
Debian Bug report logs - #559836
CVE-2009-3736 local privilege escalation


Package: openmpi; Maintainer for openmpi is Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>;

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Mon, 7 Dec 2009 05:09:09 UTC

Severity: grave

Tags: confirmed, patch, security

Fixed in version openmpi/1.3.3-4

Done: Manuel Prinz <manuel@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>:
Bug#559836; Package openmpi. (Mon, 07 Dec 2009 05:09:12 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>. (Mon, 07 Dec 2009 05:09:12 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: CVE-2009-3736 local privilege escalation
Date: Mon, 7 Dec 2009 00:06:27 -0500
Package: openmpi
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for libtool.  I have determined that this package embeds a
vulnerable copy of the libtool source code.  However, since this is a
mass bug filing (due to so many packages embedding libtool), I have not
had time to determine whether the vulnerable code is actually present
in any of the binary packages. Please determine whether this is the
case. If the binary packages are not affected, please feel free to close
the bug with a message containing the details of what you did to check.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package
is affected, please coordinate with the security team to release the
DSA for the affected packages.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>:
Bug#559836; Package openmpi. (Mon, 07 Dec 2009 08:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Sylvestre Ledru <sylvestre@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>. (Mon, 07 Dec 2009 08:42:03 GMT) (full text, mbox, link).


Message #10 received at 559836@bugs.debian.org (full text, mbox, reply):

From: Sylvestre Ledru <sylvestre@debian.org>
To: 559836@bugs.debian.org, Manuel Prinz <debian@pinguinkiste.de>
Subject: Re: Bug#559836: CVE-2009-3736 local privilege escalation
Date: Mon, 07 Dec 2009 09:30:40 +0100
Manuel, are you going to handle this issue or do you want me to do it ?

Thanks
Sylvestre

On Monday 07 December 2009 at 00:06 -0500, Michael Gilbert wrote:
> Package: openmpi
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following CVE (Common Vulnerabilities & Exposures) id was
> published for libtool.  I have determined that this package embeds a
> vulnerable copy of the libtool source code.  However, since this is a
> mass bug filing (due to so many packages embedding libtool), I have not
> had time to determine whether the vulnerable code is actually present
> in any of the binary packages. Please determine whether this is the
> case. If the binary packages are not affected, please feel free to close
> the bug with a message containing the details of what you did to check.
> 
> CVE-2009-3736[0]:
> | ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
> | attempts to open a .la file in the current working directory, which
> | allows local users to gain privileges via a Trojan horse file.
> 
> Note that this problem also affects etch and lenny, so if your package
> is affected, please coordinate with the security team to release the
> DSA for the affected packages.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
>     http://security-tracker.debian.org/tracker/CVE-2009-3736

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>:
Bug#559836; Package openmpi. (Mon, 07 Dec 2009 12:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Sylvestre Ledru <sylvestre@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>. (Mon, 07 Dec 2009 12:33:05 GMT) (full text, mbox, link).


Message #15 received at 559836@bugs.debian.org (full text, mbox, reply):

From: Sylvestre Ledru <sylvestre@debian.org>
To: Manuel Prinz <manuel@debian.org>
Cc: 559836@bugs.debian.org
Subject: Re: Bug#559836: CVE-2009-3736 local privilege escalation
Date: Mon, 07 Dec 2009 13:32:19 +0100
On Monday 07 December 2009 at 13:30 +0100, Manuel Prinz wrote:
> On Monday, 07.12.2009, 09:30 +0100, Sylvestre Ledru wrote:
> > Manuel, are you going to handle this issue or do you want me to do it ?
> 
> I can take care of that. I've forwarded this upstream already. The best
> option would be having a fixed libtool available, or trying to use the
> backported patch in the CVE. Information on fixing this is quite sparse,
> unfortunately.
> 
> I hope that there will be some more information in the thread on d-d. I
> can take care of it this evening. If you want to go faster, feel free to
> do so. You don't need to ask for permission. We're a team, aren't we? ;)
Indeed but sometimes, you have upcoming modifications :)

Sylvestre

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>:
Bug#559836; Package openmpi. (Mon, 07 Dec 2009 12:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Manuel Prinz <manuel@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>. (Mon, 07 Dec 2009 12:39:03 GMT) (full text, mbox, link).


Message #20 received at 559836@bugs.debian.org (full text, mbox, reply):

From: Manuel Prinz <manuel@debian.org>
To: Sylvestre Ledru <sylvestre@debian.org>
Cc: 559836@bugs.debian.org
Subject: Re: Bug#559836: CVE-2009-3736 local privilege escalation
Date: Mon, 07 Dec 2009 13:30:10 +0100
On Monday, 07.12.2009, 09:30 +0100, Sylvestre Ledru wrote:
> Manuel, are you going to handle this issue or do you want me to do it ?

I can take care of that. I've forwarded this upstream already. The best
option would be having a fixed libtool available, or trying to use the
backported patch in the CVE. Information on fixing this is quite sparse,
unfortunately.

I hope that there will be some more information in the thread on d-d. I
can take care of it this evening. If you want to go faster, feel free to
do so. You don't need to ask for permission. We're a team, aren't we? ;)

Best regards
Manuel

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>:
Bug#559836; Package openmpi. (Mon, 07 Dec 2009 23:51:21 GMT) (full text, mbox, link).


Acknowledgement sent to Manuel Prinz <manuel@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>. (Mon, 07 Dec 2009 23:51:21 GMT) (full text, mbox, link).


Message #25 received at 559836@bugs.debian.org (full text, mbox, reply):

From: Manuel Prinz <manuel@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 559836@bugs.debian.org
Subject: Re: [Pkg-openmpi-maintainers] Bug#559836: CVE-2009-3736 local privilege escalation
Date: Tue, 08 Dec 2009 00:50:50 +0100
Hi Michael!

On Monday, 07.12.2009, 00:06 -0500, Michael Gilbert wrote:
> The following CVE (Common Vulnerabilities & Exposures) id was
> published for libtool.  I have determined that this package embeds a
> vulnerable copy of the libtool source code.  However, since this is a
> mass bug filing (due to so many packages embedding libtool), I have not
> had time to determine whether the vulnerable code is actually present
> in any of the binary packages. Please determine whether this is the
> case. If the binary packages are not affected, please feel free to close
> the bug with a message containing the details of what you did to check.

AIUI, only the versions in squeeze and sid (identical) are affected. We
did not have static library support in the versions in etch and lenny,
so there are no .la files contained in the packages and they therefore
should not be vulnerable.

I'm preparing a fix at the moment, which I can upload soon. I'd like to
know with which priority to upload, and where. The ST suggests urgency
of "medium", but I'm unsure which queue to use. As I understand dev-ref,
an upload to ftp-master should suffice since {old,}stable is not
affected. (Sorry, first CVE…)

I'll send the debdiff for review as soon as the build finishes.

Best regards
Manuel

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>:
Bug#559836; Package openmpi. (Tue, 08 Dec 2009 00:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Manuel Prinz <manuel@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>. (Tue, 08 Dec 2009 00:45:03 GMT) (full text, mbox, link).


Message #30 received at 559836@bugs.debian.org (full text, mbox, reply):

From: Manuel Prinz <manuel@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 559836@bugs.debian.org
Subject: Re: [Pkg-openmpi-maintainers] Bug#559836: CVE-2009-3736 local privilege escalation
Date: Tue, 08 Dec 2009 01:42:23 +0100
[Message part 1 (text/plain, inline)]
Here's the debdiff. Changes are checked into our SVN repo.

Best regards
Manuel
[ompi_libtool_fix.diff (text/x-patch, attachment)]

Added tag(s) confirmed, pending, and patch. Request was from Manuel Prinz <manuel@debian.org> to control@bugs.debian.org. (Tue, 08 Dec 2009 00:57:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>:
Bug#559836; Package openmpi. (Tue, 08 Dec 2009 06:48:07 GMT) (full text, mbox, link).


Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>. (Tue, 08 Dec 2009 06:48:07 GMT) (full text, mbox, link).


Message #37 received at 559836@bugs.debian.org (full text, mbox, reply):

From: Luk Claes <luk@debian.org>
To: Manuel Prinz <manuel@debian.org>, 559836@bugs.debian.org
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#559836: [Pkg-openmpi-maintainers] Bug#559836: CVE-2009-3736 local privilege escalation
Date: Tue, 08 Dec 2009 07:41:21 +0100
Manuel Prinz wrote:
> Hi Michael!
> 
> On Monday, 07.12.2009, 00:06 -0500, Michael Gilbert wrote:
>> The following CVE (Common Vulnerabilities & Exposures) id was
>> published for libtool.  I have determined that this package embeds a
>> vulnerable copy of the libtool source code.  However, since this is a
>> mass bug filing (due to so many packages embedding libtool), I have not
>> had time to determine whether the vulnerable code is actually present
>> in any of the binary packages. Please determine whether this is the
>> case. If the binary packages are not affected, please feel free to close
>> the bug with a message containing the details of what you did to check.
> 
> AIUI, only the versions in squeeze and sid (identical) are affected. We
> did not have static library support in the versions in etch and lenny,
> so there are no .la files contained in the packages and they therefore
> should not be vulnerable.
> 
> I'm preparing a fix at the moment, which I can upload soon. I'd like to
> know with which priority to upload, and where. The ST suggests urgency
> of "medium", but I'm unsure which queue to use. As I understand dev-ref,
> an upload to ftp-master should suffice since {old,}stable is not
> affected. (Sorry, first CVE…)

As only sid and squeeze are affected, uploading with medium urgency to
unstable should be enough.

Cheers

Luk

Reply sent to Manuel Prinz <manuel@debian.org>:
You have taken responsibility. (Tue, 08 Dec 2009 15:42:10 GMT) (full text, mbox, link).


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Tue, 08 Dec 2009 15:42:10 GMT) (full text, mbox, link).


Message #42 received at 559836-close@bugs.debian.org (full text, mbox, reply):

From: Manuel Prinz <manuel@debian.org>
To: 559836-close@bugs.debian.org
Subject: Bug#559836: fixed in openmpi 1.3.3-4
Date: Tue, 08 Dec 2009 15:39:17 +0000
Source: openmpi
Source-Version: 1.3.3-4

We believe that the bug you reported is fixed in the latest version of
openmpi, which is due to be installed in the Debian FTP archive:

libopenmpi-dbg_1.3.3-4_amd64.deb
  to main/o/openmpi/libopenmpi-dbg_1.3.3-4_amd64.deb
libopenmpi-dev_1.3.3-4_amd64.deb
  to main/o/openmpi/libopenmpi-dev_1.3.3-4_amd64.deb
libopenmpi1.3_1.3.3-4_amd64.deb
  to main/o/openmpi/libopenmpi1.3_1.3.3-4_amd64.deb
openmpi-bin_1.3.3-4_amd64.deb
  to main/o/openmpi/openmpi-bin_1.3.3-4_amd64.deb
openmpi-checkpoint_1.3.3-4_amd64.deb
  to main/o/openmpi/openmpi-checkpoint_1.3.3-4_amd64.deb
openmpi-common_1.3.3-4_all.deb
  to main/o/openmpi/openmpi-common_1.3.3-4_all.deb
openmpi-doc_1.3.3-4_all.deb
  to main/o/openmpi/openmpi-doc_1.3.3-4_all.deb
openmpi_1.3.3-4.diff.gz
  to main/o/openmpi/openmpi_1.3.3-4.diff.gz
openmpi_1.3.3-4.dsc
  to main/o/openmpi/openmpi_1.3.3-4.dsc

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 559836@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Manuel Prinz <manuel@debian.org> (supplier of updated openmpi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 08 Dec 2009 00:58:02 +0100
Source: openmpi
Binary: openmpi-bin libopenmpi-dev libopenmpi1.3 openmpi-common openmpi-doc libopenmpi-dbg openmpi-checkpoint
Architecture: source amd64 all
Version: 1.3.3-4
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>
Changed-By: Manuel Prinz <manuel@debian.org>
Description: 
 libopenmpi-dbg - high performance message passing library -- debug library
 libopenmpi-dev - high performance message passing library -- header files
 libopenmpi1.3 - high performance message passing library -- shared library
 openmpi-bin - high performance message passing library -- binaries
 openmpi-checkpoint - high performance message passing library -- checkpoint support
 openmpi-common - high performance message passing library -- common files
 openmpi-doc - high performance message passing library -- man pages
Closes: 559836
Changes: 
 openmpi (1.3.3-4) unstable; urgency=medium
 .
   * Fixed security issue in copy of libtool, see CVE-2009-3736.
     Closes: #559836.
Checksums-Sha1: 
 b3ab7e772eb9075bd378c197de5c0be3671f76cd 1585 openmpi_1.3.3-4.dsc
 add0e08c0f5532a26dea91a112239663d0b42e64 22962 openmpi_1.3.3-4.diff.gz
 b49018cd4f726624bb86a50ddfdd5f86176d4736 139812 openmpi-bin_1.3.3-4_amd64.deb
 be3c4cb248c08967d96c755698292a91754d4a5a 2623272 libopenmpi-dev_1.3.3-4_amd64.deb
 944c8889698f2294b8ff713fd416386a71b52dfd 1336690 libopenmpi1.3_1.3.3-4_amd64.deb
 8dc02789d574cd919dd9217b7cf143cd98e10242 5552998 libopenmpi-dbg_1.3.3-4_amd64.deb
 0d66efeef4ef12ec7686ec36ca551b664287c82a 79118 openmpi-checkpoint_1.3.3-4_amd64.deb
 ff73e9055588b99a595eb323fb3d26723b0635f5 81844 openmpi-common_1.3.3-4_all.deb
 dae2dc29b8d792ed1d5b52ffb10e1ddfc5feebd5 461774 openmpi-doc_1.3.3-4_all.deb
Checksums-Sha256: 
 458ec132b5d93c628f78d3e87f52b45d1bc94b3757031eb74627b0aecba8d7ab 1585 openmpi_1.3.3-4.dsc
 0b1d2275c48f2d5ec4f9a5f70413a4e5e887c8b90e4e4eda797df54881ab1280 22962 openmpi_1.3.3-4.diff.gz
 4cb05d1b5c1370e8f900cd07a5333bfbbb5dd3b0603d601b88ffdd3e7b0cdaa5 139812 openmpi-bin_1.3.3-4_amd64.deb
 8bdddbfc22887ca6c958616960e479f51b46fd6f9039f772236e85180f1f5f41 2623272 libopenmpi-dev_1.3.3-4_amd64.deb
 eb4e0cabfce87d86cd208692d308e5c99f8f633796f54e10754ab0fbc2a0c2b5 1336690 libopenmpi1.3_1.3.3-4_amd64.deb
 60d781b2fafceb30b7a8ac278e64cc50ec49f2ace1f02f228e5ef8f148639c2a 5552998 libopenmpi-dbg_1.3.3-4_amd64.deb
 6814336e635074b785c4465e1f0cdffc72333811b45d987869fbb74d6c5517d2 79118 openmpi-checkpoint_1.3.3-4_amd64.deb
 f632471ac093e16659bda9fc312e758bf8109193aabdd9e71570174c7a711ed0 81844 openmpi-common_1.3.3-4_all.deb
 daf8052844eebbdfb32ca36b64edfe71eed9f58025bbefdc2c0c5d9024b51a8b 461774 openmpi-doc_1.3.3-4_all.deb
Files: 
 2c47a5d49a72e43502e96e501f6a60f4 1585 net extra openmpi_1.3.3-4.dsc
 91a7210cd0a8ef923d46cc6e7d2c067e 22962 net extra openmpi_1.3.3-4.diff.gz
 0321887c00cd5f97feee692d8d09c595 139812 net extra openmpi-bin_1.3.3-4_amd64.deb
 8e8e6be08f5fa825850da64ccb1d37de 2623272 libdevel extra libopenmpi-dev_1.3.3-4_amd64.deb
 a4ac08b486bf5fc1bff6f18c7c6e283c 1336690 libs extra libopenmpi1.3_1.3.3-4_amd64.deb
 093896081441a09e69716fb828682e29 5552998 debug extra libopenmpi-dbg_1.3.3-4_amd64.deb
 3946ecce3efa5369af19aba2ae9e8e26 79118 net extra openmpi-checkpoint_1.3.3-4_amd64.deb
 946f07f5ca6776bec92551a265a5b3ad 81844 net extra openmpi-common_1.3.3-4_all.deb
 6e06e4165c5ad7dc838f37d4e8024e4a 461774 doc extra openmpi-doc_1.3.3-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkseYacACgkQ8WlhyMyNeVcvbgCfVnWBg+6KeqJpJclsNtmWg12p
lJIAoJ106piZbcXI9ZkxdBKb8XTCozff
=CmNn
-----END PGP SIGNATURE-----

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>:
Bug#559836; Package openmpi. (Tue, 08 Dec 2009 19:36:05 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>. (Tue, 08 Dec 2009 19:36:05 GMT) (full text, mbox, link).


Message #47 received at 559836@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Manuel Prinz <manuel@debian.org>
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>, 559836@bugs.debian.org
Subject: Re: [Pkg-openmpi-maintainers] Bug#559836: CVE-2009-3736 local privilege escalation
Date: Tue, 8 Dec 2009 20:35:00 +0100
On Tue, Dec 08, 2009 at 01:42:23AM +0100, Manuel Prinz wrote:
> Here's the debdiff. Changes are checked into our SVN repo.
> 
> Best regards
> Manuel

You should rather use the copy of libltdl currently in the
archive or is there a technical reason, which prevents this?

Cheers,
        Moritz

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>:
Bug#559836; Package openmpi. (Tue, 08 Dec 2009 20:48:02 GMT) (full text, mbox, link).


Acknowledgement sent to Manuel Prinz <manuel@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>. (Tue, 08 Dec 2009 20:48:02 GMT) (full text, mbox, link).


Message #52 received at 559836@bugs.debian.org (full text, mbox, reply):

From: Manuel Prinz <manuel@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 559836@bugs.debian.org
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: [Pkg-openmpi-maintainers] Bug#559836: Bug#559836: CVE-2009-3736 local privilege escalation
Date: Tue, 08 Dec 2009 21:46:45 +0100
Hi Moritz!

On Tuesday, 08.12.2009, 20:35 +0100, Moritz Muehlenhoff wrote:
> You should rather use the copy of libltdl currently in the
> archive or is there a technical reason, which prevents this?

I'm aware of that and discussed it with upstream. They said it would
require quite some changes to the build system, since they decided to
use a copy of libtool for technical and practical reasons and only
support that. I of course might be able to hack support for using the
system libtool into it but I thought fixing security issues in a timely
manner is generally preferred, especially if the issue is that simple to
fix.

Also, I do not quite understand how using Debian's libtool would help,
as it seems vulnerable as well and is not fixed yet. If I misunderstood
the situation, please correct me.

Don't get me wrong: I really appreciate the work the security team does
and I wanted to help you by fixing the issue ASAP. If this was wrong, I
apologize! The solution as is should be seen as an interim solution. I
will try to make Open MPI use libtool, though this is something I can't
see to happen in a reasonable time frame at the moment. Leaving RC bugs
open for weeks does not help anyone, so I fixed the issue the way I did,
by patching the local copy. If this is not an acceptable solution,
please reopen. I just had good intentions, and am open to criticism and
discussion, and willing to learn.

Also, please clarify on the state in etch and lenny. We did not build
static libs, so no .la files there. This version of libtool is not used
outside of MPI. Am I supposed to fix those packages as well as users
might modify debian/rules and build static binaries? I did assume this
not to be the case, but I'm irritated now.

Best regards
Manuel

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>:
Bug#559836; Package openmpi. (Tue, 08 Dec 2009 21:30:05 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>. (Tue, 08 Dec 2009 21:30:05 GMT) (full text, mbox, link).


Message #57 received at 559836@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Manuel Prinz <manuel@debian.org>
Cc: 559836@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: [Pkg-openmpi-maintainers] Bug#559836: Bug#559836: CVE-2009-3736 local privilege escalation
Date: Tue, 8 Dec 2009 22:28:22 +0100
On Tue, Dec 08, 2009 at 09:46:45PM +0100, Manuel Prinz wrote:
> Hi Moritz!
> 
> On Tuesday, 08.12.2009, 20:35 +0100, Moritz Muehlenhoff wrote:
> > You should rather use the copy of libltdl currently in the
> > archive or is there a technical reason, which prevents this?
> 
> I'm aware of that and discussed it with upstream. They said it would
> require quite some changes to the build system, since they decided to
> use a copy of libtool for technical and practical reasons and only
> support that. I of course might be able to hack support for using the
> system libtool into it but I thought fixing security issues in a timely
> manner is generally preferred, especially if the issue is that simple to
> fix.
> 
> Also, I do not quite understand how using Debian's libtool would help,
> as it seems vulnerable as well and is not fixed yet. If I misunderstood
> the situation, please correct me.
> 
> Don't get me wrong: I really appreciate the work the security team does
> and I wanted to help you by fixing the issue ASAP. If this was wrong, I
> apologize! The solution as is should be seen as an interim solution. I
> will try to make Open MPI use libtool, though this is something I can't
> see to happen in a reasonable time frame at the moment. Leaving RC bugs
> open for weeks does not help anyone, so I fixed the issue the way I did,
> by patching the local copy. If this is not an acceptable solution,
> please reopen. I just had good intentions, and am open to criticism and
> discussion, and willing to learn.

No problem, fixing the issue ad hoc is of course preferred and using the
system copy the long term goal (if there're technical issues (that's why
I asked) you can also leave it as-is). Embedding a copy of libtool is
rather harmless compared to, e.g., an embedded copy of libavcodec.
 
> Also, please clarify on the state in etch and lenny. We did not build
> static libs, so no .la files there. This version of libtool is not used
> outside of MPI. Am I supposed to fix those packages as well as users
> might modify debian/rules and build static binaries? I did assume this
> not to be the case, but I'm irritated now.

You can leave etch and lenny untouched, the impact doesn't warrant an
update.

Cheers,
        Moritz

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>:
Bug#559836; Package openmpi. (Tue, 08 Dec 2009 22:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Manuel Prinz <manuel@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>. (Tue, 08 Dec 2009 22:06:03 GMT) (full text, mbox, link).


Message #62 received at 559836@bugs.debian.org (full text, mbox, reply):

From: Manuel Prinz <manuel@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Subject: Re: [Pkg-openmpi-maintainers] Bug#559836: Bug#559836: CVE-2009-3736 local privilege escalation
Date: Tue, 08 Dec 2009 23:05:15 +0100
Hi Moritz!

On Tuesday, 08.12.2009, 22:28 +0100, Moritz Muehlenhoff wrote:
> You can leave etch and lenny untouched, the impact doesn't warrant an
> update.

Thanks for clarifying!

Best regards
Manuel

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>:
Bug#559836; Package openmpi. (Sat, 12 Dec 2009 23:09:41 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenMPI Maintainers <pkg-openmpi-maintainers@lists.alioth.debian.org>. (Sat, 12 Dec 2009 23:09:41 GMT) (full text, mbox, link).


Message #67 received at 559836@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 559798@bugs.debian.org, 559799@bugs.debian.org, 559800@bugs.debian.org, 559801@bugs.debian.org, 559802@bugs.debian.org, 559803@bugs.debian.org, 559804@bugs.debian.org, 559805@bugs.debian.org, 559806@bugs.debian.org, 559807@bugs.debian.org, 559808@bugs.debian.org, 559809@bugs.debian.org, 559810@bugs.debian.org, 559811@bugs.debian.org, 559812@bugs.debian.org, 559813@bugs.debian.org, 559814@bugs.debian.org, 559815@bugs.debian.org, 559816@bugs.debian.org, 559817@bugs.debian.org, 559818@bugs.debian.org, 559819@bugs.debian.org, 559820@bugs.debian.org, 559821@bugs.debian.org, 559822@bugs.debian.org, 559823@bugs.debian.org, 559824@bugs.debian.org, 559825@bugs.debian.org, 559826@bugs.debian.org, 559827@bugs.debian.org, 559828@bugs.debian.org, 559829@bugs.debian.org, 559830@bugs.debian.org, 559831@bugs.debian.org, 559832@bugs.debian.org, 559833@bugs.debian.org, 559834@bugs.debian.org, 559835@bugs.debian.org, 559836@bugs.debian.org, 559837@bugs.debian.org, 559838@bugs.debian.org, 559839@bugs.debian.org, 559840@bugs.debian.org, 559841@bugs.debian.org, 559842@bugs.debian.org, 559843@bugs.debian.org, 559844@bugs.debian.org, 559845@bugs.debian.org
Subject: CVE-2009-3736 update
Date: Sat, 12 Dec 2009 18:07:00 -0500
Hi all,

It has come to my attention that a lot of maintainers are simply adding
a build-depends on libltdl3-dev to try to solve this problem.  This is
not a sufficient solution since your package will still use the
embedded libtool code copy.  You need to add '--without-included-ltdl'
to your configure arguments to do this right.

A verification, but not really a sufficient proof, is that 
'ldd <your binaries>' shows that the system libtool is being used.

On another note, if your package is affected in either stable or
oldstable, it also must be fixed.  The security team has determined
that this issue is not sufficiently severe to warrant DSAs for the
embedding packages, so instead, you should coordinate a proposed-update
with the release team.

Once you have fixed the problem in unstable (or even before that if
you desire), please open new bugs for stable/oldstable to track the
problem there (if your package is affected).

Thank you for working on this issue.

Mike
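The two checks discussed in this thread, as an added example that is not part of the bug log and not Debian or Open MPI code: Manuel's reasoning in message #25 (a package that ships no .la files has nothing for the libltdl search to pick up) and Mike's spot check above (after switching to `--without-included-ltdl`, `ldd` on the binaries should show the system libltdl). The `ldd` output used here is constructed sample text, and the assumption that a system libltdl resolves under `/lib` or `/usr/lib` is mine; as Mike says, a positive `ldd` result is a useful indicator, not a proof.

```shell
#!/bin/sh
# Added example, not part of the bug log. Two checks a packager can run:
#  1. does the built tree ship any .la files (Manuel's argument for
#     etch/lenny: no static libs, so no .la files);
#  2. does `ldd` on a binary show libltdl resolved from a system library
#     directory (Mike's spot check after --without-included-ltdl).
# The ldd output below is constructed sample text; matching libltdl under
# /lib or /usr/lib is an assumption about where the system copy lives.

# Count .la files below a directory (e.g. a package's debian/tmp tree).
count_la_files() {
    find "$1" -type f -name '*.la' 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 when the given ldd output lists libltdl resolved from /lib or
# /usr/lib, 1 otherwise (libltdl absent, or resolved from somewhere else).
uses_system_ltdl() {
    printf '%s\n' "$1" | grep -Eq 'libltdl\.so[.0-9]* => /(usr/)?lib'
}

# Run the ldd check on a real file; prints a verdict, exit status as above.
check_binary() {
    out=$(ldd "$1" 2>/dev/null) || { echo "$1: ldd failed"; return 2; }
    if uses_system_ltdl "$out"; then
        echo "$1: links system libltdl"
    else
        echo "$1: no system libltdl (embedded copy, static link, or not linked)"
        return 1
    fi
}

# Constructed sample ldd output for a binary built against the system ltdl ...
SAMPLE_SYSTEM='    linux-vdso.so.1 (0x00007ffd1a5f0000)
    libltdl.so.7 => /usr/lib/x86_64-linux-gnu/libltdl.so.7 (0x00007f3c2c000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c2bc00000)'

# ... and for one carrying an embedded copy (assumed to be linked into the
# package's own library, so no separate libltdl entry appears at all).
SAMPLE_EMBEDDED='    linux-vdso.so.1 (0x00007ffd1a5f0000)
    libmpi.so.0 => /usr/lib/libmpi.so.0 (0x00007f3c2c000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c2bc00000)'

# Stand-alone demo over the constructed samples.
for name in SAMPLE_SYSTEM SAMPLE_EMBEDDED; do
    eval "sample=\$$name"
    if uses_system_ltdl "$sample"; then
        echo "$name: system libltdl found"
    else
        echo "$name: system libltdl NOT found"
    fi
done
```

On a real build, call `check_binary` on each file in the package's bin directory and `count_la_files` on the staging tree; a non-zero .la count in a tree that also carries an embedded libltdl is the combination this CVE is about, while a zero count is the situation Manuel describes for etch and lenny.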

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 08:41:34 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 15 07:55:36 2025; Machine Name: berlioz
