Your message dated Sun, 14 Sep 2008 21:17:08 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#443322: fixed in shadow 1:4.1.1-5
has caused the Debian Bug report #443322,
regarding libpam-runtime: login for nonexistent user fails without password
prompt
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
443322: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=443322
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libpam-runtime
Version: 0.99.7.1-6
Severity: grave
Tags: security
Justification: user security hole
At console login, an invalid username will cause the login procedure to
fail *before* it prompts you for a password. (I only discovered this
because I accidentally mistyped my username.) This allows someone to
discover, without ever logging in, whether a given username exists on
the system or not. Seems like an important security issue. The exact
same issue cropped up on Arch Linux last fall (Nov 2007), where it was
determined to be a libpam problem. I don't know enough to know which
libpam package precisely is involved, but I only have three on my
system: libpam-modules, libpam-runtime, libpam0g, all with the same
maintainer, so hopefully this is getting to the right person.
Relevant Arch bug report:
http://bugs.archlinux.org/task/8742
Apologies if I've reported this as too severe: it was dealt with as high
severity in Arch, and seems like a major issue to this layman. Wish I
could tell you more, but as far as I can tell that's the extent of the
problem; everything works just fine if you log in with a name that exists
on the system.
-NF
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: shadow
Source-Version: 1:4.1.1-5
We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:
login_4.1.1-5_i386.deb
  to pool/main/s/shadow/login_4.1.1-5_i386.deb
passwd_4.1.1-5_i386.deb
  to pool/main/s/shadow/passwd_4.1.1-5_i386.deb
shadow_4.1.1-5.diff.gz
  to pool/main/s/shadow/shadow_4.1.1-5.diff.gz
shadow_4.1.1-5.dsc
  to pool/main/s/shadow/shadow_4.1.1-5.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nicolas FRANCOIS (Nekral) <[EMAIL PROTECTED]> (supplier of updated shadow
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 14 Sep 2008 19:13:34 +0200
Source: shadow
Binary: passwd login
Architecture: source i386
Version: 1:4.1.1-5
Distribution: unstable
Urgency: low
Maintainer: Shadow package maintainers <[EMAIL PROTECTED]>
Changed-By: Nicolas FRANCOIS (Nekral) <[EMAIL PROTECTED]>
Description:
 login - system login tools
 passwd - change and administer password and group data
Closes: 443322 495831
Changes:
 shadow (1:4.1.1-5) unstable; urgency=low
 .
   * The "Bergues" release.
   * debian/login.pam: restore the Etch behavior of pam_securetty.so in case of
     unknown user. Closes: #443322, #495831
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
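
Added example, not code from the shadow package or from this bug log: a shell check that reports whether a PAM service file lets an unknown username abort the auth stack at pam_securetty.so before any password prompt. It assumes pam_securetty.so returns PAM_USER_UNKNOWN for a name it cannot look up and that a `die` action stops the stack immediately; the page does not show the changed login.pam line, so the sample stacks and the function names are constructed.

```shell
#!/bin/sh
# Added example: audit how a PAM service file treats an unknown user at
# pam_securetty.so. Function names and sample stacks are hypothetical.

# Print the action applied to PAM_USER_UNKNOWN by the first auth line that
# loads pam_securetty.so in file $1, or "none" if there is no such line.
pam_unknown_user_action() {
    awk '
    /^[ \t]*#/ { next }                          # skip comment lines
    $1 == "auth" && /pam_securetty\.so/ {
        action = "unset"
        if ($2 == "requisite")     action = "die"   # abort stack at once
        else if ($2 == "required") action = "bad"   # fail, keep running
        else if ($2 == "sufficient" || $2 == "optional") action = "ignore"
        else if ($2 ~ /^\[/) {
            # [value=action ...] form: explicit user_unknown wins over default
            uu = ""; def = ""
            for (i = 2; i <= NF; i++) {
                tok = $i; gsub(/[][]/, "", tok)
                if (split(tok, kv, "=") == 2) {
                    if (kv[1] == "user_unknown") uu = kv[2]
                    if (kv[1] == "default")      def = kv[2]
                }
                if ($i ~ /\]$/) break
            }
            if (uu != "") action = uu
            else if (def != "") action = def
        }
        print action; found = 1; exit
    }
    END { if (!found) print "none" }' "$1"
}

# True when an unknown name ends the stack before a later module can prompt
# for a password, which is what lets a caller tell valid names from invalid.
leaks_usernames() {
    [ "$(pam_unknown_user_action "$1")" = "die" ]
}

# Constructed sample stacks, not the contents of debian/login.pam.
demo=$(mktemp -d)
printf 'auth requisite pam_securetty.so\nauth required pam_unix.so\n' > "$demo/strict"
printf 'auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so\n' > "$demo/lenient"
for f in strict lenient; do
    if leaks_usernames "$demo/$f"; then echo "$f: unknown user aborts before prompt"
    else echo "$f: unknown user still reaches the password prompt"; fi
done
rm -rf "$demo"
```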