|Summary:||<net-firewall/fwbuilder-3.0.3: audit wrt insecure temp file usage (CVE-2008-4956)|
|Product:||Gentoo Security||Reporter:||Christian Hoffmann (RETIRED) <hoffie>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||normal||CC:||asl, dev-zero, maintainer-needed|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||228621|
Comment 1 Jeremy Olexa (darkside) (RETIRED) 2008-11-06 17:06:05 UTC
I assume I was added because I touched this package to fix a bug report submitted by a user. However, it was merely an attempt to improve QA in Gentoo ;) I don't use this package so..meh.
Comment 2 Petteri Räty (RETIRED) 2008-11-06 20:07:43 UTC
I was only nuking built_with_use usage.
Comment 3 Tiziano Müller (RETIRED) 2009-03-17 15:58:45 UTC
I just committed fwbuilder-3.0.3, which isn't affected anymore (at least, the affected script is gone in the new version, and Debian also doesn't have any special patch for this version anymore).
Comment 4 Robert Buchholz (RETIRED) 2009-03-17 17:38:39 UTC
Arches, please test and mark stable:
=net-firewall/fwbuilder-3.0.3
Target keywords : "amd64 ppc ppc64 sparc x86"
Comment 5 Brent Baude (RETIRED) 2009-03-18 21:50:45 UTC
~ppc and ~ppc64 and removed us from CC. If the intent was to go straight to stable, then re-add us.
Comment 6 Tiziano Müller (RETIRED) 2009-03-20 14:01:34 UTC
@security: I dropped all keywords when bumping from 2.1 to 3.0. Please specify whether stable keywords are wanted (I assume yes). Please also note that alpha has 2.0 stable (which is also affected) but can't keyword >=2.1 because of the implicit java dependency (due to antlr). They agreed that their keyword gets dropped completely.
Comment 7 Markus Meier 2009-04-15 19:43:33 UTC
Comment 8 Robert Buchholz (RETIRED) 2009-07-18 17:17:46 UTC
Arches, please test and mark stable:
=net-firewall/fwbuilder-3.0.3
Target keywords : "amd64 ppc ppc64 sparc x86"
Already stabled : "amd64 x86"
Missing keywords: "ppc ppc64 sparc"
Comment 9 nixnut (RETIRED) 2009-07-19 18:34:25 UTC
Comment 10 Brent Baude (RETIRED) 2009-07-26 13:49:24 UTC
Comment 11 Alex Legler (RETIRED) 2009-08-27 22:29:20 UTC
Comment 12 Tiago Cunha (RETIRED) 2009-11-29 20:05:55 UTC
sparc keyword dropped from the vulnerable version. We'll probably keyword a new one (on bug #228621) when we have a working JDK. Sorry for the delay.
Comment 13 Arnaud Launay 2010-01-21 15:10:29 UTC
I think this might be related to bug #285861; maybe it would be time to shake this ebuild a bit?
Comment 14 Tim Sammut (RETIRED) 2010-11-20 23:33:25 UTC
GLSA Vote: yes.
Comment 15 Stefan Behte (RETIRED) 2010-11-21 16:41:29 UTC
glsa with #285861
Comment 16 Andreas K. Hüttel 2011-03-30 20:54:52 UTC
Not in tree anymore
Comment 17 Joshua Kinard 2011-12-24 19:47:50 UTC
fwbuilder-3.0.3 is no longer in the tree. Closing as OBSOLETE.
Comment 18 Tim Sammut (RETIRED) 2011-12-27 05:25:12 UTC
Please do not close security bug--we need to publish a GLSA for this--thanks.
Comment 19 GLSAMaker/CVETool Bot 2012-01-23 20:37:02 UTC
This issue was resolved and addressed in GLSA 201201-11 at http://security.gentoo.org/glsa/glsa-201201-11.xml by GLSA coordinator Sean Amoss (ackle).