Debian Bug report logs -
#895950
freeipa: CVE-2017-12169: Password hash disclosure via 'System: Read Stage Users' permission
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>
:
Bug#895950
; Package src:freeipa
.
(Tue, 17 Apr 2018 18:57:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>
.
(Tue, 17 Apr 2018 18:57:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: freeipa
Version: 4.3.1-1
Severity: normal
Tags: security upstream
Hi,
The following vulnerability was published for freeipa.
CVE-2017-12169[0]:
| It was found that FreeIPA 4.2.0 and later could disclose password
| hashes to users having the 'System: Read Stage Users' permission. A
| remote, authenticated attacker could potentially use this flaw to
| disclose the password hashes belonging to Stage Users. This security
| issue does not result in disclosure of password hashes belonging to
| active standard users. NOTE: some developers feel that this report is
| a suggestion for a design change to Stage User activation, not a
| statement of a vulnerability.
Initially this issue was disputed as beeing valid, was confirmed that
the issue is valid, although as low imapct security flaw.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-12169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12169
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1487697
Regards,
Salvatore
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:57:22 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.