Your message dated Sun, 20 Jan 2013 23:17:04 +0000
with message-id <[email protected]>
and subject line Bug#698241: fixed in pam-pgsql 0.7.1-4+squeeze2
has caused the Debian Bug report #698241,
regarding CVE-2013-0191: NULL password query result permits login with any 
password
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
698241: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698241
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-pgsql
Tags: security

Lucas Clemente Vella discovered that pam-pgsql (aka pam_pgsql) might
allow login with any password if the SQL query for the password returns
NULL.

Bug report: <https://sourceforge.net/p/pam-pgsql/bugs/13/>
Patch: 
<https://sourceforge.net/u/lvella/pam-pgsql/ci/9361f5970e5dd90a747319995b67c2f73b91448c/>

Please fix this for squeeze and wheezy, using minimal fixes.
(We will not release a DSA for this.)

--- End Message ---
--- Begin Message ---
Source: pam-pgsql
Source-Version: 0.7.1-4+squeeze2

We believe that the bug you reported is fixed in the latest version of
pam-pgsql, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Dittberner <[email protected]> (supplier of updated pam-pgsql package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 19 Jan 2013 19:48:50 +0100
Source: pam-pgsql
Binary: libpam-pgsql
Architecture: source amd64
Version: 0.7.1-4+squeeze2
Distribution: stable-proposed-updates
Urgency: low
Maintainer: Jan Dittberner <[email protected]>
Changed-By: Jan Dittberner <[email protected]>
Description:
 libpam-pgsql - PAM module to authenticate using a PostgreSQL database
Closes: 698241
Changes:
 pam-pgsql (0.7.1-4+squeeze2) stable-proposed-updates; urgency=low
 .
   * Fix "CVE-2013-0191: NULL password query result permits login with
     any password" by adding patch
     debian/patches/fix-698241-null-passwort-result-permits-login.patch from
     upstream bug tracker (Closes: #698241)

--- End Message ---
