Port security patches for Polipo from Lucid to Karmic and below

Bug #533578 reported by Nicola Ferralis
Affects | Status | Importance | Assigned to | Milestone
polipo (Ubuntu) | Fix Released | Medium | Unassigned |
Karmic | Fix Released | Medium | Unassigned |

Bug Description

Binary package hint: polipo

Polipo in lucid (1.0.4-3) fixes several high profile security vulnerabilities. Such patches are not present in the version of polipo for karmic, jaunty, intrepid and hardy. They should be applied ASAP, not as backports but as full security fixes.

visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

Updated polipo packages were uploaded to jaunty, intrepid and hardy.
Only karmic still needs to be fixed.

Changed in polipo (Ubuntu Karmic):
status: New → Confirmed
importance: Undecided → Medium
Changed in polipo (Ubuntu):
status: New → Fix Released
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Nicola Ferralis (feranick) wrote :

Debdiff (between 1.0.4-1.1 in Karmic and 1.0.4-3 in Lucid) attached.

Marc Deslauriers (mdeslaur) wrote :

Thanks for submitting the debdiff. There are some issues with it that need to be fixed before it can get uploaded:

- The changelog and the release number need to be properly formatted as per https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update%20the%20packaging
- The patches need to be tagged, as per the procedure here: https://wiki.ubuntu.com/UbuntuDevelopment/PatchTaggingGuidelines

I am unsubscribing the ubuntu-security-sponsors team now. Please submit a corrected debdiff, subscribe ubuntu-security-sponsors and set the status of this bug back to "NEW".

Changed in polipo (Ubuntu Karmic):
status: Confirmed → Incomplete
assignee: nobody → Nicola Ferralis (feranick)
Nicola Ferralis (feranick) wrote :

Attached the new debdiff (polipo_1.0.4-1.1ubuntu0.1.debdiff) and the individual patches from version 1.0.4-3.

Subscribed the ubuntu-security-sponsors.

Changed in polipo (Ubuntu Karmic):
status: Incomplete → New
assignee: Nicola Ferralis (feranick) → nobody
Marc Deslauriers (mdeslaur) wrote :

ACK to the debdiff. I'm uploading the package now for building.

Changed in polipo (Ubuntu Karmic):
status: New → Confirmed
Changed in polipo (Ubuntu Karmic):
status: Confirmed → Fix Released