[Bug 1004503] Re: Incomplete fix for CVE-2012-0949
Launchpad Bug Tracker
1004503 at bugs.launchpad.net
Wed Jul 25 20:50:20 UTC 2012

** Branch linked: lp:ubuntu/quantal-proposed/ubuntu-release-upgrader
-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1004503
Title:
  Incomplete fix for CVE-2012-0949
Status in “update-manager” package in Ubuntu:
  Fix Released
Status in “update-manager” source package in Natty:
  Fix Released
Status in “update-manager” source package in Oneiric:
  Fix Released
Status in “update-manager” source package in Precise:
  Fix Released
Status in “update-manager” source package in Quantal:
  Fix Released
Bug description:
  The following USN fixed CVE-2012-0949:
  http://www.ubuntu.com/usn/usn-1443-1/
  "Felix Geyer discovered that the Update Manager Apport hook incorrectly
  uploaded certain system state archive files to Launchpad when reporting
  bugs. This could possibly result in repository credentials being included
  in public bug reports."
  This was originally LP #954483
  Unfortunately, the state archive files are still being uploaded. It
  seems there is code in DistUpgradeApport.py that attaches the contents
  of the /var/log/dist-upgrade directory and manually runs apport.
  apport_crash() can be simply modified to exclude the archive files,
  but fixing apport_pkgfailure() is more complicated.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1004503/+subscriptions
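The pattern the bug describes, a hook that attaches everything under /var/log/dist-upgrade and so ships system-state archives (and the repository credentials inside them) to a public bug, is easy to get wrong by filtering on file name alone. The following is an added example written for this page, not code from update-manager, DistUpgradeApport.py or apport; it shows an attach-directory routine that skips archives by both suffix and magic bytes and scrubs user:password URIs from the logs it does attach. The file names in the sample directory, the report-key convention and the credential regex are all assumptions, not taken from the package.

```python
"""Added example, not update-manager's own code: an Apport-style log
collector for a dist-upgrade log directory that refuses to attach
system-state archives and redacts repository credentials from the
plain logs it does attach. File names, key names and the regex are
assumptions for illustration only."""
import io
import os
import re
import tarfile
import tempfile

# Suffixes of archive/state files that must never land in a public bug.
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tar.xz", ".zip")
# Leading magic bytes (gzip, bzip2, xz, zip) catch a renamed archive.
ARCHIVE_MAGIC = (b"\x1f\x8b", b"BZh", b"\xfd7zXZ\x00", b"PK\x03\x04")
# Matches "scheme://user:password@" so apt URIs with embedded credentials
# are scrubbed from anything we attach (assumed pattern, not apport's).
_USERINFO_RE = re.compile(r"(\w+://)[^\s/@:]+:[^\s/@]+@")


def looks_like_archive(path):
    """True if the file is an archive by suffix, leading magic, or ustar tag."""
    if path.lower().endswith(ARCHIVE_SUFFIXES):
        return True
    with open(path, "rb") as f:
        if f.read(8).startswith(ARCHIVE_MAGIC):
            return True
        f.seek(257)                      # uncompressed tar: "ustar" at 257
        return f.read(5) == b"ustar"


def redact_credentials(text):
    """Replace user:password in URIs with a placeholder."""
    return _USERINFO_RE.sub(r"\1[REDACTED]@", text)


def find_archives(logdir):
    """Names of files in logdir that would be skipped as archives."""
    return sorted(n for n in os.listdir(logdir)
                  if os.path.isfile(os.path.join(logdir, n))
                  and looks_like_archive(os.path.join(logdir, n)))


def collect_logs(logdir, max_bytes=1 << 20):
    """Return {report_key: text} for the non-empty plain log files in logdir.

    Archives are skipped entirely; attached text is credential-redacted.
    """
    report = {}
    for name in sorted(os.listdir(logdir)):
        path = os.path.join(logdir, name)
        if not os.path.isfile(path) or os.path.getsize(path) == 0:
            continue
        if looks_like_archive(path):
            continue                      # the CVE-2012-0949 class of file
        with open(path, "rb") as f:
            data = f.read(max_bytes)
        # Build an alphanumeric report key, e.g. main.log -> DistUpgradeMainLog
        parts = [p.capitalize() for p in re.split(r"[^A-Za-z0-9]+", name) if p]
        report["DistUpgrade" + "".join(parts)] = redact_credentials(
            data.decode("utf-8", "replace"))
    return report


def make_sample_logdir():
    """Constructed look-alike of /var/log/dist-upgrade for the demo."""
    d = tempfile.mkdtemp(prefix="dist-upgrade-")
    with open(os.path.join(d, "main.log"), "w") as f:
        f.write("2012-05-23 upgrade started\n"
                "source: deb https://user:s3cret@private.example/ubuntu precise main\n")
    with open(os.path.join(d, "apt.log"), "w") as f:
        f.write("Starting pkgProblemResolver\n")
    open(os.path.join(d, "screenlog.0"), "w").close()      # empty: skipped
    state = os.path.join(d, "system_state.tar.gz")          # assumed name
    with tarfile.open(state, "w:gz") as tar:
        payload = b"deb https://user:s3cret@private.example/ubuntu precise main\n"
        info = tarfile.TarInfo("etc/apt/sources.list")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    # Same archive under an innocent name: caught by magic bytes, not suffix.
    with open(state, "rb") as src, open(os.path.join(d, "notes.txt"), "wb") as dst:
        dst.write(src.read())
    return d


if __name__ == "__main__":
    logdir = make_sample_logdir()
    print("skipped archives:", find_archives(logdir))
    for key, text in collect_logs(logdir).items():
        print(key, "->", text.strip().splitlines()[-1])
```

The magic-byte check matters because a suffix filter alone is exactly the kind of "simple" fix that leaves a renamed or suffix-less state tarball attached; redaction is a second line of defence for credentials that appear in the plain logs rather than in the archive.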