Debian Bug report logs - #870752
389-ds-base: CVE-2017-7551: Locked account provides different return code if password is correct

Related Vulnerabilities: CVE-2017-7551

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 4 Aug 2017 19:03:04 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions 389-ds-base/1.3.6.5-1, 389-ds-base/1.3.5.17-2

Fixed in version 389-ds-base/1.3.6.7-1

Done: Timo Aaltonen <tjaalton@debian.org>

Forwarded to https://pagure.io/389-ds-base/issue/49336



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>: Bug#870752; Package src:389-ds-base. (Fri, 04 Aug 2017 19:03:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>. (Fri, 04 Aug 2017 19:03:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: 389-ds-base: CVE-2017-7551: Locked account provides different return code if password is correct
Date: Fri, 04 Aug 2017 21:01:14 +0200
Source: 389-ds-base
Version: 1.3.5.17-2
Severity: grave
Tags: upstream patch security
Forwarded: https://pagure.io/389-ds-base/issue/49336
Control: found -1 1.3.6.5-1

Hi,

the following vulnerability was published for 389-ds-base.

CVE-2017-7551[0]:
Password brute-force possible for locked account due to different return codes

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7551
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7551
[1] https://pagure.io/389-ds-base/issue/49336

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
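The failure mode named in the report above, as an added illustration that is not 389-ds-base code: a toy bind handler that evaluates the lockout only after the password check lets the result code of a locked account reveal whether a guess was correct, while the fixed ordering answers a locked account with one code either way. The result codes are the standard LDAP values (49 invalidCredentials, 19 constraintViolation); the account model, check ordering and the specific code-to-outcome mapping are assumptions for illustration, not the server's actual logic.

```python
# Added example, not 389-ds-base code: toy bind handlers contrasting a lockout
# check that depends on password correctness with one that does not.
import hashlib
import hmac

INVALID_CREDENTIALS = 49   # LDAP invalidCredentials (RFC 4511)
CONSTRAINT_VIOLATION = 19  # LDAP constraintViolation, assumed here for lockout


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class Account:
    """Constructed account record: salted password hash plus lockout flag."""

    def __init__(self, password: str, locked: bool = False):
        self.salt = b"constructed-salt"
        self.pw_hash = _hash(password, self.salt)
        self.locked = locked
        self.retry_count = 0

    def password_ok(self, candidate: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(candidate, self.salt))


def bind_vulnerable(acct: Account, candidate: str) -> int:
    """Lockout is consulted only after a successful password check, so a
    locked account answers 49 to a wrong password but 19 to the right one."""
    if not acct.password_ok(candidate):
        acct.retry_count += 1
        return INVALID_CREDENTIALS
    if acct.locked:
        return CONSTRAINT_VIOLATION
    return 0


def bind_fixed(acct: Account, candidate: str) -> int:
    """Lockout decides the result before the password outcome can influence
    it; the hash is still computed so timing does not become the new oracle."""
    pw_ok = acct.password_ok(candidate)
    if acct.locked:
        return CONSTRAINT_VIOLATION
    if not pw_ok:
        acct.retry_count += 1
        return INVALID_CREDENTIALS
    return 0


def leaks_password_state(bind, acct: Account) -> bool:
    """True when a locked account's result code differs between a correct and
    an incorrect candidate, i.e. the handler still has the reported flaw."""
    return bind(acct, "correct horse") != bind(acct, "wrong guess")
```

A regression check of this shape, run against a deliberately locked test account, is the kind of test that catches a reintroduction of the bug before release.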



Marked as found in versions 389-ds-base/1.3.6.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 04 Aug 2017 19:03:07 GMT)


Reply sent to Timo Aaltonen <tjaalton@debian.org>: You have taken responsibility. (Tue, 22 Aug 2017 13:51:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 22 Aug 2017 13:51:03 GMT)


Message #12 received at 870752-close@bugs.debian.org:

From: Timo Aaltonen <tjaalton@debian.org>
To: 870752-close@bugs.debian.org
Subject: Bug#870752: fixed in 389-ds-base 1.3.6.7-1
Date: Tue, 22 Aug 2017 13:49:20 +0000
Source: 389-ds-base
Source-Version: 1.3.6.7-1

We believe that the bug you reported is fixed in the latest version of
389-ds-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 870752@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@debian.org> (supplier of updated 389-ds-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 22 Aug 2017 16:30:11 +0300
Source: 389-ds-base
Binary: 389-ds 389-ds-base-libs 389-ds-base-dev 389-ds-base
Architecture: source
Version: 1.3.6.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian 389ds Team <pkg-fedora-ds-maintainers@lists.alioth.debian.org>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Description:
 389-ds     - 389 Directory Server suite - metapackage
 389-ds-base - 389 Directory Server suite - server
 389-ds-base-dev - 389 Directory Server suite - development files
 389-ds-base-libs - 389 Directory Server suite - libraries
Closes: 870752
Changes:
 389-ds-base (1.3.6.7-1) unstable; urgency=medium
 .
   * New upstream release
     - fix CVE-2017-7551 (Closes: #870752)
   * fix-tests.diff: Dropped, fixed upstream.






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:15:13 2019; Machine Name: buxtehude
