oath-toolkit: CVE-2013-7322: certain one-time-passwords not invalidated correctly

Related Vulnerabilities: CVE-2013-7322  

Debian Bug report logs - #738515

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 10 Feb 2014 06:06:02 UTC

Severity: grave

Tags: security, upstream

Fixed in version oath-toolkit/2.4.1-1

Done: Simon Josefsson <simon@josefsson.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, unknown-package@qa.debian.org:
Bug#738515; Package oath-tookit. (Mon, 10 Feb 2014 06:06:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, unknown-package@qa.debian.org. (Mon, 10 Feb 2014 06:06:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: oath-tookit: CVE-2013-7322: certain one-time-passwords not invalidated correctly
Date: Mon, 10 Feb 2014 07:03:37 +0100
Package: oath-tookit
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for oath-toolkit. It is to
track the issue both in BTS and security tracker.

CVE-2013-7322[0]:
certain one-time-passwords not invalidated correctly

A possible patch is found at [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-7322
[1] http://lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/txtUm85v7Wqcy.txt

Regards,
Salvatore



Bug reassigned from package 'oath-tookit' to 'oath-toolkit'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 10 Feb 2014 06:45:04 GMT)


Changed Bug title to 'oath-toolkit: CVE-2013-7322: certain one-time-passwords not invalidated correctly' from 'oath-tookit: CVE-2013-7322: certain one-time-passwords not invalidated correctly'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 10 Feb 2014 06:45:09 GMT)


Reply sent to Simon Josefsson <simon@josefsson.org>:
You have taken responsibility. (Thu, 11 Sep 2014 15:24:21 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 11 Sep 2014 15:24:21 GMT)


Message #14 received at 738515-close@bugs.debian.org:

From: Simon Josefsson <simon@josefsson.org>
To: 738515-close@bugs.debian.org
Subject: Bug#738515: fixed in oath-toolkit 2.4.1-1
Date: Thu, 11 Sep 2014 15:22:32 +0000
Source: oath-toolkit
Source-Version: 2.4.1-1

We believe that the bug you reported is fixed in the latest version of
oath-toolkit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 738515@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon Josefsson <simon@josefsson.org> (supplier of updated oath-toolkit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 11 Sep 2014 16:38:12 +0200
Source: oath-toolkit
Binary: liboath-dev liboath0 oathtool oath-dbg libpam-oath
Architecture: source
Version: 2.4.1-1
Distribution: unstable
Urgency: low
Maintainer: OATH Toolkit Team <oath-toolkit-help@nongnu.org>
Changed-By: Simon Josefsson <simon@josefsson.org>
Description:
 liboath-dev - Development files for the OATH Toolkit Liboath library
 liboath0   - OATH Toolkit Liboath library
 libpam-oath - OATH Toolkit libpam_oath PAM module
 oath-dbg   - OATH Toolkit debugging symbols
 oathtool   - OATH Toolkit oathtool command line tool
Closes: 738515 744641
Changes:
 oath-toolkit (2.4.1-1) unstable; urgency=low
 .
   * New upstream release.
     - New symbols added.
     - Fixed CVE-2013-7322.  Closes: #738515.
     - Disable PSKC builds until I found a sponsor.
   * Use dh-autoreconf.  Closes: #744641.
   * Bump to Debian Policy version 3.9.5.
   * Add debian/upstream-signing-key.pgp and update watch file.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 07:34:13 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:46:16 2019; Machine Name: buxtehude
