Your message dated Thu, 13 Aug 2009 01:53:56 +0000
with message-id <[email protected]>
and subject line Bug#535877: fixed in libpam-ssh 1.91.0-9.3+lenny1
has caused the Debian Bug report #535877,
regarding CVE-2009-1273: user enumeration issue in libpam-ssh
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
535877: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535877
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-ssh
Tags: security

A user enumeration issue has been disclosed in libpam-ssh:

| pam_ssh 1.92 and possibly other versions, as used when PAM is
| compiled with USE=ssh, generates different error messages depending
| on whether the username is valid or invalid, which makes it easier
| for remote attackers to enumerate usernames.

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1273>

The Gentoo bug report linked from there contains a patch.

This should probably be uploaded to (old)stable-proposed-updates,
combined with the fix for CVE-2007-0844.



--- End Message ---
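The pattern the report describes, an authentication path whose failure message differs for unknown and known users, beside a hardened form that fails identically either way, as an added C illustration. This is not pam_ssh's code or Dmitry Butskoy's patch: the account store, the secrets, the messages and the candidate names are constructed for the example, and `enumerate_valid_users` is the attacker-side oracle that a different response makes possible.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample account store standing in for whatever a real PAM
 * module consults (getpwnam(), the user's ~/.ssh key files, ...). */
struct account {
    const char *name;
    const char *secret;
};

static const struct account ACCOUNTS[] = {
    { "alice", "correct horse battery staple" },
    { "bob",   "hunter2" },
};

/* Fixed stand-in secret so the unknown-user path does the same work. */
static const char DUMMY_SECRET[] = "never-a-valid-passphrase";

static const struct account *lookup(const char *user)
{
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].name, user) == 0)
            return &ACCOUNTS[i];
    return NULL;
}

/* Accumulate differences instead of returning at the first mismatch.
 * Illustrative only: a length difference is still observable. */
static int equal_const_time(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Vulnerable pattern: the failure message reveals whether the account
 * exists at all, which is the class of flaw CVE-2009-1273 describes. */
const char *auth_leaky(const char *user, const char *secret)
{
    const struct account *a = lookup(user);
    if (a == NULL)
        return "Unknown user";      /* distinguishable from the next message */
    if (strcmp(a->secret, secret) != 0)
        return "Bad passphrase";
    return "OK";
}

/* Hardened pattern: unknown user and wrong secret take the same path,
 * do the same comparison work, and return one indistinguishable message. */
const char *auth_uniform(const char *user, const char *secret)
{
    const struct account *a = lookup(user);
    const char *expected = a ? a->secret : DUMMY_SECRET;
    int ok = (a != NULL) & equal_const_time(expected, secret);
    return ok ? "OK" : "Authentication failure";
}

typedef const char *(*auth_fn)(const char *, const char *);

/* Attacker's oracle: a name counts as valid when its failure response differs
 * from the response for a reference name assumed not to exist. Returns how
 * many names were confirmed and writes them to found[] (room for n entries). */
size_t enumerate_valid_users(auth_fn auth, const char **candidates, size_t n,
                             const char **found)
{
    const char *baseline = auth("no-such-user-8f3a", "x");
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(auth(candidates[i], "x"), baseline) != 0)
            found[count++] = candidates[i];
    return count;
}

int main(void)
{
    const char *cands[] = { "alice", "mallory", "bob" };
    const char *found[3];
    size_t k = enumerate_valid_users(auth_leaky, cands, 3, found);
    printf("leaky module:   %zu of 3 names confirmed\n", k);   /* 2 of 3 */
    k = enumerate_valid_users(auth_uniform, cands, 3, found);
    printf("uniform module: %zu of 3 names confirmed\n", k);   /* 0 of 3 */
    return 0;
}
```

Against `auth_leaky` the oracle confirms both real accounts from a single wrong-secret attempt each; against `auth_uniform` every name produces the same response, so the same probing learns nothing. The same reasoning applies to any observable difference, not only the text of the message: a prompt that appears only for existing users, a different PAM return code, or a noticeably faster failure are all the same oracle.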
--- Begin Message ---
Source: libpam-ssh
Source-Version: 1.91.0-9.3+lenny1

We believe that the bug you reported is fixed in the latest version of
libpam-ssh, which is due to be installed in the Debian FTP archive:

libpam-ssh_1.91.0-9.3+lenny1.diff.gz
  to pool/main/libp/libpam-ssh/libpam-ssh_1.91.0-9.3+lenny1.diff.gz
libpam-ssh_1.91.0-9.3+lenny1.dsc
  to pool/main/libp/libpam-ssh/libpam-ssh_1.91.0-9.3+lenny1.dsc
libpam-ssh_1.91.0-9.3+lenny1_i386.deb
  to pool/main/libp/libpam-ssh/libpam-ssh_1.91.0-9.3+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jens Peter Secher <[email protected]> (supplier of updated libpam-ssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 12 Aug 2009 22:37:21 +0200
Source: libpam-ssh
Binary: libpam-ssh
Architecture: source i386
Version: 1.91.0-9.3+lenny1
Distribution: stable-proposed-updates
Urgency: low
Maintainer: Aurelien Labrosse <[email protected]>
Changed-By: Jens Peter Secher <[email protected]>
Description: 
 libpam-ssh - enable SSO behavior for ssh and pam
Closes: 535877
Changes: 
 libpam-ssh (1.91.0-9.3+lenny1) stable-proposed-updates; urgency=low
 .
   * Avoid leaking user names by backporting Dmitry Butskoy's patch
     for CVE-2009-1273.
     (Closes: #535877)
Checksums-Sha1: 
 0ca364d5c3f5b3bc865185129d63c6831eeb08e5 1289 libpam-ssh_1.91.0-9.3+lenny1.dsc
 28aaaf09f6d7ada52f2ffc784ba221f0f441aa7a 284109 libpam-ssh_1.91.0-9.3+lenny1.diff.gz
 467b464527733be0d6ee1abfa49a56dd9a0cb533 48840 libpam-ssh_1.91.0-9.3+lenny1_i386.deb
Checksums-Sha256: 
 0fced317374ef251cfcf3e28d4cd36e865bb4f2e215f59f8a0f56b03b4c45d45 1289 libpam-ssh_1.91.0-9.3+lenny1.dsc
 610959f4dd348b813cb7f230a9f7cace0066cd715352905748c7cdbfc1210347 284109 libpam-ssh_1.91.0-9.3+lenny1.diff.gz
 843453e189925d2c28f3e207d49ea0d94d1f532f82695dc68287f5b6636376ae 48840 libpam-ssh_1.91.0-9.3+lenny1_i386.deb
Files: 
 19a6537123281e3682bbf16bf3919d9a 1289 admin optional libpam-ssh_1.91.0-9.3+lenny1.dsc
 3e646b17494731e5da09a14ea472279b 284109 admin optional libpam-ssh_1.91.0-9.3+lenny1.diff.gz
 b84410ff4795ccd62f533d944e871bc9 48840 admin optional libpam-ssh_1.91.0-9.3+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iJwEAQECAAYFAkqDL30ACgkQiFVdEFPVQL99YwP9HAf2HpS0dgk1c3vONrCxn9Up
8Y2fcVvtAvfV0fXVvLZFRSt8q/2CELqfxCeJQxhjtssey1bcQkGB2jLhh48OXe3l
M7fBhSQG0FYpQHFf1haZWwrHtHLEU2zFqIx1SSeS9q7fYLUdZ/KHahne6E9rQy7e
xlhiXB5l7ZaOAkVdn7o=
=Ty8r
-----END PGP SIGNATURE-----



--- End Message ---
