Your message dated Sat, 18 Nov 2017 22:19:23 +0000
with message-id <e1egbsn-0005xu...@fasolo.debian.org>
and subject line Bug#879001: fixed in libpam4j 1.4-2+deb8u1
has caused the Debian Bug report #879001,
regarding CVE-2017-12197: libpam4j: Account check bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
879001: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879001
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libpam4j
Version: 1.4-2
Severity: grave
Tags: security

Hi,

the following vulnerability was published for libpam4j.

CVE-2017-12197[0]: libpam4j: Account check bypass

PAM.authentication() does not call pam_acct_mgmt(). As a consequence, the
PAM account is not properly verified. Any user with a valid password but
with deactivated or disabled account is able to log in.

https://bugzilla.redhat.com/show_bug.cgi?id=1503103

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12197
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12197

Please adjust the affected versions in the BTS as needed.



-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

--- End Message ---
--- Begin Message ---
Source: libpam4j
Source-Version: 1.4-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
libpam4j, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated libpam4j package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 07 Nov 2017 13:40:55 +0100
Source: libpam4j
Binary: libpam4j-java libpam4j-java-doc
Architecture: source all
Version: 1.4-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libpam4j-java - Java binding for libpam.so
 libpam4j-java-doc - Documentation for Java binding for libpam.so
Closes: 879001
Changes:
 libpam4j (1.4-2+deb8u1) jessie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-12197 (Closes: #879001):
     It was discovered that libpam4j does not call pam_acct_mgmt().
     As a consequence, the PAM account is not properly
     verified. Any user with a valid password but with deactivated or
     disabled account was able to log in.

--- End Message ---
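
The two PAM phases named in the report and the changelog above, as an added example that is not part of either message and is not libpam or libpam4j code. It is a self-contained C model over constructed accounts; model_authenticate and model_acct_mgmt are hypothetical names standing in for the roles of pam_authenticate() and pam_acct_mgmt(), and the result codes are placeholders, not real PAM values.

```c
/* Added example: a self-contained model, not libpam or libpam4j code. */
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes standing in for PAM return values. */
enum rc { RC_OK, RC_AUTH_ERR, RC_USER_UNKNOWN, RC_ACCT_EXPIRED };

struct account { const char *user, *password; int disabled; };

/* Constructed sample accounts. */
static const struct account ACCOUNTS[] = {
    { "alice", "correct-horse", 0 },
    { "bob",   "hunter2",       1 },  /* valid password, disabled account */
};

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++)
        if (strcmp(ACCOUNTS[i].user, user) == 0) return &ACCOUNTS[i];
    return NULL;
}

/* Authentication phase (role of pam_authenticate): checks the credential only. */
static enum rc model_authenticate(const char *user, const char *pw) {
    const struct account *a = lookup(user);
    if (!a) return RC_USER_UNKNOWN;
    return strcmp(a->password, pw) == 0 ? RC_OK : RC_AUTH_ERR;
}

/* Account phase (role of pam_acct_mgmt): may this account log in right now? */
static enum rc model_acct_mgmt(const char *user) {
    const struct account *a = lookup(user);
    if (!a) return RC_USER_UNKNOWN;
    return a->disabled ? RC_ACCT_EXPIRED : RC_OK;
}

/* Flow described in the report: the account phase is never consulted. */
enum rc login_auth_only(const char *user, const char *pw) {
    return model_authenticate(user, pw);
}

/* Corrected flow: both phases must succeed before the login is accepted. */
enum rc login_checked(const char *user, const char *pw) {
    enum rc rc = model_authenticate(user, pw);
    return rc != RC_OK ? rc : model_acct_mgmt(user);
}

int main(void) {
    printf("bob, auth only: %d\n", login_auth_only("bob", "hunter2"));
    printf("bob, checked:   %d\n", login_checked("bob", "hunter2"));
    return 0;
}
```

A regression test for a PAM wrapper follows the same shape: a disabled or expired test account with a correct password must be rejected.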