severity 679628 critical
thanks

On Sat, Jun 30, 2012 at 10:43:33AM +0100, Roy Hills wrote:
> I think the crypt_blowfish implementation in libxcrypt 2.4-1 has the sign
> extension bug detailed in CVE-2011-2483.
>
> Full details of this bug are at: http://seclists.org/oss-sec/2011/q2/632
Given the information here concerning weak passwords, I have set the
severity to critical.

> Upgrading to the latest upstream source should fix this bug.

When I tried 3.0 it didn't work
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487487) and didn't
compile on some arches
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489840), but perhaps it
is worth trying again with upstream 3.0.2, fixing any issues that crop up.
Or, it may be more straightforward (especially since we've just frozen) to
backport the fix to 2.4.

In any case, I'm very sorry to say that my need for libxcrypt and
libpam-unix2 ended several years ago and I won't be able to work on this
myself. libpam-unix2 was already orphaned and I have now orphaned
libxcrypt as well. Best wishes to a future adopter.

--
Ivan Kohler
President and Head Geek, Freeside Internet Services, Inc. http://freeside.biz/
Debian GNU/Linux developer | CPAN author | cat person | ski addict
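As an added illustration (not code from this bug report or from libxcrypt), the sign-extension defect behind CVE-2011-2483, modelled on the word-packing step of crypt_blowfish's key setup: key bytes were read through a plain `char` pointer, so on signed-char platforms any byte >= 0x80 was sign-extended and its high bits overwrote the bytes already shifted into the 32-bit word, which is why passwords with non-ASCII characters lost entropy. The `signed char` cast is made explicit here so the behaviour is the same on unsigned-char targets; the function names are assumptions for this example.

```c
#include <stdint.h>

/* Pack 4 key bytes into a 32-bit word the way the pre-fix key setup did.
 * The OR operand is a (signed) char, so a byte >= 0x80 becomes a negative
 * int, converts to 0xFFFFFFxx, and sets every high bit of the word: the
 * bytes already shifted in above it are wiped out. */
uint32_t pack_word_buggy(const char *key)
{
    uint32_t tmp = 0;
    for (int i = 0; i < 4; i++) {
        tmp <<= 8;
        tmp |= (signed char)key[i]; /* sign-extended: the defect */
    }
    return tmp;
}

/* The upstream fix: read each byte as unsigned so it contributes only
 * its own 8 bits and earlier bytes survive. */
uint32_t pack_word_fixed(const char *key)
{
    uint32_t tmp = 0;
    for (int i = 0; i < 4; i++) {
        tmp <<= 8;
        tmp |= (unsigned char)key[i];
    }
    return tmp;
}

/* Returns 1 when the buggy packing maps two different 4-byte keys to the
 * same word, i.e. when the distinguishing bytes have been discarded. */
int buggy_collides(const char *a, const char *b)
{
    return pack_word_buggy(a) == pack_word_buggy(b);
}
```

With a constructed key such as "ab" followed by UTF-8 "é" (0xC3 0xA9), the buggy packing discards the leading "ab", so any key of the form "??é" collapses to the same word, while the fixed packing keeps all four bytes.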

