Your message dated Tue, 24 Mar 2009 19:53:40 +0000
with message-id <[email protected]>
and subject line Bug#520115: fixed in pam 0.79-5+etch1
has caused the Debian Bug report #520115,
regarding pam: CVE-2009-0887 integer signedness error could lead to DoS or authentication bypass
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
520115: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520115
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pam
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pam.
CVE-2009-0887[0]:
| Integer signedness error in the _pam_StrTok function in
| libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a
| configuration file contains non-ASCII usernames, might allow remote
| attackers to cause a denial of service, and might allow remote
| authenticated users to obtain login access with a different user's
| non-ASCII username, via a login attempt.
Upstream patch:
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/libpam/pam_misc.c?r1=1.9&r2=1.10&view=patch
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0887
http://security-tracker.debian.net/tracker/CVE-2009-0887
--
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: pam
Source-Version: 0.79-5+etch1
We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:
libpam-cracklib_0.79-5+etch1_i386.deb
to pool/main/p/pam/libpam-cracklib_0.79-5+etch1_i386.deb
libpam-doc_0.79-5+etch1_all.deb
to pool/main/p/pam/libpam-doc_0.79-5+etch1_all.deb
libpam-modules_0.79-5+etch1_i386.deb
to pool/main/p/pam/libpam-modules_0.79-5+etch1_i386.deb
libpam-runtime_0.79-5+etch1_all.deb
to pool/main/p/pam/libpam-runtime_0.79-5+etch1_all.deb
libpam0g-dev_0.79-5+etch1_i386.deb
to pool/main/p/pam/libpam0g-dev_0.79-5+etch1_i386.deb
libpam0g_0.79-5+etch1_i386.deb
to pool/main/p/pam/libpam0g_0.79-5+etch1_i386.deb
pam_0.79-5+etch1.diff.gz
to pool/main/p/pam/pam_0.79-5+etch1.diff.gz
pam_0.79-5+etch1.dsc
to pool/main/p/pam/pam_0.79-5+etch1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jan Christoph Nordholz <[email protected]> (supplier of updated pam
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.7
Date: Tue, 17 Mar 2009 22:29:19 +0100
Source: pam
Binary: libpam0g-dev libpam0g libpam-modules libpam-doc libpam-runtime libpam-cracklib
Architecture: source i386 all
Version: 0.79-5+etch1
Distribution: oldstable
Urgency: high
Maintainer: Sam Hartman <[email protected]>
Changed-By: Jan Christoph Nordholz <[email protected]>
Description:
libpam-cracklib - PAM module to enable cracklib support
libpam-doc - Documentation of PAM
libpam-modules - Pluggable Authentication Modules for PAM
libpam-runtime - Runtime support for the PAM library
libpam0g - Pluggable Authentication Modules library
libpam0g-dev - Development files for PAM
Closes: 520115
Changes:
pam (0.79-5+etch1) oldstable; urgency=high
.
* Security NMU, high urgency.
* Fix signedness error in _pam_StrTok(), CVE-2009-0887.
Closes: #520115.
Files:
--- End Message ---