[pkg-eucalyptus-maintainers] [Debian] Re: Bug#608289: Bug#608289: CVE-2010-3905

Steffen Möller steffen_moeller at gmx.de
Fri Dec 31 16:13:25 UTC 2010


1.6.2 is fine, sorry. You could change the password, the system claims success,
but then nothing happened. The "new" password does not work, the old one still does.
So, I was just a bit misled by the first message. I already tried to hack myself
into my account on 2.0.2 on your site but failed :)

Happy new year

Steffen

On 12/31/2010 05:06 PM, Neil Soman wrote:
> Steffen, are you saying that this bug is present in 1.6.2 as well? If
> so, my source is wrong :) I'll verify it.
> 
> Regards,
> neil
> 
> 
> 
> On Dec 31, 2010, at 8:02 AM, "Steffen Möller" <steffen_moeller at gmx.de> wrote:
> 
>> On 12/31/2010 03:45 PM, Charles Plessy wrote:
>>> tag 608289 + moreinfo
>>> thanks
>>>
>>> On Wed, Dec 29, 2010 at 06:35:59PM +0100, Giuseppe Iuculano wrote:
>>>> Package: eucalyptus
>>>> Severity: serious
>>>> Tags: security
>>>>
>>>> CVE-2010-3905[0]:
>>>> | The password reset feature in the administrator interface for
>>>> | Eucalyptus 2.0.0 and 2.0.1 does not perform authentication, which
>>>> | allows remote attackers to gain privileges by sending password reset
>>>> | requests for other users.
>>>
>>> Dear Giuseppe and Eucalyptus packagers,
>>>
>>> Do you know if this bug also affects Eucalyptus 1.6.2? If not, we can close
>>> it, since Debian does not distribute 2.0.0 or 2.0.1, and since I suppose that
>>> we will jump directly to 2.0.2 or later when we upgrade the package.
>>
>> It also works with 1.6. I just tested it. Ouch.
>>
>> Many greetings
>>
>> Steffen
>>



