[Webmin-maintainers] Bug#329742: marked as done (usermin: [CAN-2005-3042] PAM Authentication Bypass Vulnerability)
Debian Bug Tracking System
owner at bugs.debian.org
Sat Sep 24 07:03:15 UTC 2005
Your message dated Fri, 23 Sep 2005 23:02:06 -0700
with message-id <E1EJ36s-0004Tg-00 at spohr.debian.org>
and subject line Bug#329742: fixed in usermin 1.160-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 23 Sep 2005 06:03:26 +0000
From martin at box79162.elkhouse.de Thu Sep 22 23:03:26 2005
Return-path: <martin at box79162.elkhouse.de>
Received: from box79162.elkhouse.de [213.9.79.162]
by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
id 1EIgec-0007Sb-00; Thu, 22 Sep 2005 23:03:26 -0700
Received: by box79162.elkhouse.de (Postfix, from userid 1000)
id 176B41F8474; Fri, 23 Sep 2005 08:02:56 +0200 (CEST)
Date: Fri, 23 Sep 2005 08:02:56 +0200
From: Martin Pitt <mpitt at debian.org>
To: Debian BTS Submit <submit at bugs.debian.org>
Subject: usermin: [CAN-2005-3042] PAM Authentication Bypass Vulnerability
Message-ID: <20050923060255.GH11259 at box79162.elkhouse.de>
Package: usermin
Version: 1.150-1
Severity: critical
Tags: security
Hi!
Usermin has a security bug which allows PAM circumvention. Details at
http://archives.neohapsis.com/archives/bugtraq/2005-09/0257.html
This has been assigned CAN-2005-3042, please see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3042
for more references.
Thanks,
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian Developer http://www.debian.org
---------------------------------------
Received: (at 329742-close) by bugs.debian.org; 24 Sep 2005 06:08:18 +0000
From katie at spohr.debian.org Fri Sep 23 23:08:18 2005
Return-path: <katie at spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
id 1EJ36s-0004Tg-00; Fri, 23 Sep 2005 23:02:06 -0700
From: jaldhar at debian.org (Jaldhar H. Vyas)
To: 329742-close at bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#329742: fixed in usermin 1.160-1
Message-Id: <E1EJ36s-0004Tg-00 at spohr.debian.org>
Sender: Archive Administrator <katie at spohr.debian.org>
Date: Fri, 23 Sep 2005 23:02:06 -0700
Source: usermin
Source-Version: 1.160-1
We believe that the bug you reported is fixed in the latest version of
usermin, which is due to be installed in the Debian FTP archive:
usermin-at_1.160-1_all.deb
to pool/main/u/usermin/usermin-at_1.160-1_all.deb
usermin-changepass_1.160-1_all.deb
to pool/main/u/usermin/usermin-changepass_1.160-1_all.deb
usermin-chfn_1.160-1_all.deb
to pool/main/u/usermin/usermin-chfn_1.160-1_all.deb
usermin-commands_1.160-1_all.deb
to pool/main/u/usermin/usermin-commands_1.160-1_all.deb
usermin-cron_1.160-1_all.deb
to pool/main/u/usermin/usermin-cron_1.160-1_all.deb
usermin-cshrc_1.160-1_all.deb
to pool/main/u/usermin/usermin-cshrc_1.160-1_all.deb
usermin-fetchmail_1.160-1_all.deb
to pool/main/u/usermin/usermin-fetchmail_1.160-1_all.deb
usermin-forward_1.160-1_all.deb
to pool/main/u/usermin/usermin-forward_1.160-1_all.deb
usermin-gnupg_1.160-1_all.deb
to pool/main/u/usermin/usermin-gnupg_1.160-1_all.deb
usermin-htaccess_1.160-1_all.deb
to pool/main/u/usermin/usermin-htaccess_1.160-1_all.deb
usermin-htpasswd_1.160-1_all.deb
to pool/main/u/usermin/usermin-htpasswd_1.160-1_all.deb
usermin-mailbox_1.160-1_all.deb
to pool/main/u/usermin/usermin-mailbox_1.160-1_all.deb
usermin-man_1.160-1_all.deb
to pool/main/u/usermin/usermin-man_1.160-1_all.deb
usermin-mysql_1.160-1_all.deb
to pool/main/u/usermin/usermin-mysql_1.160-1_all.deb
usermin-plan_1.160-1_all.deb
to pool/main/u/usermin/usermin-plan_1.160-1_all.deb
usermin-postgresql_1.160-1_all.deb
to pool/main/u/usermin/usermin-postgresql_1.160-1_all.deb
usermin-proc_1.160-1_all.deb
to pool/main/u/usermin/usermin-proc_1.160-1_all.deb
usermin-procmail_1.160-1_all.deb
to pool/main/u/usermin/usermin-procmail_1.160-1_all.deb
usermin-quota_1.160-1_all.deb
to pool/main/u/usermin/usermin-quota_1.160-1_all.deb
usermin-schedule_1.160-1_all.deb
to pool/main/u/usermin/usermin-schedule_1.160-1_all.deb
usermin-shell_1.160-1_all.deb
to pool/main/u/usermin/usermin-shell_1.160-1_all.deb
usermin-spamassassin_1.160-1_all.deb
to pool/main/u/usermin/usermin-spamassassin_1.160-1_all.deb
usermin-ssh_1.160-1_all.deb
