[Secure-testing-team] Security update for fuse

Roger Leigh rleigh at whinlatter.ukfsn.org
Sat Jun 4 12:39:52 UTC 2005


Bartosz Fenski aka fEnIo <fenio at debian.org> writes:

Hi,

> On Sat, Jun 04, 2005 at 12:26:15PM +0100, Roger Leigh wrote:
>> >> There's a serious vulnerability in fuse; see bug #311634.
>> >> This does not yet have a CVE ref, but I found
>> >> http://secunia.com/advisories/15561/
>> >> 
>> >> I've prepared updates for both sid and sarge:
>> >> http://people.debian.org/~rleigh/fuse/sarge-security/
>> >> 
>> >> Due to the release being so close, I haven't uploaded either of these.
>> >> I'm not a security expert, so thought you might be better reviewing
>> >> them first, in case I've missed something. 
>> >
>> > FWIW, the patch is identical to the one posted to linux-kernel by
>> > Miklos Szeredi, the official fuse kernel maintainer, so it seems
>> > safe.
>> 
>> Thanks.  Just to double check, which distribution do I put in the
>> changelog, and which upload queue do I use?  aba said to use
>> sarge-security, but elsewhere I read to use testing-security, so I'd
>> just like to be 100% sure.

> I also have prepared fixed packages and I'm also not sure where to upload
> them. I wrote to the security team two days ago about it and I haven't received
> any answer yet.

From what I've read over the last couple of hours, you want

  fuse (2.2.1-5sarge1) testing-security; urgency=high

in the changelog (I checked the versions with
`dpkg --compare-versions`), and you upload to /pub/SecurityUploadQueue on
security.debian.org (dupload: --to anonymous-security).

You also need to build with dpkg-buildpackage -sa to ensure the full
source is uploaded (including .orig.tar.gz).  You need to do this in a
sarge chroot ideally, or on a sarge system.

I won't do anything further with this if you're going to take care of
it.


Thanks,
Roger

-- 
Roger Leigh
                Printing on GNU/Linux?  http://gimp-print.sourceforge.net/
                Debian GNU/Linux        http://www.debian.org/
                GPG Public Key: 0x25BFB848.  Please sign and encrypt your mail.
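
The version check mentioned in the message, as an added example that is not part of the original mail: a small re-implementation of Debian's version ordering (it does not call dpkg) applied to the changelog version `2.2.1-5sarge1`. The neighbouring versions `2.2.1-5` and `2.2.1-6`, the helper names, and the assumption that the goal is to sort above the released revision and below the next regular one are all illustrative.

```python
import re

def _order(c):
    """Sort weight of one character inside a non-digit run."""
    if c == "~":
        return -1  # tilde sorts before everything, even end of string
    return ord(c) if c.isalpha() else ord(c) + 256  # letters before symbols

def _part_key(part):
    """Turn '5sarge1' into comparable (non-digit run, number) pairs."""
    pairs = re.findall(r"(\D*)(\d*)", part)
    return [([_order(c) for c in nd] + [0], int(d or 0)) for nd, d in pairs]

def _cmp_part(a, b):
    ka, kb = _part_key(a), _part_key(b)
    n = max(len(ka), len(kb))
    ka += [([0], 0)] * (n - len(ka))  # a missing pair compares like ''
    kb += [([0], 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)

def split_version(v):
    """Return (epoch, upstream, revision) for '[epoch:]upstream[-revision]'."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 using the ordering rules from Debian Policy."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def fits_between(candidate, released, next_regular):
    """True if released < candidate < next_regular."""
    return (compare_versions(released, candidate) < 0
            < compare_versions(next_regular, candidate))

if __name__ == "__main__":
    security = "2.2.1-5sarge1"  # from the changelog line in the message
    released = "2.2.1-5"        # constructed: revision being replaced
    next_regular = "2.2.1-6"    # constructed: next regular revision
    print(fits_between(security, released, next_regular))
```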