SQL injections in DTC

Bug #729700 reported by Thomas Goirand
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
dtc (Ubuntu) | Fix Released | Medium | Unassigned
(Nominated for Hardy by Steve Beattie)
Karmic | Fix Released | Medium | Steve Beattie
Lucid | Fix Released | Medium | Steve Beattie
Maverick | Fix Released | Medium | Steve Beattie
Natty | Fix Released | Medium | Unassigned

Bug Description

Binary package hint: dtc-common

Hi,

It seems that Ubuntu people didn't manage the security issues in DTC. Please see the Debian advisory:
http://www.debian.org/security/2011/dsa-2179

And the announcement that I made through our list:
http://gplhost.sg/lists/dtcannounce/msg00025.html

Please take these into account, and have the packages fixed. If you need, I can prepare patches, but I would at least need someone to get in touch.

Thomas Goirand (main author, and <email address hidden> DD)

Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in dtc (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

[Updating] dtc (0.32.5-1 [Ubuntu] < 0.32.10-1 [Debian])
 * Trying to add dtc...
2011-03-11 16:55:06 INFO - <dtc_0.32.10.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
2011-03-11 16:55:10 INFO - <dtc_0.32.10-1.diff.gz: downloading from http://ftp.debian.org/debian/>
2011-03-11 16:55:11 INFO - <dtc_0.32.10-1.dsc: downloading from http://ftp.debian.org/debian/>
I: dtc [universe] -> dtc-common_0.32.5-1 [universe].
I: dtc [universe] -> dtc-dos-firewall_0.32.5-1 [universe].
I: dtc [universe] -> dtc-postfix-dovecot_0.32.5-1 [universe].
I: dtc [universe] -> dtc-core_0.32.5-1 [universe].
I: dtc [universe] -> dtc-cyrus_0.32.5-1 [universe].
I: dtc [universe] -> dtc-postfix-courier_0.32.5-1 [universe].
I: dtc [universe] -> dtc-stats-daemon_0.32.5-1 [universe].
I: dtc [universe] -> dtc-toaster_0.32.5-1 [universe].
I: dtc [universe] -> dtc-autodeploy_0.32.5-1 [universe].

Changed in dtc (Ubuntu Lucid):
status: New → Confirmed
Changed in dtc (Ubuntu Maverick):
status: New → Confirmed
Changed in dtc (Ubuntu Karmic):
importance: Undecided → Medium
Changed in dtc (Ubuntu Lucid):
importance: Undecided → Medium
Changed in dtc (Ubuntu Karmic):
status: New → Confirmed
Changed in dtc (Ubuntu Maverick):
importance: Undecided → Medium
Changed in dtc (Ubuntu Natty):
status: Confirmed → Fix Released
Thomas Goirand (thomas-goirand) wrote :
Steve Beattie (sbeattie) wrote :

Thomas, thanks, I'll review and push these out.

Changed in dtc (Ubuntu Karmic):
assignee: nobody → Steve Beattie (sbeattie)
Changed in dtc (Ubuntu Lucid):
assignee: nobody → Steve Beattie (sbeattie)
Changed in dtc (Ubuntu Maverick):
assignee: nobody → Steve Beattie (sbeattie)
Changed in dtc (Ubuntu Karmic):
status: Confirmed → In Progress
Changed in dtc (Ubuntu Lucid):
status: Confirmed → Triaged
status: Triaged → In Progress
Changed in dtc (Ubuntu Maverick):
status: Confirmed → In Progress
Steve Beattie (sbeattie) wrote :

Karmic was fixed with the 0.29.17-1+lenny1build0.9.10.1 security-fake-sync.

Changed in dtc (Ubuntu Karmic):
status: In Progress → Fix Released
Steve Beattie (sbeattie) wrote :

Thomas, I went ahead and tweaked the format of the changelog and adjusted the maverick and lucid versions (as well as the release distro) to be more consistent with our style for security updates, and have pushed them to the respective security pockets.

Thanks!

Steve Beattie (sbeattie) wrote :

Bah, forgot to add the launchpad bug number to the changelog; manually closing the tasks.

Changed in dtc (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in dtc (Ubuntu Maverick):
status: In Progress → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
