Your message dated Sat, 10 Jun 2006 11:02:12 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#366927: fixed in webcalendar 1.0.4-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: webcalendar
Severity: grave
Tags: security sid etch

David Maciejak noticed that webcalendar, a PHP-Based multi-user
calendar, returns different error messages on login attempts for an
invalid password and a non-existing user, allowing remote attackers to
gain information about valid usernames.

The patch for the version in sarge is attached to this mail.

Regards,

        Joey

-- 
It's time to close the windows.

Please always Cc to me when replying to me on the lists.
diff -u webcalendar-0.9.45/debian/changelog webcalendar-0.9.45/debian/changelog
--- webcalendar-0.9.45/debian/changelog
+++ webcalendar-0.9.45/debian/changelog
@@ -1,3 +1,11 @@
+webcalendar (0.9.45-4sarge4) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Unified error messages for unknown users and wrong passwords to
+    prevent an information leak [includes/user.php, CVE-2006-2247]
+
+ -- Martin Schulze <[EMAIL PROTECTED]>  Fri, 12 May 2006 08:10:15 +0200
+
 webcalendar (0.9.45-4sarge3) stable-security; urgency=high
 
   * Fixed multiple security vulnerabilities
only in patch2:
unchanged:
--- webcalendar-0.9.45.orig/includes/user.php
+++ webcalendar-0.9.45/includes/user.php
@@ -41,8 +41,7 @@
       if ( $row[0] == $login )
         $ret = true; // found login/password
       else
-        $error = translate ("Invalid login") . ": " .
-          translate("incorrect password");
+        $error = translate ("Invalid login");
     } else {
       $error = translate ("Invalid login");
       // Could be no such user or bad password
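Review bot: after this change the assignment in the `else` of `if ( $row[0] == $login )` is identical to the one in the outer `else` at the end of the hunk, so every failure path in this block now sets `$error = translate ("Invalid login");`. Hoisting that single assignment above the branch would make the unified behaviour obvious and keep the two strings from drifting apart again in a later edit.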
@@ -53,12 +52,10 @@
         $row = dbi_fetch_row ( $res2 );
         if ( $row && ! empty ( $row[0] ) ) {
           // got a valid username, but wrong password
-          $error = translate ("Invalid login") . ": " .
-            translate("incorrect password" );
+          $error = translate ("Invalid login");
         } else {
           // No such user.
-          $error = translate ("Invalid login") . ": " .
-            translate("no such user" );
+          $error = translate ("Invalid login");
         }
         dbi_free_result ( $res2 );
       }
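Review bot: both branches of `if ( $row && ! empty ( $row[0] ) )` now assign the same string, so the `$res2` lookup that separates an existing user from an unknown one no longer changes the response. Leaving it in keeps a dead branch whose comments ("got a valid username, but wrong password" / "No such user.") still describe a distinction the code no longer exposes, and keeps a database lookup whose result no longer matters but whose cost can still show up as a response-time difference between the two cases. Suggest collapsing the if/else to one assignment and dropping the lookup together with its `dbi_free_result ( $res2 )`.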

--- End Message ---
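As an added example that is not webcalendar's code or part of this report, the login check described above in its message-leaking form beside a hardened one; the hardened form goes one step beyond the patch by also doing the same hashing work whether or not the username exists, so neither the message nor the response time reveals which case occurred. The user table, passwords and function names are constructed for the demonstration.

```php
<?php
// Added example, not webcalendar code: the login check described in the bug
// report in its message-leaking form beside a hardened form. The user table
// below is constructed for the demonstration (hypothetical data).
$USERS = [
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
];

// Leaking form (mirrors the pre-patch behaviour): the message says whether
// the username exists.
function login_leaky(array $users, string $login, string $password): array
{
    if (!isset($users[$login])) {
        return [false, 'Invalid login: no such user'];
    }
    if (!password_verify($password, $users[$login])) {
        return [false, 'Invalid login: incorrect password'];
    }
    return [true, ''];
}

// Hardened form: one message for every failure, and an unknown user is
// verified against a dummy hash so both failure paths do the same hashing
// work and the response time does not reveal which branch ran.
function login_uniform(array $users, string $login, string $password): array
{
    static $dummy = null;
    if ($dummy === null) {
        // Computed once per process; only used to equalise the work done.
        $dummy = password_hash('unused-dummy-password', PASSWORD_DEFAULT);
    }
    $known = isset($users[$login]);
    $hash = $known ? $users[$login] : $dummy;
    // Always run password_verify, then AND with $known so an unknown user
    // can never succeed even if the dummy hash happened to match.
    $ok = password_verify($password, $hash) && $known;
    return [$ok, $ok ? '' : 'Invalid login'];
}

// Same wrong password for a real and an unknown user: the leaky variant
// returns different messages, the uniform variant returns the same one.
foreach ([['alice', 'wrong'], ['bob', 'wrong'], ['alice', 'correct horse']] as [$u, $p]) {
    [$okLeaky, $leak] = login_leaky($USERS, $u, $p);
    [$okSame, $same] = login_uniform($USERS, $u, $p);
    printf("%-6s leaky=[%s] %-32s uniform=[%s] %s\n",
        $u, $okLeaky ? 'ok' : 'no', $leak, $okSame ? 'ok' : 'no', $same);
}
```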
--- Begin Message ---
Source: webcalendar
Source-Version: 1.0.4-1

We believe that the bug you reported is fixed in the latest version of
webcalendar, which is due to be installed in the Debian FTP archive:

webcalendar_1.0.4-1.diff.gz
  to pool/main/w/webcalendar/webcalendar_1.0.4-1.diff.gz
webcalendar_1.0.4-1.dsc
  to pool/main/w/webcalendar/webcalendar_1.0.4-1.dsc
webcalendar_1.0.4-1_all.deb
  to pool/main/w/webcalendar/webcalendar_1.0.4-1_all.deb
webcalendar_1.0.4.orig.tar.gz
  to pool/main/w/webcalendar/webcalendar_1.0.4.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tim Peeler <[EMAIL PROTECTED]> (supplier of updated webcalendar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 10 Jun 2006 08:24:57 -0400
Source: webcalendar
Binary: webcalendar
Architecture: source all
Version: 1.0.4-1
Distribution: unstable
Urgency: high
Maintainer: Tim Peeler <[EMAIL PROTECTED]>
Changed-By: Tim Peeler <[EMAIL PROTECTED]>
Description: 
 webcalendar - PHP-Based multi-user calendar
Closes: 308519 360187 360286 360690 363914 366927
Changes: 
 webcalendar (1.0.4-1) unstable; urgency=high
 .
   * New upstream release (closes: #363914)
   * Upstream release fixes CVE-2006-2762
   * Added French translation from Steve Petruzzello <[EMAIL PROTECTED]> (closes: #360187)
   * Restored dbconfig_oldconf.sh for upgrades from < 1.0.2
   * Fixed dbconfig_oldconf.sh to bail out if settings.php is not found
   * Renamed settings.php to settings.conf as settings.conf is not a php file
   * LDAP admin groups is fixed in upstream (closes: #308519)
   * Added Czech translation from Miroslav Kure <[EMAIL PROTECTED]> (closes: #360286)
   * Previous NMUs fix a couple of problems (closes: #366927) (Closes: #360690)
Files: 
 9fb081949cc8be78a749bd213ce3f3b1 628 web optional webcalendar_1.0.4-1.dsc
 5e4c5968ecf18a2797c3166b3bbe0891 882315 web optional webcalendar_1.0.4.orig.tar.gz
 281985fff6b9eca8c471bf849bc27bd6 17288 web optional webcalendar_1.0.4-1.diff.gz
 159747bf9d9f66297f5985bcb879fb6a 714316 web optional webcalendar_1.0.4-1_all.deb



--- End Message ---
