Your message dated Fri, 07 Jul 2006 11:47:03 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#368804: fixed in ldap-account-manager 1.0.3-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: ldap-account-manager
Version: 1.0.1-1
Severity: critical
Tags: security

If I use the "Invalid Password" option in the "Unix" section of a user,
I get a password of *. This is not invalid. pam_ldap accepts the
password fine and allows the user to log in. Perhaps that means the
fault is with pam_ldap, not sure.

If I try to change an "Invalid Password" to a "Lock password" option
nothing changes, the password remains as "*":

# slapcat
[...]
userPassword:: Kg==
[...]

# echo "Kg==" | mimencode -u | hexdump -C
00000000  2a                                                |*|
00000001

The help for "Invalid password" says this option should make the
password invalid and the "Lock password" says this option should prefix
the password with a "!". Lock password only seems to work if the
password was set to a password that is not "*" beforehand.

I consider this a security issue, as it would be easy to set "Invalid
Password" thinking this makes it impossible to log in to the account,
when in actual fact not only is it possible to log in, but the password
is an easy one. According to
http://www.debian.org/Bugs/Developer#severities

--- cut ---
critical
        makes unrelated software on the system (or the whole system)
        break, or causes serious data loss, or introduces a security
        hole on systems where you install the package.
grave
        makes the package in question unusable or mostly so, or causes
        data loss, or introduces a security hole allowing access to the
        accounts of users who use the package.
--- cut ---

I believe this bug matches the definition of "critical".
--- End Message ---
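To make the distinction in the report concrete, here is an added audit script (an editor's example, not part of the bug report or of ldap-account-manager) that parses slapcat-style LDIF, base64-decodes `::` values such as the report's `Kg==`, and classifies each userPassword as a trivially guessable cleartext value (the `*` case above), other cleartext, a `!`-locked hash, an unmatchable `{CRYPT}` marker, or an ordinary hash. The sample entries are constructed; that a value without a `{SCHEME}` prefix is compared as cleartext on simple bind, and that `{CRYPT}*` or `{CRYPT}!` can never match, are assumptions about OpenLDAP behaviour, not a description of what the 1.0.3 fix did.

```python
import base64
import re

# Constructed slapcat-style LDIF; alice's value is the report's "Kg==" (base64 for "*").
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
userPassword:: Kg==

dn: uid=bob,ou=people,dc=example,dc=org
userPassword: {SSHA}!c2FsdGVkaGFzaA==

dn: uid=carol,ou=people,dc=example,dc=org
userPassword: {SSHA}c2FsdGVkaGFzaA==

dn: uid=dave,ou=people,dc=example,dc=org
userPassword: {CRYPT}*
"""

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)

def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: unfold continuations, split on blank lines, decode '::' base64."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, rest = line.partition(":")
            if rest.startswith(":"):   # '::' marks a base64-encoded value, as in slapcat
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            attrs.setdefault(name, []).append(value)
        entries.append(attrs)
    return entries

def classify(pw: str) -> str:
    """Assumed OpenLDAP semantics: without a {SCHEME} prefix the stored value
    is the cleartext password for simple bind, so "*" is a one-byte password."""
    m = SCHEME_RE.match(pw)
    if m is None:
        return "cleartext-trivial" if pw in ("", "*", "!", "!!") else "cleartext"
    scheme, digest = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT" and digest in ("*", "!"):
        return "invalidated"  # no crypt(3) output equals "*" or "!" (assumption)
    if digest.startswith("!"):
        return "locked"       # the "Lock password" form the report describes
    return "hashed"

def audit(text: str) -> dict:
    return {e["dn"][0]: classify(v) for e in parse_ldif(text) for v in e.get("userPassword", [])}
```

Run `audit` over real `slapcat` output and treat every "cleartext-trivial" verdict as an account that is still loggable despite looking disabled.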
--- Begin Message ---
Source: ldap-account-manager
Source-Version: 1.0.3-1

We believe that the bug you reported is fixed in the latest version of
ldap-account-manager, which is due to be installed in the Debian FTP archive:

ldap-account-manager_1.0.3-1.diff.gz
  to pool/main/l/ldap-account-manager/ldap-account-manager_1.0.3-1.diff.gz
ldap-account-manager_1.0.3-1.dsc
  to pool/main/l/ldap-account-manager/ldap-account-manager_1.0.3-1.dsc
ldap-account-manager_1.0.3-1_all.deb
  to pool/main/l/ldap-account-manager/ldap-account-manager_1.0.3-1_all.deb
ldap-account-manager_1.0.3.orig.tar.gz
  to pool/main/l/ldap-account-manager/ldap-account-manager_1.0.3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Gruber <[EMAIL PROTECTED]> (supplier of updated ldap-account-manager package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Mon,  3 Jul 2006 22:01:54 +0200
Source: ldap-account-manager
Binary: ldap-account-manager
Architecture: source all
Version: 1.0.3-1
Distribution: unstable
Urgency: low
Maintainer: Roland Gruber <[EMAIL PROTECTED]>
Changed-By: Roland Gruber <[EMAIL PROTECTED]>
Description: 
 ldap-account-manager - webfrontend for managing accounts in an LDAP directory
Closes: 368804 368805 368806 373181 375452 375453
Changes: 
 ldap-account-manager (1.0.3-1) unstable; urgency=low
 .
   * Updated to new upstream release.
   * Account expiration date weirdness (Closes: #368806)
   * Incorrect display of password encryption (Closes: #368805)
   * [intl:fr] ldap-account-manager debconf templates translation
     (Closes: #373181)
   * Invalid/Lock password auto reverts (Closes: #375453)
   * Invalid/Lock password options conflict (Closes: #375452)
   * Ack NMU. (Closes: #368804)
Files: 
 b32ccee812d5885824f2ba116e9a001c 651 web extra ldap-account-manager_1.0.3-1.dsc
 6d1ebee537b61a8aae9237cbc4d49747 1544041 web extra ldap-account-manager_1.0.3.orig.tar.gz
 1fce3f60225b38caac94c881435caf3c 15188 web extra ldap-account-manager_1.0.3-1.diff.gz
 9c4e30e8d181cacf96c08a4add0fa7b8 1501504 web extra ldap-account-manager_1.0.3-1_all.deb

--- End Message ---