Debian Bug report logs - #594413
CVE-2010-2940: allows null password entry to authenticate against LDAP


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 25 Aug 2010 19:54:14 UTC

Severity: grave

Tags: security

Found in version 0.5.0-0ubuntu1

Fixed in version sssd/1.2.1-4

Done: Petter Reinholdtsen <pere@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Petter Reinholdtsen <pere@debian.org>:
Bug#594413; Package sssd. (Wed, 25 Aug 2010 19:54:16 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Petter Reinholdtsen <pere@debian.org>. (Wed, 25 Aug 2010 19:54:17 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-2940: allows null password entry to authenticate against LDAP
Date: Wed, 25 Aug 2010 21:53:49 +0200
Package: sssd
Severity: grave
Tags: security

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2940 for details
and a patch.

Cheers,
        Moritz


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash




Information forwarded to debian-bugs-dist@lists.debian.org, Petter Reinholdtsen <pere@debian.org>:
Bug#594413; Package sssd. (Wed, 25 Aug 2010 20:18:07 GMT)


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Petter Reinholdtsen <pere@debian.org>. (Wed, 25 Aug 2010 20:18:07 GMT)


Message #10 received at 594413@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: Moritz Muehlenhoff <jmm@debian.org>, 594413@bugs.debian.org
Subject: Re: Bug#594413: CVE-2010-2940: allows null password entry to authenticate against LDAP
Date: Wed, 25 Aug 2010 22:16:25 +0200
found 594413 0.5.0-0ubuntu1
thanks

[Moritz Muehlenhoff]
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2940
> for details and a patch.

Thank you for letting us know.  I'm working on a fixed version in git
now, and will upload to unstable as soon as possible.

Happy hacking,
-- 
Petter Reinholdtsen




Bug Marked as found in versions 0.5.0-0ubuntu1. Request was from Petter Reinholdtsen <pere@hungry.com> to control@bugs.debian.org. (Wed, 25 Aug 2010 20:18:14 GMT)


Reply sent to Petter Reinholdtsen <pere@debian.org>:
You have taken responsibility. (Wed, 25 Aug 2010 22:03:11 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 25 Aug 2010 22:03:11 GMT)


Message #17 received at 594413-close@bugs.debian.org:

From: Petter Reinholdtsen <pere@debian.org>
To: 594413-close@bugs.debian.org
Subject: Bug#594413: fixed in sssd 1.2.1-4
Date: Wed, 25 Aug 2010 22:02:18 +0000
Source: sssd
Source-Version: 1.2.1-4

We believe that the bug you reported is fixed in the latest version of
sssd, which is due to be installed in the Debian FTP archive:

libnss-sss_1.2.1-4_i386.deb
  to main/s/sssd/libnss-sss_1.2.1-4_i386.deb
libpam-sss_1.2.1-4_i386.deb
  to main/s/sssd/libpam-sss_1.2.1-4_i386.deb
python-sss_1.2.1-4_i386.deb
  to main/s/sssd/python-sss_1.2.1-4_i386.deb
sssd_1.2.1-4.diff.gz
  to main/s/sssd/sssd_1.2.1-4.diff.gz
sssd_1.2.1-4.dsc
  to main/s/sssd/sssd_1.2.1-4.dsc
sssd_1.2.1-4_i386.deb
  to main/s/sssd/sssd_1.2.1-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 594413@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <pere@debian.org> (supplier of updated sssd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 25 Aug 2010 22:33:40 +0200
Source: sssd
Binary: sssd libnss-sss libpam-sss python-sss
Architecture: source i386
Version: 1.2.1-4
Distribution: unstable
Urgency: low
Maintainer: Petter Reinholdtsen <pere@debian.org>
Changed-By: Petter Reinholdtsen <pere@debian.org>
Description: 
 libnss-sss - Nss library for the System Security Services Daemon
 libpam-sss - Pam module for the System Security Services Daemon
 python-sss - Pam module for the System Security Services Daemon
 sssd       - System Security Services Daemon
Closes: 594413
Changes: 
 sssd (1.2.1-4) unstable; urgency=low
 .
   * Add patch from Stephen Gallagher to ensure LDAP authentication
     never accept a zero length password (Closes: #594413).  Solves
     CVE-2010-2940.
Checksums-Sha1: 
 6278c8f85d16bab7758118964625f11f36acc479 1576 sssd_1.2.1-4.dsc
 28369ea2a640da6775121f0c0dea1140c26d2a79 13512 sssd_1.2.1-4.diff.gz
 6a57a30d8e6a583a08292ac5a2e42e16e236782c 1534802 sssd_1.2.1-4_i386.deb
 cb77cc29a53590a392fcc115e3651e07e21eb8ed 15710 libnss-sss_1.2.1-4_i386.deb
 bdeff53bd1bb1abded69864db1e62b909b821840 19536 libpam-sss_1.2.1-4_i386.deb
 92f65b3d132101b9878590cd1a8539b68cc8d143 132062 python-sss_1.2.1-4_i386.deb
Checksums-Sha256: 
 fc966523be348bd97875d89a59e2bcc8bbef2ba55a1629c7a27e9c36369646a7 1576 sssd_1.2.1-4.dsc
 551d915a789a73a223d5a250289e03335b548a082449fea1e6249b8f77e556b7 13512 sssd_1.2.1-4.diff.gz
 2131d489767b02f2db5de7f3c9198a28bf1ec1dca0ac9e313cc9fd455f2120ca 1534802 sssd_1.2.1-4_i386.deb
 bda6f3a352bb8d40f8c79c3c0e21e84c9ee382cd49735ca9322d34a60e1bf395 15710 libnss-sss_1.2.1-4_i386.deb
 f5d2e3861458b8da03e8aba3858fd32de3ad6bba7b4dbdda82bf1a3692da9346 19536 libpam-sss_1.2.1-4_i386.deb
 d1594d3506c72e216785e323b771430e0b376bf7714afc8f8b3f7b576eba9e0d 132062 python-sss_1.2.1-4_i386.deb
Files: 
 d14ee012128d444b9f37b325de2139be 1576 utils extra sssd_1.2.1-4.dsc
 9c84bc9acc57835510fb1d326f2dfa0f 13512 utils extra sssd_1.2.1-4.diff.gz
 5955e37647317df78cdaf513d147ab03 1534802 utils extra sssd_1.2.1-4_i386.deb
 18075454ec5a6f6bae49891d7639a83e 15710 utils extra libnss-sss_1.2.1-4_i386.deb
 3c82057462c1797cd47c1b38c64567f8 19536 utils extra libpam-sss_1.2.1-4_i386.deb
 066bad74944582f0565aca2095e04a12 132062 python extra python-sss_1.2.1-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFMdZAU20zMSyow1ykRAtDHAJ0aYzs7Li9MtLvdGvvpoBD8UEXSYACfafsN
DOqZIMxEo2/QL3Pt5zNKAAA=
=SHIn
-----END PGP SIGNATURE-----
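The changelog entry above says the fix makes LDAP authentication "never accept a zero length password". The reason that check has to live on the client side is an LDAP protocol property: RFC 4513 section 5.1 treats a simple bind with a non-empty name and an empty password as an "unauthenticated" bind, which some servers accept (the RFC only says servers SHOULD reject it by default). A client that sends the user's password straight through and equates "bind succeeded" with "password verified" therefore lets anyone authenticate as any user by supplying no password at all. The following is an added example written for this page, not SSSD's code and not Stephen Gallagher's patch; the directory contents, DN layout and function names are constructed for the demonstration. It models the server's three simple-bind cases, then shows the vulnerable client pattern next to the hardened one that refuses zero-length passwords before any bind is sent.

```python
"""Added example (not SSSD's code): why a zero-length password must be
rejected before an LDAP simple bind, and the client-side check that closes
the hole.

RFC 4513 section 5.1 distinguishes three simple-bind cases:
  - empty name, empty password      -> anonymous bind
  - non-empty name, empty password  -> "unauthenticated" bind (section 5.1.2)
  - non-empty name, non-empty pw    -> authenticated bind
The unauthenticated case is the trap: on a server that permits it the bind
does not fail, so a client that treats "bind returned success" as
"password verified" authenticates anyone who submits an empty password.
"""
from dataclasses import dataclass

# Constructed directory for the demo (DN -> password). Not a real deployment.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple",
}


@dataclass
class BindResult:
    success: bool        # what the bind response's resultCode says
    authenticated: bool  # True only when a password was actually verified
    detail: str


def simple_bind(name: str, password: str, allow_unauthenticated: bool) -> BindResult:
    """Minimal model of an LDAP server's simple-bind handling (RFC 4513 s5.1).

    allow_unauthenticated models a server that accepts unauthenticated binds;
    RFC 4513 says servers SHOULD reject them by default, but not all do.
    """
    if name == "" and password == "":
        return BindResult(True, False, "anonymous bind")
    if name != "" and password == "":
        if allow_unauthenticated:
            return BindResult(True, False, "unauthenticated bind accepted")
        return BindResult(False, False, "unwillingToPerform")
    if DIRECTORY.get(name) == password:
        return BindResult(True, True, "authenticated")
    return BindResult(False, False, "invalidCredentials")


def dn_for(user: str) -> str:
    """Assumed DN layout for the demo directory."""
    return f"uid={user},ou=people,dc=example,dc=com"


def auth_vulnerable(user: str, password: str, allow_unauthenticated: bool = True) -> bool:
    """Pre-fix pattern: bind with whatever was typed and trust 'success'.

    With an empty password this becomes an unauthenticated bind, and on a
    permissive server the result is True without any credential check.
    """
    return simple_bind(dn_for(user), password, allow_unauthenticated).success


def auth_fixed(user: str, password: str, allow_unauthenticated: bool = True) -> bool:
    """Post-fix pattern: refuse zero-length passwords before any bind is sent,
    so the server's policy on unauthenticated binds no longer matters."""
    if password is None or len(password) == 0:
        return False
    return simple_bind(dn_for(user), password, allow_unauthenticated).success


if __name__ == "__main__":
    for fn in (auth_vulnerable, auth_fixed):
        print(f"{fn.__name__:16} alice / ''        -> {fn('alice', '')}")
        print(f"{fn.__name__:16} alice / correct   -> "
              f"{fn('alice', 'correct horse battery staple')}")
        print(f"{fn.__name__:16} alice / wrong     -> {fn('alice', 'nope')}")
```

The `allow_unauthenticated` flag is there to make the point that relying on the server to reject unauthenticated binds is not a fix: the same client code is safe against one server and bypassable against the next, which is why the package change puts the length check in the client before the bind.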





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 12 Oct 2010 07:32:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:50:43 2019; Machine Name: buxtehude
