freeipa: CVE-2016-9575: Insufficient permission check in certprofile-mod

Related Vulnerabilities: CVE-2016-9575  

Debian Bug report logs - #849950

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 2 Jan 2017 15:48:01 UTC

Severity: grave

Tags: security, upstream

Found in version freeipa/4.3.2-5

Done: Timo Aaltonen <tjaalton@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://fedorahosted.org/freeipa/ticket/6560



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>:
Bug#849950; Package src:freeipa. (Mon, 02 Jan 2017 15:48:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Mon, 02 Jan 2017 15:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: freeipa: CVE-2016-9575: Insufficient permission check in certprofile-mod
Date: Mon, 02 Jan 2017 16:45:08 +0100

Source: freeipa
Version: 4.3.2-5
Severity: grave
Tags: upstream security
Justification: user security hole

Hi,

the following vulnerability was published for freeipa. Note that I'm
not too familiar with freeipa, so just checked source wise. The code
should be present in ipalib/plugins/certprofile.py, and according to
the Red Hat bug [1] all freeipa versions above 4.2 should be affected.
It contains a patch as well.

CVE-2016-9575[0]:
Insufficient permission check in certprofile-mod

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9575
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9575
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1395311

Regards,
Salvatore



Set Bug forwarded-to-address to 'https://fedorahosted.org/freeipa/ticket/6560'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 02 Jan 2017 16:51:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>:
Bug#849950; Package src:freeipa. (Mon, 02 Jan 2017 22:45:08 GMT)


Acknowledgement sent to Timo Aaltonen <tjaalton@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Mon, 02 Jan 2017 22:45:09 GMT)


Message #12 received at 849950@bugs.debian.org:

From: Timo Aaltonen <tjaalton@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 849950@bugs.debian.org
Subject: Re: [Pkg-freeipa-devel] Bug#849950: freeipa: CVE-2016-9575: Insufficient permission check in certprofile-mod
Date: Tue, 3 Jan 2017 00:40:10 +0200

On 02.01.2017 17:45, Salvatore Bonaccorso wrote:
> Source: freeipa
> Version: 4.3.2-5
> Severity: grave
> Tags: upstream security
> Justification: user security hole
> 
> Hi,
> 
> the following vulnerability was published for freeipa. Note that I'm
> not too familiar with freeipa, so just checked source wise. The code
> should be present in ipalib/plugins/certprofile.py, and according to
> the Red Hat bug [1] all freeipa versions above 4.2 should be affected.
> It contains a patch as well.

Yes, I'm aware of these recent CVEs but can't test any updates because
tomcat 8.5 broke dogtag-pki. Will need to wait for that to get fixed
first I guess, and then push 4.4.3 out.


-- 
t



Information forwarded to debian-bugs-dist@lists.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>:
Bug#849950; Package src:freeipa. (Tue, 03 Jan 2017 05:54:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Tue, 03 Jan 2017 05:54:03 GMT)


Message #17 received at 849950@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Timo Aaltonen <tjaalton@debian.org>
Cc: 849950@bugs.debian.org
Subject: Re: [Pkg-freeipa-devel] Bug#849950: freeipa: CVE-2016-9575: Insufficient permission check in certprofile-mod
Date: Tue, 3 Jan 2017 06:51:05 +0100

Hello Timo,

On Tue, Jan 03, 2017 at 12:40:10AM +0200, Timo Aaltonen wrote:
> On 02.01.2017 17:45, Salvatore Bonaccorso wrote:
> > Source: freeipa
> > Version: 4.3.2-5
> > Severity: grave
> > Tags: upstream security
> > Justification: user security hole
> > 
> > Hi,
> > 
> > the following vulnerability was published for freeipa. Note that I'm
> > not too familiar with freeipa, so just checked source wise. The code
> > should be present in ipalib/plugins/certprofile.py, and according to
> > the Red Hat bug [1] all freeipa versions above 4.2 should be affected.
> > It contains a patch as well.
> 
> Yes, I'm aware of these recent CVEs but can't test any updates because
> tomcat 8.5 broke dogtag-pki. Will need to wait for that to get fixed
> first I guess, and then push 4.4.3 out.

Great, thank you for your quick feedback!

Regards,
Salvatore



Reply sent to Timo Aaltonen <tjaalton@debian.org>:
You have taken responsibility. (Mon, 25 Sep 2017 14:15:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 25 Sep 2017 14:15:03 GMT)


Message #22 received at 849950-done@bugs.debian.org:

From: Timo Aaltonen <tjaalton@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 849950-done@bugs.debian.org
Subject: Re: [Pkg-freeipa-devel] Bug#849950: Bug#849950: freeipa: CVE-2016-9575: Insufficient permission check in certprofile-mod
Date: Mon, 25 Sep 2017 17:10:43 +0300

fixed 849950 4.4.3-1
thanks

On 03.01.2017 07:51, Salvatore Bonaccorso wrote:
> Hello Timo,
> 
> On Tue, Jan 03, 2017 at 12:40:10AM +0200, Timo Aaltonen wrote:
>> On 02.01.2017 17:45, Salvatore Bonaccorso wrote:
>>> Source: freeipa
>>> Version: 4.3.2-5
>>> Severity: grave
>>> Tags: upstream security
>>> Justification: user security hole
>>>
>>> Hi,
>>>
>>> the following vulnerability was published for freeipa. Note that I'm
>>> not too familiar with freeipa, so just checked source wise. The code
>>> should be present in ipalib/plugins/certprofile.py, and according to
>>> the Red Hat bug [1] all freeipa versions above 4.2 should be affected.
>>> It contains a patch as well.
>>
>> Yes, I'm aware of these recent CVEs but can't test any updates because
>> tomcat 8.5 broke dogtag-pki. Will need to wait for that to get fixed
>> first I guess, and then push 4.4.3 out.
> 
> Great, thank you for your quick feedback!

and this one was fixed in 4.4.3-1 as well..

-- 
t



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 24 Oct 2017 07:28:44 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:47:17 2019; Machine Name: buxtehude
