Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy
On Sat, Feb 23, 2013 at 01:33:58PM, Adam D. Barratt wrote:
> On Sun, 2013-02-17 at 13:59, Jonathan Wiltshire wrote:
> > On Sun, Feb 17, 2013 at 08:06:36AM +0100, Salvatore Bonaccorso wrote:
> > > Assuming there will be also either a DSA or a pu for pyrad, how should
> > > that be versioned? Traditionally for Squeeze it was +squeeze1, but:
> > [...]
> > Once 1.2-1+deb7u1 reaches wheezy (next 24 hours) we will be able to use
> > 1.2-1+deb6u1 for any hypothetical DSA to slot in between squeeze and wheezy.
>
> Well, there's a 1.2.1+deb6u1 in p-u-NEW. I can't find a p-u request for it
> though...

This is the first I know of it.

-- 
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51

directhex: i have six years of solaris sysadmin experience, from 8-10. i am well qualified to say it is made from bonghits layered on top of bonghits
Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy
Hi

On Sun, Feb 24, 2013 at 06:09:45PM, Jonathan Wiltshire wrote:
> On Sat, Feb 23, 2013 at 01:33:58PM, Adam D. Barratt wrote:
> > On Sun, 2013-02-17 at 13:59, Jonathan Wiltshire wrote:
> > > On Sun, Feb 17, 2013 at 08:06:36AM +0100, Salvatore Bonaccorso wrote:
> > > > Assuming there will be also either a DSA or a pu for pyrad, how should
> > > > that be versioned? Traditionally for Squeeze it was +squeeze1, but:
> > > [...]
> > > Once 1.2-1+deb7u1 reaches wheezy (next 24 hours) we will be able to use
> > > 1.2-1+deb6u1 for any hypothetical DSA to slot in between squeeze and wheezy.
> >
> > Well, there's a 1.2.1+deb6u1 in p-u-NEW. I can't find a p-u request for it
> > though...
>
> This is the first I know of it.

Might be that my reply in #700669 (message #83 [1]) made the confusion. I mentioned there that #700669 was marked as no-dsa and needs to go through a p-u.

@Jeremy: to clarify: I'm not part of the Release Team, so the p-u should have an official request to the release team (preferably as a bug report via the release.debian.org pseudo-package).

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700669#83

@Adam and Jonathan: I will make it clearer in future replies that this needs approval first from the Release Team when I say it was classified no-dsa: could you please prepare an update targeting stable, to go through stable-proposed-updates (in case this was part of the problem).

Regards,
Salvatore

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy
On 02/23/2013 02:33 PM, Adam D. Barratt wrote:
> On Sun, 2013-02-17 at 13:59, Jonathan Wiltshire wrote:
> > Once 1.2-1+deb7u1 reaches wheezy (next 24 hours) we will be able to use
> > 1.2-1+deb6u1 for any hypothetical DSA to slot in between squeeze and wheezy.
>
> Well, there's a 1.2.1+deb6u1 in p-u-NEW. I can't find a p-u request for it
> though...

I have just filed the missing p-u request.

Cheers,
Jeremy
Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy
On Sun, 2013-02-17 at 13:59, Jonathan Wiltshire wrote:
> On Sun, Feb 17, 2013 at 08:06:36AM +0100, Salvatore Bonaccorso wrote:
> > Assuming there will be also either a DSA or a pu for pyrad, how should
> > that be versioned? Traditionally for Squeeze it was +squeeze1, but:
> [...]
> Once 1.2-1+deb7u1 reaches wheezy (next 24 hours) we will be able to use
> 1.2-1+deb6u1 for any hypothetical DSA to slot in between squeeze and wheezy.

Well, there's a 1.2.1+deb6u1 in p-u-NEW. I can't find a p-u request for it though...

Regards,
Adam
Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy
On Sun, Feb 17, 2013 at 08:06:36AM +0100, Salvatore Bonaccorso wrote:
> I was involved in reporting the problem: I noticed now a possible problem
> about the versioning.
>
> Current situation:
>
>  pyrad | 1.2-1        | squeeze    | source
>  pyrad | 1.2-1        | wheezy     | source
>  pyrad | 1.2-1+deb7u1 | wheezy-p-u | source
>  pyrad | 2.0-2        | sid        | source
>
> Assuming there will also be either a DSA or a pu for pyrad, how should
> that be versioned? Traditionally for Squeeze it was +squeeze1, but:
>
> 1.2-1 <= 1.2-1+deb7u1, but 1.2-1+squeeze1 is not smaller than 1.2-1 or
> 1.2-1+deb7u1.

Once 1.2-1+deb7u1 reaches wheezy (next 24 hours) we will be able to use 1.2-1+deb6u1 for any hypothetical DSA to slot in between squeeze and wheezy.

-- 
Jonathan Wiltshire j...@debian.org
Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy
On Sun, Feb 17, 2013 at 08:36:24AM +0100, Jeremy Lainé wrote:
> On 02/17/2013 01:19 AM, Jonathan Wiltshire wrote:
> > It's traditional to seek approval *before* uploading; more so in this
> > case since adding a patch system is a no-no. The change itself is fine,
> > please upload with this only. You will have to bump the version number
> > IIRC.
>
> OK, attached is the resulting debdiff.

Approved, thanks.

-- 
Jonathan Wiltshire j...@debian.org
Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy
Dear release team,

Yesterday the following security vulnerability in the pyrad package was brought to my attention by Salvatore Bonaccorso:

https://security-tracker.debian.org/tracker/CVE-2013-0294

It is tracked in the following bug:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700669

I have uploaded version 1.2-1+deb7u1 targeted at testing-proposed-updates (debdiff attached), as unstable carries a different upstream version.

Could you please let this version into wheezy?

Thanks in advance,
Jeremy

Attachment: pyrad_1.2-1+deb7u1.debdiff
Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy
On Sun, Feb 17, 2013 at 12:16:32AM +0100, Jeremy Lainé wrote:
> Dear release team,
>
> Yesterday the following security vulnerability in the pyrad package was
> brought to my attention by Salvatore Bonaccorso:
>
> https://security-tracker.debian.org/tracker/CVE-2013-0294
>
> It is tracked in the following bug:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700669
>
> I have uploaded version 1.2-1+deb7u1 targeted at testing-proposed-updates
> (debdiff attached), as unstable carries a different upstream version.
>
> Could you please let this version into wheezy?

It's traditional to seek approval *before* uploading; more so in this case since adding a patch system is a no-no. The change itself is fine, please upload with this only. You will have to bump the version number IIRC.

-- 
Jonathan Wiltshire j...@debian.org
Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy
Hi all

On Sun, Feb 17, 2013 at 12:19:00AM, Jonathan Wiltshire wrote:
> On Sun, Feb 17, 2013 at 12:16:32AM +0100, Jeremy Lainé wrote:
> > Dear release team,
> >
> > Yesterday the following security vulnerability in the pyrad package was
> > brought to my attention by Salvatore Bonaccorso:
> >
> > https://security-tracker.debian.org/tracker/CVE-2013-0294
> >
> > It is tracked in the following bug:
> >
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700669
> >
> > I have uploaded version 1.2-1+deb7u1 targeted at testing-proposed-updates
> > (debdiff attached), as unstable carries a different upstream version.
> >
> > Could you please let this version into wheezy?
>
> It's traditional to seek approval *before* uploading; more so in this case
> since adding a patch system is a no-no. The change itself is fine, please
> upload with this only. You will have to bump the version number IIRC.

I was involved in reporting the problem: I noticed now a possible problem about the versioning.

Current situation:

 pyrad | 1.2-1        | squeeze    | source
 pyrad | 1.2-1        | wheezy     | source
 pyrad | 1.2-1+deb7u1 | wheezy-p-u | source
 pyrad | 2.0-2        | sid        | source

Assuming there will also be either a DSA or a pu for pyrad, how should that be versioned? Traditionally for Squeeze it was +squeeze1, but:

1.2-1 <= 1.2-1+deb7u1, but 1.2-1+squeeze1 is not smaller than 1.2-1 or 1.2-1+deb7u1.

Regards,
Salvatore
Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy
On 02/17/2013 01:19 AM, Jonathan Wiltshire wrote:
> It's traditional to seek approval *before* uploading; more so in this case
> since adding a patch system is a no-no. The change itself is fine, please
> upload with this only. You will have to bump the version number IIRC.

OK, attached is the resulting debdiff.

On a sidenote, you might consider updating the following page to make it crystal clear, as I obviously did not get the message:

http://release.debian.org/wheezy/freeze_policy.html

Rule #1: Changing patch systems = Adding or changing patch systems
Rule #2: If in doubt, first contact the release team = Always contact the release team first

Thanks,
Jeremy

diff -u pyrad-1.2/debian/changelog pyrad-1.2/debian/changelog --- pyrad-1.2/debian/changelog +++ pyrad-1.2/debian/changelog @@ -1,3 +1,10 @@ +pyrad (1.2-1+deb7u2) testing-proposed-updates; urgency=high + + * Use a better random number generator to prevent predictable password +hashing and packet IDs (CVE-2013-0294, Closes: #700669). + + -- Jeremy Lainé jeremy.la...@m4x.org Sun, 17 Feb 2013 08:21:08 +0100 + pyrad (1.2-1) unstable; urgency=low * New upstream release (Closes: #532843). only in patch2: unchanged: --- pyrad-1.2.orig/pyrad/packet.py +++ pyrad-1.2/pyrad/packet.py @@ -31,8 +31,11 @@ CoAACK = 44 CoANAK = 45 +# Use cryptographic-safe random generator as provided by the OS. +random_generator = random.SystemRandom() + # Current ID -CurrentID = random.randrange(1, 255) +CurrentID = random_generator.randrange(1, 255) class PacketError(Exception): pass
@@ -219,7 +222,7 @@ data= for i in range(16): -data+=chr(random.randrange(0,256)) +data+=chr(random_generator.randrange(0, 256)) return data CreateAuthenticator=staticmethod(CreateAuthenticator) @@ -234,7 +237,7 @@ :rtype: integer -return random.randrange(0,256) +return random_generator.randrange(0, 256) def ReplyPacket(self):
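Review bot: in the debian/changelog hunk the new entry is versioned 1.2-1+deb7u2 while this bug's title and the first upload both say 1.2-1+deb7u1; since the reupload was requested with only the RNG change, retitle the bug or say in the entry that deb7u1 was superseded, so the version actually approved is unambiguous. The wording "Use a better random number generator" is also less precise than the code: "switch packet IDs and authenticators to random.SystemRandom() (OS entropy)" would let someone reading only the changelog judge the fix.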
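Review bot: in the `@@ -31,8 +31,11 @@` hunk of pyrad/packet.py, `random_generator = random.SystemRandom()` at module level is the right shape (one instance, backed by os.urandom, no extra import needed beyond the `random` the module already uses), but `CurrentID = random_generator.randrange(1, 255)` keeps the old half-open range, so the initial identifier is drawn from 1..254 while `CreateID` further down draws from 0..255. That is pre-existing, not a regression, but if both are meant to cover the same one-octet space, align them; the comment "cryptographic-safe random generator as provided by the OS" would be clearer as "os.urandom-backed".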
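Review bot: in the `@@ -219,7 +222,7 @@` hunk (CreateAuthenticator) the loop still builds the 16-octet Request Authenticator one byte at a time with `chr(random_generator.randrange(0, 256))`; that is correct and is the minimal change the freeze asks for, but note for a later upload that `os.urandom(16)` is what SystemRandom reads from and yields the same 16 bytes in a single call.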
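Review bot: in the `@@ -234,7 +237,7 @@` hunk (CreateID) `random_generator.randrange(0, 256)` covers the full 0..255 identifier space, which differs from the `randrange(1, 255)` used to seed `CurrentID` in the first hunk; worth a one-line comment on which range is intended so the next reader does not "fix" one to match the other without checking how CurrentID is incremented.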
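What the debdiff changes is not the byte layout of anything but the source of randomness: every draw that feeds a packet identifier or the Request Authenticator goes through `random.SystemRandom` (os.urandom) instead of the seedable module-level Mersenne Twister. The block below is an added example written for this page, not pyrad's code and not part of the debdiff: an AST-based audit that lists every call to the module-level `random` functions in a Python source file, which is the check a reviewer can run over a package to find the pattern this CVE fix removes. The `BEFORE` and `AFTER` snippets are constructed to mirror the removed and added lines in the hunks, not copies of the real packet.py; the function name is my own.

```python
import ast

# Module-level random functions that draw from the seedable Mersenne Twister.
# SystemRandom is deliberately absent: it reads os.urandom and is the fix.
WEAK_FUNCS = {
    "random", "randrange", "randint", "getrandbits", "choice", "choices",
    "sample", "shuffle", "uniform", "seed", "Random",
}


def find_weak_random_calls(source, filename="<string>"):
    """Return sorted (line, 'random.<func>') pairs for every call in `source`
    that reaches the module-level PRNG, whether written as random.func(),
    through an alias (import random as r) or through a from-import."""
    tree = ast.parse(source, filename)
    module_aliases = set()   # names bound to the random module itself
    func_aliases = {}        # local name -> random function, from `from random import ...`
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "random":
                    module_aliases.add(alias.asname or "random")
        elif isinstance(node, ast.ImportFrom) and node.module == "random":
            for alias in node.names:
                if alias.name in WEAK_FUNCS:
                    func_aliases[alias.asname or alias.name] = alias.name
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id in module_aliases and func.attr in WEAK_FUNCS):
            findings.append((node.lineno, "random." + func.attr))
        elif isinstance(func, ast.Name) and func.id in func_aliases:
            findings.append((node.lineno, "random." + func_aliases[func.id]))
    return sorted(findings)


# Constructed snippets mirroring the lines the debdiff removes and adds in
# pyrad/packet.py (not the real file; just enough to run the audit on).
BEFORE = """\
import random

CurrentID = random.randrange(1, 255)

class Packet:
    def CreateAuthenticator():
        data = ""
        for i in range(16):
            data += chr(random.randrange(0, 256))
        return data
    CreateAuthenticator = staticmethod(CreateAuthenticator)

    def CreateID(self):
        return random.randrange(0, 256)
"""

AFTER = """\
import random

# Use cryptographic-safe random generator as provided by the OS.
random_generator = random.SystemRandom()

CurrentID = random_generator.randrange(1, 255)

class Packet:
    def CreateAuthenticator():
        data = ""
        for i in range(16):
            data += chr(random_generator.randrange(0, 256))
        return data
    CreateAuthenticator = staticmethod(CreateAuthenticator)

    def CreateID(self):
        return random_generator.randrange(0, 256)
"""

if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER)):
        print(label, find_weak_random_calls(src))
```

The audit flags the three `random.randrange` sites the hunks replace and nothing in the fixed version. It flags `random.Random(...)` at construction, so a seeded instance handed around under another name is caught where it is created rather than where it is used; calls on an object whose origin the scanner cannot see (a parameter, an attribute) are not reported, so treat an empty result as "nothing obvious", not as proof.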