Your message dated Mon, 25 Sep 2017 15:11:12 +0000
with message-id <e1dwv2o-0007gk...@fasolo.debian.org>
and subject line Bug#876640: fixed in plinth 0.15.2+ds-1
has caused the Debian Bug report #876640,
regarding plinth: Insecure crypto settings used for auth-pubtkt
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
876640: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876640
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: plinth
Version: 0.15.1+ds-1
Severity: grave
Tags: security upstream
Justification: user security hole


Due to issues (now fixed) in libapache2-mod-auth-pubtkt, plinth
v0.15.1 has insecure settings for key generation and signing. This may
allow someone to impersonate a plinth user and gain access to apps
that support SSO.

This issue is fixed upstream, but not released yet:
https://github.com/freedombox/Plinth/commit/f9166f8e985401e598de39bd72f0304c799bc0f0#diff-c3fddc6d3c8965915ad635b6b3de49f4


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.12.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages plinth depends on:
ii  adduser                     3.116
ii  augeas-tools                1.8.1-2
ii  avahi-daemon                0.7-3
ii  batctl                      2017.2-2
ii  firewalld                   0.4.4.5-2
ii  gettext                     0.19.8.1-4
ii  gir1.2-glib-2.0             1.54.0-2
ii  gir1.2-networkmanager-1.0   1.8.4-1
ii  init-system-helpers         1.49
ii  javascript-common           11
ii  ldap-utils                  2.4.45+dfsg-1
ii  ldapscripts                 2.0.8-1
ii  libapache2-mod-auth-pubtkt  0.11-1
ii  libjs-bootstrap             3.3.7+dfsg-2
ii  libjs-jquery                3.2.1-1
ii  libjs-modernizr             2.6.2+ds1-1
ii  libnss-ldapd                0.9.8-1
ii  libpam-ldapd                0.9.8-1
ii  network-manager             1.8.4-1
ii  nslcd                       0.9.8-1
ii  ntp                         1:4.2.8p10+dfsg-5
ii  openssl                     1.1.0f-5
ii  ppp                         2.4.7-1+4
ii  pppoe                       3.12-1.1
ii  python3                     3.5.3-3
ii  python3-apt                 1.4.0~beta3+b1
ii  python3-augeas              0.5.0-1
ii  python3-bootstrapform       3.2.1-3
ii  python3-cherrypy3           3.5.0-2
ii  python3-django              1:1.11.5-1
ii  python3-django-stronghold   0.2.7+debian-3
ii  python3-gi                  3.24.1-3
ii  python3-openssl             16.2.0-1
ii  python3-psutil              5.0.1-1+b1
ii  python3-requests            2.18.1-1
ii  python3-ruamel.yaml         0.13.4-2+b1
ii  slapd                       2.4.45+dfsg-1
ii  sudo                        1.8.21p2-1
ii  unattended-upgrades         0.97

plinth recommends no packages.

plinth suggests no packages.

-- Configuration Files:
/etc/sudoers.d/plinth [Errno 13] Permission denied: '/etc/sudoers.d/plinth'

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: plinth
Source-Version: 0.15.2+ds-1

We believe that the bug you reported is fixed in the latest version of
plinth, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Federico Ceratto <feder...@debian.org> (supplier of updated plinth package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 25 Sep 2017 15:03:35 +0100
Source: plinth
Binary: plinth
Architecture: source all
Version: 0.15.2+ds-1
Distribution: unstable
Urgency: medium
Maintainer: FreedomBox packaging team <freedombox-pkg-t...@lists.alioth.debian.org>
Changed-By: Federico Ceratto <feder...@debian.org>
Description:
 plinth     - web front end for administering every aspect of a FreedomBox
Closes: 876627 876640
Changes:
 plinth (0.15.2+ds-1) unstable; urgency=medium
 .
   [ James Valleroy ]
   * Cleanup config for removed modules (Closes: #876627).
   * New upstream version 0.15.2 (Closes: #876640).
   * Add python3-configobj depend.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
