Your message dated Tue, 07 Nov 2017 13:19:54 +0000
with message-id <e1ec3ng-000fjq...@fasolo.debian.org>
and subject line Bug#879001: fixed in libpam4j 1.4-3
has caused the Debian Bug report #879001,
regarding CVE-2017-12197: libpam4j: Account check bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
879001: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879001
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libpam4j
Version: 1.4-2
Severity: grave
Tags: security

Hi,

the following vulnerability was published for libpam4j.

CVE-2017-12197[0]: libpam4j: Account check bypass

PAM.authentication() does not call pam_acct_mgmt(). As a consequence, the
PAM account is not properly verified. Any user with a valid password but
with deactivated or disabled account is able to log in.

https://bugzilla.redhat.com/show_bug.cgi?id=1503103

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12197
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12197

Please adjust the affected versions in the BTS as needed.



-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

--- End Message ---
--- Begin Message ---
Source: libpam4j
Source-Version: 1.4-3

We believe that the bug you reported is fixed in the latest version of
libpam4j, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated libpam4j package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Nov 2017 13:40:55 +0100
Source: libpam4j
Binary: libpam4j-java libpam4j-java-doc
Architecture: source
Version: 1.4-3
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libpam4j-java - Java binding for libpam.so
 libpam4j-java-doc - Documentation for Java binding for libpam.so
Closes: 879001
Changes:
 libpam4j (1.4-3) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-12197 (Closes: #879001):
     It was discovered that libpam4j does not call pam_acct_mgmt().
     As a consequence, the PAM account is not properly
     verified. Any user with a valid password but with deactivated or
     disabled account was able to log in.
Checksums-Sha1:
 09cf4f00202a0e858f4dab4b5987989bc14c73a6 2260 libpam4j_1.4-3.dsc
 082cf148e4d423e647c598863f02bc375c3ca234 4956 libpam4j_1.4-3.debian.tar.xz
 60496ca22fd92cea6f78a1891fbfc23602edc0ad 16230 libpam4j_1.4-3_amd64.buildinfo
Checksums-Sha256:
 7e0bf2e67bc7320e3983d9c80d581fd118b822951e78c75b7e913f959bf5203b 2260 
libpam4j_1.4-3.dsc
 0b1e66a7958dc008d2eeffff21c98df531fd804c3ff3733e1637051fba8f5b5d 4956 
libpam4j_1.4-3.debian.tar.xz
 f7cada6ddf911f4643cc0f47330da436d29b28650fcba4b3b7a0da61dd90d726 16230 
libpam4j_1.4-3_amd64.buildinfo
Files:
 8ea6b153c05b0193a1413d17fc18dfda 2260 java optional libpam4j_1.4-3.dsc
 e8a77cfa527236beb2c464dd2f827292 4956 java optional 
libpam4j_1.4-3.debian.tar.xz
 350d738fbac170aaa49a3f0431a861fb 16230 java optional 
libpam4j_1.4-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAloBsBNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1Hk1rAP/1kYubmlK59X+ZHfTYTRn8T7peSo3A32fPuk
eVw8tPOFXONWrZnVkWWt+sDGCA4OGAbTXlby0iLFiwrnMB4FyQ/kyvZvF2vBFstE
C79fg6oZg3rZUJqQguNB1JhcMWax/3OKgCsvO0VWGxXaVcXCI2RVT8jik0ObN99s
vTpXfQ10J9fHwYXq/CZ7E0Wx1l3vxBexAwqcrEPJAk060S1KziM4L4l57SDGxTsY
42SY1IsnSlnA42GNcZeV2A6Zi7ATgH0sL1HEeIFvU/zXO0zt8JBAS9N839/NiUVU
uc45q6umpILA2p0l8EFxFsnI79+1fwvUPmU3iQVhjjszEdEs5uA+sMLSeMr04e4r
YzwOggTGCfoKgSglHMdpK1Bhd63H4/in17LSQAYZfeqOxPsYEjWlMBPxqWKvA5AF
HqRj6mxf676mB5NMFCI0V7vcnXP5KKAyMy2jk7bJzdn5laR45FACaAwwLoauAuRE
BTUGRCejQvb1RoKMJ3V0i7HtiCDBSfi1yD8BZLlxFg8EFCBaVEU5pDRTdz/C5MEu
gvFJXP6gCdFYU/Ke0kRKdKUwv4ceZG5jmfmk/+rTdSVAOnRax597s5J4c/Lk3+lN
OvR52erfxXYEes/LftiGmORnlLhy5da/06WB+PwMfgdaSgu3ChDcr8thMtWo2qqO
V4eOBdie
=F+Bf
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to