Your message dated Sat, 11 Apr 2009 16:47:36 +0000
with message-id <[email protected]>
and subject line Bug#520115: fixed in pam 1.0.1-5+lenny1
has caused the Debian Bug report #520115,
regarding pam: CVE-2009-0887 integer signedness error could lead to DoS or authentication bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
520115: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520115
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: pam
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for pam.

CVE-2009-0887[0]:
| Integer signedness error in the _pam_StrTok function in
| libpam/pam_misc.c in Linux-PAM (aka pam) 1.0.3 and earlier, when a
| configuration file contains non-ASCII usernames, might allow remote
| attackers to cause a denial of service, and might allow remote
| authenticated users to obtain login access with a different user's
| non-ASCII username, via a login attempt.

Upstream patch:
http://pam.cvs.sourceforge.net/viewvc/pam/Linux-PAM/libpam/pam_misc.c?r1=1.9&r2=1.10&view=patch

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0887
    http://security-tracker.debian.net/tracker/CVE-2009-0887

-- 
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
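As an added illustration of the bug class the CVE text describes (this is not the Linux-PAM source or the upstream patch): a delimiter-table tokenizer indexes a 256-entry table by each byte of the line it parses, so with a signed char every non-ASCII byte becomes a negative index, while widening through unsigned char keeps every byte in 0..255. All function names are hypothetical, the signedness is forced with an explicit signed char so the result matches i386 on any host, and the pam.d-style line is constructed.

```c
#include <stdio.h>
#include <string.h>

/* The defect: indexing a 256-entry table with a plain char (modelled as
 * signed char so it behaves like i386 everywhere).  Byte 0xE9 becomes -23,
 * so table[-23] would read before the array; only the index is computed. */
int naive_index(char c) { return (int)(signed char)c; }

/* The fix: widen through unsigned char so every byte maps to 0..255. */
int safe_index(char c) { return (int)(unsigned char)c; }

/* Hardened in-place tokenizer: returns the next token from *cursor or
 * NULL when exhausted.  Every table lookup goes through safe_index. */
char *safe_strtok(char **cursor, const char *delims)
{
    unsigned char table[256] = {0};       /* one flag per byte value */
    char *p = *cursor, *token;
    if (p == NULL)
        return NULL;
    for (; *delims; delims++)
        table[safe_index(*delims)] = 1;
    while (*p && table[safe_index(*p)])   /* skip leading delimiters */
        p++;
    if (*p == '\0')
        return *cursor = NULL;
    token = p;
    while (*p && !table[safe_index(*p)])  /* consume the token */
        p++;
    if (*p)
        *p++ = '\0';                      /* terminate token, step past */
    *cursor = *p ? p : NULL;
    return token;
}

/* Tokenizes a copy of line, prints each token and returns the count. */
int dump_tokens(const char *line, const char *delims)
{
    char buf[256], *cursor = buf, *tok;
    int n = 0;
    snprintf(buf, sizeof buf, "%s", line);
    while ((tok = safe_strtok(&cursor, delims)) != NULL)
        printf("token %d: %s\n", ++n, tok);
    return n;
}

int main(void)
{   /* constructed pam.d-style line whose user field holds byte 0xE9 */
    printf("0xE9 -> table[%d] signed, table[%d] unsigned\n",
           naive_index((char)0xE9), safe_index((char)0xE9));
    return dump_tokens("auth\trequired pam_unix.so user=jos\xE9", " \t") == 4 ? 0 : 1;
}
```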
--- Begin Message ---
Source: pam
Source-Version: 1.0.1-5+lenny1

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:

libpam-cracklib_1.0.1-5+lenny1_i386.deb
  to pool/main/p/pam/libpam-cracklib_1.0.1-5+lenny1_i386.deb
libpam-doc_1.0.1-5+lenny1_all.deb
  to pool/main/p/pam/libpam-doc_1.0.1-5+lenny1_all.deb
libpam-modules_1.0.1-5+lenny1_i386.deb
  to pool/main/p/pam/libpam-modules_1.0.1-5+lenny1_i386.deb
libpam-runtime_1.0.1-5+lenny1_all.deb
  to pool/main/p/pam/libpam-runtime_1.0.1-5+lenny1_all.deb
libpam0g-dev_1.0.1-5+lenny1_i386.deb
  to pool/main/p/pam/libpam0g-dev_1.0.1-5+lenny1_i386.deb
libpam0g_1.0.1-5+lenny1_i386.deb
  to pool/main/p/pam/libpam0g_1.0.1-5+lenny1_i386.deb
pam_1.0.1-5+lenny1.diff.gz
  to pool/main/p/pam/pam_1.0.1-5+lenny1.diff.gz
pam_1.0.1-5+lenny1.dsc
  to pool/main/p/pam/pam_1.0.1-5+lenny1.dsc
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Christoph Nordholz <[email protected]> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Tue, 17 Mar 2009 18:51:07 +0100
Source: pam
Binary: libpam0g libpam-modules libpam-runtime libpam0g-dev libpam-cracklib libpam-doc
Architecture: source all i386
Version: 1.0.1-5+lenny1
Distribution: stable
Urgency: high
Maintainer: Steve Langasek <[email protected]>
Changed-By: Jan Christoph Nordholz <[email protected]>
Description: 
 libpam-cracklib - PAM module to enable cracklib support
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 520115
Changes: 
 pam (1.0.1-5+lenny1) stable; urgency=high
 .
   * Security NMU, high urgency.
   * Fix signedness error in _pam_StrTok(), CVE-2009-0887.
     Closes: #520115.

--- End Message ---