: - please sync 3.1.3-1 from debian (unstable) to replace 2.7.2-1ubuntu2 in
- Maverick (universe) - security vulnerability
+ Please sync ziproxy 3.1.3-1 (universe) from Debian unstable
Changed in ziproxy (Ubuntu):
status: New → Fix Committed
Changed in ziproxy (Ubuntu Lucid):
status: New → Confirmed
Changed in ziproxy (Ubuntu Maverick):
status: New → Confirmed
Revision history for this message
Colin Watson (cjwatson) wrote :

[Updating] ziproxy (2.7.2-1.1ubuntu2 [Ubuntu] < 3.1.3-1 [Debian])
 * Trying to add ziproxy...
2010-10-22 15:36:26 INFO - <ziproxy_3.1.3-1.dsc: downloading from http://ftp.debian.org/debian/>
2010-10-22 15:36:26 INFO - <ziproxy_3.1.3-1.debian.tar.gz: downloading from http://ftp.debian.org/debian/>
2010-10-22 15:36:27 INFO - <ziproxy_3.1.3.orig.tar.bz2: downloading from http://ftp.debian.org/debian/>
I: ziproxy [universe] -> ziproxy_2.7.2-1.1ubuntu2 [universe].

Changed in ziproxy (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Colin Watson (cjwatson) wrote :

2010-10-22 15:36:54 INFO - <ziproxy_3.1.3-1.dsc: cached>
2010-10-22 15:36:54 INFO - <ziproxy_3.1.3-1.debian.tar.gz: cached>
2010-10-22 15:36:54 INFO - <ziproxy_3.1.3.orig.tar.bz2: cached>
[Updating] ziproxy (2.7.2-1.1ubuntu2 [Ubuntu] < 3.1.3-1 [Debian])
 * Trying to add ziproxy...
I: ziproxy [universe] -> ziproxy_2.7.2-1.1ubuntu2 [universe].

Revision history for this message
Colin Watson (cjwatson) wrote :

The security updates for stable releases would need to be done by somebody other than the archive administration team, so I'm unsubscribing ubuntu-archive. Feel free to resubscribe us if there's an action for us to take that falls within our remit.

Revision history for this message
Loïc Minier (lool) wrote :

Oh yes, thanks; the intent was to track that this had to be done, not for the archive team to do anything here -- I guess the team just remained subscribed after the sync to the development release.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL (End of Life) and is no longer supported. As a result, this bug against maverick is being marked "Won't Fix". Please see https://wiki.ubuntu.com/Releases for currently supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in ziproxy (Ubuntu Maverick):
status: Confirmed → Won't Fix
Revision history for this message
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in ziproxy (Ubuntu Lucid):
status: Confirmed → Won't Fix