Your message dated Sun, 12 Nov 2017 15:33:08 +0000
with message-id <e1edufw-000fbd...@fasolo.debian.org>
and subject line Bug#879001: fixed in libpam4j 1.4-2+deb9u1
has caused the Debian Bug report #879001,
regarding CVE-2017-12197: libpam4j: Account check bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
879001: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879001
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libpam4j
Version: 1.4-2
Severity: grave
Tags: security

Hi,

the following vulnerability was published for libpam4j.

CVE-2017-12197[0]: libpam4j: Account check bypass

PAM.authentication() does not call pam_acct_mgmt(). As a consequence, the
PAM account is not properly verified. Any user with a valid password but
with deactivated or disabled account is able to log in.

https://bugzilla.redhat.com/show_bug.cgi?id=1503103

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12197
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12197

Please adjust the affected versions in the BTS as needed.



-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

--- End Message ---
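The flaw reported above, as an added example that is not part of the original message and is not libpam4j or Linux-PAM code: a self-contained C model of the two PAM phases, showing why a successful password check alone admits an expired or disabled account. All function names, return codes, accounts and dates here are constructed for illustration; nothing links against libpam.

```c
#include <stddef.h>
#include <string.h>

/* Model return codes (names echo Linux-PAM; values are local to this example). */
enum { M_SUCCESS = 0, M_AUTH_ERR, M_USER_UNKNOWN, M_ACCT_EXPIRED, M_PERM_DENIED };

/* Constructed account table: password validity and account state are separate facts. */
struct account { const char *user, *password; long expires_day; int locked; };
static const struct account accounts[] = {
    { "alice", "correct-horse", 0,     0 },  /* active, never expires */
    { "bob",   "hunter2",       17000, 0 },  /* expired: day 17000 < TODAY */
    { "carol", "s3cret",        0,     1 },  /* administratively disabled */
};
static const long TODAY = 17482;  /* constructed "current day" counter */

static const struct account *lookup(const char *user) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].user, user) == 0) return &accounts[i];
    return NULL;
}

/* "auth" phase: only proves the caller knows the password (strcmp: model only). */
int model_authenticate(const char *user, const char *password) {
    const struct account *a = lookup(user);
    if (!a) return M_USER_UNKNOWN;
    return strcmp(a->password, password) == 0 ? M_SUCCESS : M_AUTH_ERR;
}

/* "account" phase: decides whether the account may be used right now. */
int model_acct_mgmt(const char *user) {
    const struct account *a = lookup(user);
    if (!a) return M_USER_UNKNOWN;
    if (a->locked) return M_PERM_DENIED;
    if (a->expires_day != 0 && a->expires_day < TODAY) return M_ACCT_EXPIRED;
    return M_SUCCESS;
}

/* Flow as described in the report: the account phase is never consulted. */
int login_without_acct_check(const char *user, const char *password) {
    return model_authenticate(user, password);
}

/* Corrected flow: both phases must succeed; the first failure is returned. */
int login_with_acct_check(const char *user, const char *password) {
    int rc = model_authenticate(user, password);
    if (rc != M_SUCCESS) return rc;
    return model_acct_mgmt(user);
}
```

A regression test for a PAM consumer should include at least one account that has a valid password but fails the account phase, since that is the only case in which the two flows differ.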
--- Begin Message ---
Source: libpam4j
Source-Version: 1.4-2+deb9u1

We believe that the bug you reported is fixed in the latest version of
libpam4j, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 879...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated libpam4j package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 07 Nov 2017 18:22:33 +0100
Source: libpam4j
Binary: libpam4j-java libpam4j-java-doc
Architecture: source all
Version: 1.4-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libpam4j-java - Java binding for libpam.so
 libpam4j-java-doc - Documentation for Java binding for libpam.so
Closes: 879001
Changes:
 libpam4j (1.4-2+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-12197 (Closes: #879001):
     It was discovered that libpam4j does not call pam_acct_mgmt().
     As a consequence, the PAM account is not properly
     verified. Any user with a valid password but with deactivated or
     disabled account was able to log in.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
