Debian Bug report logs - #849950
freeipa: CVE-2016-9575: Insufficient permission check in certprofile-mod
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>: Bug#849950; Package src:freeipa. (Mon, 02 Jan 2017 15:48:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Mon, 02 Jan 2017 15:48:04 GMT)

Message #5 received at submit@bugs.debian.org:

Source: freeipa
Version: 4.3.2-5
Severity: grave
Tags: upstream security
Justification: user security hole

Hi,

the following vulnerability was published for freeipa. Note that I'm
not too familiar with freeipa, so I just checked source-wise. The code
should be present in ipalib/plugins/certprofile.py, and according to
the Red Hat bug [1] all freeipa versions above 4.2 should be affected.
It contains a patch as well.

CVE-2016-9575[0]:
Insufficient permission check in certprofile-mod

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9575
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9575
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1395311

Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>: Bug#849950; Package src:freeipa. (Mon, 02 Jan 2017 22:45:08 GMT)
Acknowledgement sent to Timo Aaltonen <tjaalton@debian.org>: Extra info received and forwarded to list. Copy sent to Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Mon, 02 Jan 2017 22:45:09 GMT)

Message #12 received at 849950@bugs.debian.org:

On 02.01.2017 17:45, Salvatore Bonaccorso wrote:
> Source: freeipa
> Version: 4.3.2-5
> Severity: grave
> Tags: upstream security
> Justification: user security hole
>
> Hi,
>
> the following vulnerability was published for freeipa. Note that I'm
> not too familiar with freeipa, so I just checked source-wise. The code
> should be present in ipalib/plugins/certprofile.py, and according to
> the Red Hat bug [1] all freeipa versions above 4.2 should be affected.
> It contains a patch as well.

Yes, I'm aware of these recent CVEs but can't test any updates because
tomcat 8.5 broke dogtag-pki. Will need to wait for that to get fixed
first I guess, and then push 4.4.3 out.

--
t
Information forwarded to debian-bugs-dist@lists.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>: Bug#849950; Package src:freeipa. (Tue, 03 Jan 2017 05:54:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Tue, 03 Jan 2017 05:54:03 GMT)

Message #17 received at 849950@bugs.debian.org:

Hello Timo,

On Tue, Jan 03, 2017 at 12:40:10AM +0200, Timo Aaltonen wrote:
> On 02.01.2017 17:45, Salvatore Bonaccorso wrote:
> > Source: freeipa
> > Version: 4.3.2-5
> > Severity: grave
> > Tags: upstream security
> > Justification: user security hole
> >
> > Hi,
> >
> > the following vulnerability was published for freeipa. Note that I'm
> > not too familiar with freeipa, so I just checked source-wise. The code
> > should be present in ipalib/plugins/certprofile.py, and according to
> > the Red Hat bug [1] all freeipa versions above 4.2 should be affected.
> > It contains a patch as well.
>
> Yes, I'm aware of these recent CVEs but can't test any updates because
> tomcat 8.5 broke dogtag-pki. Will need to wait for that to get fixed
> first I guess, and then push 4.4.3 out.

Great, thank you for your quick feedback!

Regards,
Salvatore
Reply sent to Timo Aaltonen <tjaalton@debian.org>: You have taken responsibility. (Mon, 25 Sep 2017 14:15:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Mon, 25 Sep 2017 14:15:03 GMT)

Message #22 received at 849950-done@bugs.debian.org:

fixed 849950 4.4.3-1
thanks

On 03.01.2017 07:51, Salvatore Bonaccorso wrote:
> Hello Timo,
>
> On Tue, Jan 03, 2017 at 12:40:10AM +0200, Timo Aaltonen wrote:
>> On 02.01.2017 17:45, Salvatore Bonaccorso wrote:
>>> Source: freeipa
>>> Version: 4.3.2-5
>>> Severity: grave
>>> Tags: upstream security
>>> Justification: user security hole
>>>
>>> Hi,
>>>
>>> the following vulnerability was published for freeipa. Note that I'm
>>> not too familiar with freeipa, so I just checked source-wise. The code
>>> should be present in ipalib/plugins/certprofile.py, and according to
>>> the Red Hat bug [1] all freeipa versions above 4.2 should be affected.
>>> It contains a patch as well.
>>
>> Yes, I'm aware of these recent CVEs but can't test any updates because
>> tomcat 8.5 broke dogtag-pki. Will need to wait for that to get fixed
>> first I guess, and then push 4.4.3 out.
>
> Great, thank you for your quick feedback!

And this one was fixed in 4.4.3-1 as well.
--
t

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 24 Oct 2017 07:28:44 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 14:47:17 2019; Machine Name: buxtehude