Your message dated Tue, 24 Jan 2012 22:43:44 +0100
with message-id <[email protected]>
and subject line Re: Bug#631283: CVE-2011-2483 crypt_blowfish: 8-bit character 
mishandling allows different password pairs to produce the same hash
has caused the Debian Bug report #631283,
regarding CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows 
different password pairs to produce the same hash
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
631283: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631283
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: php5-suhosin
Severity: serious
Tags: security

Hi,
The CVE (Common Vulnerabilities & Exposures) CVE-2011-2483 was
published for php5-suhosin.

A bug in crypt_blowfish was reported [1,2,3]. The function BF_set_key from
crypt_blowfish.c:554 looks vulnerable. The RH report may be useful [4] too.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

[1] http://www.openwall.com/lists/oss-security/2011/06/20/2
[2] http://www.openwall.com/lists/john-dev/2011/06/20/3
[3] http://www.openwall.com/lists/john-dev/2011/06/20/5
[4] https://bugzilla.redhat.com/show_bug.cgi?id=715025

-luciano



--- End Message ---
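Added example, not part of the bug report above and not crypt_blowfish's own source: a reconstruction of the byte-packing step of BF_set_key that the report points at, in its defective and corrected forms, to show why two different passwords can yield the same Blowfish key schedule and therefore the same hash. The defect is that each password byte was read through plain `char`, which is signed on x86, so a byte with the high bit set is sign-extended to 0xFFFFFFxx before being OR-ed into the 32-bit key word, overwriting the bytes already packed into that word; the fix reads the byte as `unsigned char`. The function names (`expand_key`, `keys_collide`, `first_key_word`) and the sample passwords are constructed for this illustration, the cast to `signed char` is written out so the defective behaviour is deterministic on any platform, and only the 18 expanded key words are compared; the Blowfish rounds and the hash encoding are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BF_N 16
#define KEY_WORDS (BF_N + 2)   /* the 18 P-array words that the key is XORed into */

/* Pack the NUL-terminated key into KEY_WORDS 32-bit words, cycling over the
 * key (NUL byte included) the way crypt_blowfish's BF_set_key does.
 * fixed == 0 models the defective build: the byte is taken through a signed
 *            char, so 0x80..0xFF becomes 0xFFFFFFxx and wipes the bytes
 *            already packed into the current word.
 * fixed == 1 models the corrected build: the byte is taken as unsigned char. */
static void expand_key(const char *key, int fixed, uint32_t expanded[KEY_WORDS])
{
    const char *ptr = key;
    int i, j;

    for (i = 0; i < KEY_WORDS; i++) {
        uint32_t tmp = 0;
        for (j = 0; j < 4; j++) {
            tmp <<= 8;
            if (fixed)
                tmp |= (unsigned char)*ptr;
            else
                tmp |= (uint32_t)(int)(signed char)*ptr;  /* sign extension, the bug */
            if (!*ptr)          /* include the terminator, then wrap around */
                ptr = key;
            else
                ptr++;
        }
        expanded[i] = tmp;
    }
}

/* First expanded word, handy for seeing what the wipe does to one word. */
uint32_t first_key_word(const char *key, int fixed)
{
    uint32_t expanded[KEY_WORDS];
    expand_key(key, fixed, expanded);
    return expanded[0];
}

/* 1 if both keys expand to identical key words (identical Blowfish state,
 * hence identical hash under the same salt and cost), 0 otherwise. */
int keys_collide(const char *a, const char *b, int fixed)
{
    uint32_t ea[KEY_WORDS], eb[KEY_WORDS];
    expand_key(a, fixed, ea);
    expand_key(b, fixed, eb);
    return memcmp(ea, eb, sizeof ea) == 0;
}

int main(void)
{
    /* Constructed sample passwords: two ASCII characters followed by the
     * 8-bit byte 0xA3, so key + NUL is exactly four bytes per cycle. */
    const char *p1 = "ab\xA3";
    const char *p2 = "cd\xA3";

    printf("defective: word0(\"ab\\xA3\") = 0x%08X, collide(ab,cd) = %d\n",
           first_key_word(p1, 0), keys_collide(p1, p2, 0));
    printf("corrected: word0(\"ab\\xA3\") = 0x%08X, collide(ab,cd) = %d\n",
           first_key_word(p1, 1), keys_collide(p1, p2, 1));
    return 0;
}
```

Under the defective loop the two sample passwords expand to identical key words: with a three-character password the cycled key plus its NUL terminator is exactly four bytes, so the 8-bit byte lands at the same offset in every word and the two characters before it are wiped in all eighteen words. With longer passwords the alignment drifts from word to word and the wipe is only partial, which shrinks the effective key material rather than producing a full collision; the corrected loop keeps every byte, and the same pair expands to different words.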
--- Begin Message ---
Hi Luciano,

I contacted upstream about the issue.

On Wednesday 22 June 2011, Luciano Bello wrote:
> The CVE (Common Vulnerabilities & Exposures) CVE-2011-2483 was
> published for php5-suhosin.
> 
> A bug in crypt_blowfish was reported [1,2,3]. The function BF_set_key from
> crypt_blowfish.c:554 looks vulnerable. The RH report may be useful[4] too.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

The broken code is not used since php 5.3 and so this is a theoretical 
vulnerability (in the unused code). As we are shipping php 5.3 with stable, 
this should not be an issue.
Anyways ... the unused code is removed with recent upstream release.

With kind regards, Jan.
-- 
Never write mail to <[email protected]>, you have been warned!
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT d-- s+: a C+++ UL++++ P+ L+++ E--- W+++ N+++ o++ K++ w--- O M V- PS PE Y++
PGP++ t-- 5 X R tv- b+ DI D+ G++ e++ h---- r+++ y++++ 
------END GEEK CODE BLOCK------



--- End Message ---