to pool/main/u/usermin/usermin-ssh_1.160-1_all.deb
usermin-tunnel_1.160-1_all.deb
to pool/main/u/usermin/usermin-tunnel_1.160-1_all.deb
usermin-updown_1.160-1_all.deb
to pool/main/u/usermin/usermin-updown_1.160-1_all.deb
usermin-usermount_1.160-1_all.deb
to pool/main/u/usermin/usermin-usermount_1.160-1_all.deb
usermin_1.160-1.diff.gz
to pool/main/u/usermin/usermin_1.160-1.diff.gz
usermin_1.160-1.dsc
to pool/main/u/usermin/usermin_1.160-1.dsc
usermin_1.160-1_all.deb
to pool/main/u/usermin/usermin_1.160-1_all.deb
usermin_1.160.orig.tar.gz
to pool/main/u/usermin/usermin_1.160.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 329742 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jaldhar H. Vyas <jaldhar at debian.org> (supplier of updated usermin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)
Format: 1.7
Date: Sat, 24 Sep 2005 01:53:06 -0400
Source: usermin
Binary: usermin-commands usermin-postgresql usermin-procmail usermin-gnupg usermin-cshrc usermin-mysql usermin-ssh usermin-usermount usermin-tunnel usermin-mailbox usermin-spamassassin usermin-quota usermin-proc usermin-updown usermin-htaccess usermin-schedule usermin-cron usermin-plan usermin usermin-forward usermin-at usermin-chfn usermin-shell usermin-fetchmail usermin-man usermin-htpasswd usermin-changepass
Architecture: source all
Version: 1.160-1
Distribution: unstable
Urgency: high
Maintainer: Debian Webmin maintainers <webmin-maintainers at lists.alioth.debian.org>
Changed-By: Jaldhar H. Vyas <jaldhar at debian.org>
Description:
usermin - a web interface for user tasks
usermin-at - an at(1) module for the usermin web-based administration tool
usermin-changepass - a password module for the usermin web-based administration tool
usermin-chfn - a user details module for the usermin web-based admin tool
usermin-commands - a custom commands module for the usermin web-based admin tool
usermin-cron - a cron module for the usermin web-based administration tool
usermin-cshrc - a .cshrc module for the usermin web-based administration tool
usermin-fetchmail - A fetchmail module for the usermin web-based administration tool
usermin-forward - a .forward module for the usermin web-based administration tool
usermin-gnupg - a GnuPG module for the usermin web-based administration tool
usermin-htaccess - an htaccess config module for the usermin web-based admin tool
usermin-htpasswd - an htpasswd config module for the usermin web-based admin tool
usermin-mailbox - a mailbox module for the usermin web-based administration tool
usermin-man - a man module for the usermin web-based administration tool
usermin-mysql - a mysql module for the usermin web-based administration tool
usermin-plan - a .plan module for the usermin web-based administration tool
usermin-postgresql - a postgresql module for the usermin web-based administration tool
usermin-proc - a process module for the usermin web-based administration tool
usermin-procmail - a procmail module for the usermin web-based administration tool
usermin-quota - a quota module for the usermin web-based administration tool
usermin-schedule - schedule sending emails with the usermin web-based admin tool
usermin-shell - a command shell for the usermin web-based administration tool
usermin-spamassassin - spamassassin module for the usermin web-based administration tool
usermin-ssh - an SSH module for the usermin web-based administration tool
usermin-tunnel - an HTTP tunnel module for the usermin web-based admin tool
usermin-updown - a file transfer module for the usermin web-based admin tool
usermin-usermount - a file system mount module for the usermin web-based admin tool
Closes: 316705 324070 329742
Changes:
usermin (1.160-1) unstable; urgency=high
.
* New upstream version.
* [SECURITY] CAN-2005-3042: miniserv.pl in versions before this one,
when "full PAM conversations" is enabled, allowed remote attackers to
bypass authentication by spoofing session IDs via certain metacharacters
(line feed or carriage return). An immediate upgrade to this
version is advised. (Closes: #329742)
* usermin-quota: added dependency on usermin-usermount (Closes: #316705)
* Vietnamese translation for debconf. (Closes: #324070) Thanks:
Clytie Siddall
Files: