Debian Bug report logs - #353589
CVE-2005-4713 and CVE-2006-0056: remote vulnerabilities


Reported by: Micah Anderson <micah@debian.org>

Date: Sun, 19 Feb 2006 19:03:01 UTC

Severity: serious

Tags: security

Fixed in version pam-mysql/0.6.2-1

Done: Paweł Więcek <coven@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Pawel Wiecek <coven@debian.org>:
Bug#353589; Package libpam-mysql.


Acknowledgement sent to Micah Anderson <micah@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Pawel Wiecek <coven@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Micah Anderson <micah@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2005-4713 and CVE-2006-0056: remote vulnerabilities
Date: Sun, 19 Feb 2006 13:52:29 -0500
Package: libpam-mysql
Severity: important
Tags: security


Hello,

CVE-2005-4713 and CVE-2006-0056 indicate that there are two vulnerabilities in
libpam-mysql. The first is a remote denial of service
vulnerability in the SQL logging facility of libpam-mysql. The second is
a "double-free" vulnerability. These issues allow local *and* remote
attackers to execute arbitrary machine code in the context of the
affected module. Attackers may also crash applications that use the PAM
module, denying service to legitimate users. Applications that execute
the PAM module with superuser privileges will allow attackers to
completely compromise affected computers. 

According to http://www.securityfocus.com/bid/16564 the versions in oldstable
(woody), stable (sarge) and testing/unstable are all vulnerable to this
issue. 

The vendor has released versions 0.6.2 and 0.7pre3 of the affected
package to address these issues.

The official advisory is here:
http://sourceforge.net/forum/forum.php?forum_id=499394

Please mention these CVE ids in any changelog addressing this issue.

Thanks,
Micah

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)



Severity set to `serious'. Request was from Julien Danjou <acid@debian.org> to control@bugs.debian.org.


Reply sent to Paweł Więcek <coven@debian.org>:
You have taken responsibility.


Notification sent to Micah Anderson <micah@debian.org>:
Bug acknowledged by developer.


Message #12 received at 353589-close@bugs.debian.org:

From: Paweł Więcek <coven@debian.org>
To: 353589-close@bugs.debian.org
Subject: Bug#353589: fixed in pam-mysql 0.6.2-1
Date: Fri, 21 Apr 2006 14:33:25 -0700
Source: pam-mysql
Source-Version: 0.6.2-1

We believe that the bug you reported is fixed in the latest version of
pam-mysql, which is due to be installed in the Debian FTP archive:

libpam-mysql_0.6.2-1_i386.deb
  to pool/main/p/pam-mysql/libpam-mysql_0.6.2-1_i386.deb
pam-mysql_0.6.2-1.diff.gz
  to pool/main/p/pam-mysql/pam-mysql_0.6.2-1.diff.gz
pam-mysql_0.6.2-1.dsc
  to pool/main/p/pam-mysql/pam-mysql_0.6.2-1.dsc
pam-mysql_0.6.2.orig.tar.gz
  to pool/main/p/pam-mysql/pam-mysql_0.6.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 353589@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paweł Więcek <coven@debian.org> (supplier of updated pam-mysql package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 21 Apr 2006 07:20:56 +0200
Source: pam-mysql
Binary: libpam-mysql
Architecture: source i386
Version: 0.6.2-1
Distribution: unstable
Urgency: high
Maintainer: Paweł Więcek <coven@debian.org>
Changed-By: Paweł Więcek <coven@debian.org>
Description: 
 libpam-mysql - PAM module allowing authentication from a MySQL server
Closes: 292097 307861 332714 353589 356745
Changes: 
 pam-mysql (0.6.2-1) unstable; urgency=high
 .
   * New upstream version (closes: #332714, #353589, #307861, #292097)
   * Severity high because it fixes critical vulnerabilities (CVE-2005-4713,
     CVE-2006-0056)
   * Rebuilt against libmysqlclient15 (closes: #356745)
   * Updated standards version and debhelper compatibility level
Files: 
 9278c9943ededb5fda67d6f96982a877 608 admin extra pam-mysql_0.6.2-1.dsc
 7f0ffb17c7aefe62ad07beaa6bbbc641 325746 admin extra pam-mysql_0.6.2.orig.tar.gz
 07233bc868556e6917e6ebce49fe9d7a 2481 admin extra pam-mysql_0.6.2-1.diff.gz
 7e7c5e478cd3bf2d1f1c60b40fdf8f35 21488 admin extra libpam-mysql_0.6.2-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFESUYRBOdjEO/Bh4ARAlbAAJ4z/NdKoGjOA/yC/oIaCZgxbd6y+wCdEmXi
oyJgtzZL8o3RUwlAgysZ+Uw=
=8XYB
-----END PGP SIGNATURE-----
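The signed .changes above is what ties the uploaded files to the maintainer: the Files: field records an md5sum and size for each artifact, and the Changes: field is where the reporter asked for the CVE ids to appear. The block below is an added example, not part of Debian's dak or dpkg tooling: a small hand-rolled parser for those two fields, a verifier for a downloaded file against its recorded md5sum and size, and a scan of the changelog text for CVE ids. The embedded CHANGES_TEXT is copied from the upload above; the b'hello' byte string used to exercise the verifier in the usage note is constructed. Verifying the PGP signature itself (which is what actually makes the md5sums trustworthy, since md5 is not collision-resistant) is left to gpg and not reimplemented here.

```python
"""Checks on a Debian .changes file: verify the files it lists against their
recorded md5sum and size, and confirm the changelog names the CVE ids.
Added example with a hand-rolled parser; not Debian's own tooling."""
import hashlib
import re

# The Changes: and Files: fields from the pam-mysql 0.6.2-1 upload.
CHANGES_TEXT = """\
Changes: 
 pam-mysql (0.6.2-1) unstable; urgency=high
 .
   * New upstream version (closes: #332714, #353589, #307861, #292097)
   * Severity high because it fixes critical vulnerabilities (CVE-2005-4713,
     CVE-2006-0056)
   * Rebuilt against libmysqlclient15 (closes: #356745)
   * Updated standards version and debhelper compatibility level
Files: 
 9278c9943ededb5fda67d6f96982a877 608 admin extra pam-mysql_0.6.2-1.dsc
 7f0ffb17c7aefe62ad07beaa6bbbc641 325746 admin extra pam-mysql_0.6.2.orig.tar.gz
 07233bc868556e6917e6ebce49fe9d7a 2481 admin extra pam-mysql_0.6.2-1.diff.gz
 7e7c5e478cd3bf2d1f1c60b40fdf8f35 21488 admin extra libpam-mysql_0.6.2-1_i386.deb
"""

CVE_RE = re.compile(r'CVE-\d{4}-\d{4,}')


def parse_field(changes_text, field):
    """Return the continuation lines of a multi-line field (Files, Changes, ...).

    A field's body is every following line that starts with whitespace; the
    first line without it begins the next field."""
    lines = []
    active = False
    for line in changes_text.splitlines():
        if active:
            if line.startswith((' ', '\t')):
                lines.append(line[1:])
                continue
            break
        if line.split(':', 1)[0] == field:
            active = True
    return lines


def parse_files(changes_text):
    """Map file name -> (md5 hex, size) from the Files: field."""
    files = {}
    for line in parse_field(changes_text, 'Files'):
        parts = line.split()
        if len(parts) != 5:
            raise ValueError('malformed Files: entry: %r' % line)
        md5, size, _section, _priority, name = parts
        files[name] = (md5.lower(), int(size))
    return files


def cves_mentioned(changes_text):
    """Sorted, de-duplicated CVE ids named in the Changes: field."""
    body = '\n'.join(parse_field(changes_text, 'Changes'))
    return sorted(set(CVE_RE.findall(body)))


def verify_bytes(data, expected_md5, expected_size):
    """True when data has exactly the recorded size and md5sum."""
    if len(data) != expected_size:
        return False
    return hashlib.md5(data).hexdigest() == expected_md5.lower()


def verify_file(path, files):
    """Check a downloaded file against the parsed Files: map (False if unlisted)."""
    name = path.rsplit('/', 1)[-1]
    if name not in files:
        return False
    with open(path, 'rb') as f:
        return verify_bytes(f.read(), *files[name])


if __name__ == '__main__':
    listed = parse_files(CHANGES_TEXT)
    print('CVE ids in changelog:', cves_mentioned(CHANGES_TEXT))
    for name, (md5, size) in listed.items():
        print(name, md5, size)
    # Constructed sample: b'hello' against its known md5 and length.
    print(verify_bytes(b'hello', '5d41402abc4b2a76b9719d911017c592', 5))
```

Usage against a real download is verify_file('/path/to/libpam-mysql_0.6.2-1_i386.deb', parse_files(open('pam-mysql_0.6.2-1_i386.changes').read())), after gpg has confirmed the signature on the .changes; the size check is cheap and catches truncated downloads before any hashing happens.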




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 01:49:07 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:54:51 2019; Machine Name: beach