CVE-2009-1629: generates session IDs with predictable random numbers


Debian Bug report logs - #528938


Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Sat, 16 May 2009 14:57:02 UTC

Severity: serious

Tags: help, patch, security

Found in version ajaxterm/0.10-4

Fixed in versions ajaxterm/0.10-5, ajaxterm/0.9-2+etch4, ajaxterm/0.10-2+lenny1

Done: Raphael Geissert <geissert@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Julien Valroff <julien@kirya.net>:
Bug#528938; Package ajaxterm. (Sat, 16 May 2009 14:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Julien Valroff <julien@kirya.net>. (Sat, 16 May 2009 14:57:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-1629: generates session IDs with predictable random numbers
Date: Sat, 16 May 2009 16:52:32 +0200
Package: ajaxterm
Version: 0.10-4
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ajaxterm.

CVE-2009-1629[0]:
| ajaxterm.js in AjaxTerm 0.10 and earlier generates session IDs with
| predictable random numbers based on certain JavaScript functions,
| which makes it easier for remote attackers to (1) hijack a session or
| (2) cause a denial of service (session ID exhaustion) via a
| brute-force attack.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1629
    http://security-tracker.debian.net/tracker/CVE-2009-1629

Cheers,
Giuseppe.





Information forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#528938; Package ajaxterm. (Sun, 17 May 2009 18:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to The Fungi <fungi@yuggoth.org>:
Extra info received and forwarded to list. Copy sent to Julien Valroff <julien@kirya.net>. (Sun, 17 May 2009 18:33:02 GMT) (full text, mbox, link).


Message #10 received at 528938@bugs.debian.org (full text, mbox, reply):

From: The Fungi <fungi@yuggoth.org>
To: 528938@bugs.debian.org
Subject: suggested patch
Date: Sun, 17 May 2009 18:32:02 +0000
Since sid is used as a string, here's a cheap way to increase its
complexity by more than 10^7 without increasing its length, simply
by adding mixed-case letters (this is what I've done on systems
where I use the application and it works fine):


--- /usr/share/ajaxterm/ajaxterm.js	2009-02-17 13:40:43.000000000 +0000
+++ ajaxterm.js	2009-05-17 17:49:30.000000000 +0000
@@ -3,7 +3,17 @@
 	var ie=0;
 	if(window.ActiveXObject)
 		ie=1;
-	var sid=""+Math.round(Math.random()*1000000000);
+
+	// mitigate CVE-2009-1629
+	var sid_arr = ( "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" ).split();
+	var sid_inc = 0;
+	var sid_arr_pos = 0;
+	var sid = "";
+	for (sid_inc = 0 ; sid_inc < 10 ; sid_inc++){
+		sid_arr_pos = RandRange( 0, (sid_arr.length - 1), sid_inc );
+		sid += sid_arr[ sid_arr_pos ];
+	}
+
 	var query0="s="+sid+"&w="+width+"&h="+height;
 	var query1=query0+"&c=1&k=";
 	var buf="";
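Review bot: this hunk cannot run as written: `"0123…xyz".split()` with no separator returns a one-element array holding the whole alphabet, so `sid_arr.length - 1` is 0 and every iteration would append the entire 62-character string, and `RandRange(0, …, sid_inc)` is neither a JavaScript built-in nor defined anywhere in the hunk, so the loop throws a ReferenceError before `sid` is assigned and `query0` is built. Suggested replacement for the two lines: `.split("")` and `sid += sid_arr[Math.floor(Math.random()*sid_arr.length)];`. Note also that the value is still drawn from `Math.random()`, so the change widens the keyspace from 10^9 to 62^10 without changing the predictability of the generator.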


Further complexity can be added by putting additional safe
characters in sid_arr or increasing the iteration cap in the for
loop (thus extending the length of the string). Hope this helps!
-- 
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fungi@yuggoth.org); IRC(fungi@irc.yuggoth.org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi@yuggoth.org);
MUD(fungi@katarsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); }




Information forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#528938; Package ajaxterm. (Sun, 17 May 2009 20:27:02 GMT) (full text, mbox, link).


Acknowledgement sent to The Fungi <fungi@yuggoth.org>:
Extra info received and forwarded to list. Copy sent to Julien Valroff <julien@kirya.net>. (Sun, 17 May 2009 20:27:03 GMT) (full text, mbox, link).


Message #15 received at 528938@bugs.debian.org (full text, mbox, reply):

From: The Fungi <fungi@yuggoth.org>
To: 528938@bugs.debian.org
Subject: Re: suggested patch
Date: Sun, 17 May 2009 20:23:01 +0000
Apologies--my previous message included a broken patch from an
earlier attempt rather than the current one. Here is what I'm
presently using on my systems:


--- /usr/share/ajaxterm/ajaxterm.js	2009-02-17 13:40:43.000000000 +0000
+++ ajaxterm.js	2009-05-17 20:15:16.000000000 +0000
@@ -3,7 +3,16 @@
 	var ie=0;
 	if(window.ActiveXObject)
 		ie=1;
-	var sid=""+Math.round(Math.random()*1000000000);
+
+	// mitigate CVE-2009-1629
+	var sid_arr = (
+		"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+	).split("");
+	var sid = "";
+	for (sid_inc = 0 ; sid_inc < 9 ; sid_inc++){
+		sid += sid_arr[Math.floor(Math.random()*sid_arr.length)];
+	}
+
 	var query0="s="+sid+"&w="+width+"&h="+height;
 	var query1=query0+"&c=1&k=";
 	var buf="";
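Review bot: `sid_inc` is never declared with `var`, so the loop assigns an implicit global; add `var sid_inc;` beside `var sid = "";`. Substantively, the loop still seeds `sid` from `Math.random()`, which is not a cryptographic generator, so the hunk raises the brute-force cost from 10^9 to 62^9 (roughly 30 to 54 bits of keyspace) but does not address predictability, and the ID is still chosen by the client; minting the ID on the server and rejecting any `s=` value the server did not issue is the fix this hunk does not provide.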


Sorry for the confusion!
-- 
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fungi@yuggoth.org); IRC(fungi@irc.yuggoth.org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi@yuggoth.org);
MUD(fungi@katarsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); }




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#528938; Package ajaxterm. (Sat, 27 Jun 2009 16:03:02 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Valroff <julien@kirya.net>:
Extra info received and forwarded to list. (Sat, 27 Jun 2009 16:03:02 GMT) (full text, mbox, link).


Message #20 received at 528938@bugs.debian.org (full text, mbox, reply):

From: Julien Valroff <julien@kirya.net>
To: 528938@bugs.debian.org
Cc: Giuseppe Iuculano <giuseppe@iuculano.it>, The Fungi <fungi@yuggoth.org>, Noah Meyerhans <frodo@morgul.net>
Subject: Re: Bug#528938: suggested patch
Date: Sat, 27 Jun 2009 18:00:32 +0200
Hello,

On Sunday 17 May 2009 at 20:23 +0000, The Fungi wrote:
> Apologies--my previous message included a broken patch from an
> earlier attempt rather than the current one. Here is what I'm
> presently using on my systems:

First, thanks for sending this patch, which is for now the only possible
fix I have seen for this issue.

Unfortunately, the upstream author hasn't answered any of the
numerous mails he has received regarding this security issue; I think,
however, that it is now urgent to fix the Debian package.

> --- /usr/share/ajaxterm/ajaxterm.js	2009-02-17 13:40:43.000000000 +0000
> +++ ajaxterm.js	2009-05-17 20:15:16.000000000 +0000
> @@ -3,7 +3,16 @@
>  	var ie=0;
>  	if(window.ActiveXObject)
>  		ie=1;
> -	var sid=""+Math.round(Math.random()*1000000000);
> +
> +	// mitigate CVE-2009-1629
> +	var sid_arr = (
> +		"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
> +	).split("");
> +	var sid = "";
> +	for (sid_inc = 0 ; sid_inc < 9 ; sid_inc++){
> +		sid += sid_arr[Math.floor(Math.random()*sid_arr.length)];
> +	}
> +
>  	var query0="s="+sid+"&w="+width+"&h="+height;
>  	var query1=query0+"&c=1&k=";
>  	var buf="";

I am not a security expert, and I am not sure I understand how your
patch would make ajaxterm really secure. From what I could read,
Math.random() is said to be inherently insecure.

Would the proposed code add sufficient randomisation to guarantee
ajaxterm security?
As said, I am just trying to understand better before applying the patch
and upload this fix to Debian.

Any comment from the Security team would be welcome!

Cheers,
Julien





Information forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#528938; Package ajaxterm. (Sun, 28 Jun 2009 00:27:05 GMT) (full text, mbox, link).


Acknowledgement sent to The Fungi <fungi@yuggoth.org>:
Extra info received and forwarded to list. Copy sent to Julien Valroff <julien@kirya.net>. (Sun, 28 Jun 2009 00:27:05 GMT) (full text, mbox, link).


Message #25 received at 528938@bugs.debian.org (full text, mbox, reply):

From: The Fungi <fungi@yuggoth.org>
To: Julien Valroff <julien@kirya.net>
Cc: 528938@bugs.debian.org, Giuseppe Iuculano <giuseppe@iuculano.it>, Noah Meyerhans <frodo@morgul.net>
Subject: Re: Bug#528938: suggested patch
Date: Sun, 28 Jun 2009 00:23:30 +0000
On Sat, Jun 27, 2009 at 06:00:32PM +0200, Julien Valroff wrote:
[...]
> I am not a security expert, and I am not sure I understand how
> your patch would make ajaxterm really secure. From what I could
> read, Math.random() is said to be inherently insecure.

Well, the primary concern (according to my reading of the original
report) was that ajaxterm generated very simple IDs, which could be
easily tried in sequence to rapidly hijack existing sessions
(possibly leading to system compromise if in use for shell access).
Having only digits meant the maximum number of unique combinations
of characters was 10 raised to the power of the ID length. Adding
mixed-case letters increased this to 62 raised to the power of the
ID length, which meant a significantly greater number of
possibilities, making it much harder to guess an existing session ID.
As I said in a previous update, increasing the ID length could
provide some improvement here as well.

A secondary concern raised by the report was that sending HTTP
requests with lots and lots of different made-up session IDs could
effectively consume resources on the server, leading to a denial of
service. This would generally be considered a less severe
vulnerability, but one which requires much more effort to mitigate.
The usual solution would be to generate IDs server-side, and have
the application refuse to open sessions for IDs which weren't valid.

> Would the proposed code add sufficient randomisation to guarantee
> ajaxterm security?

There are no measures which guarantee security. Of course, if there
were, many of us would need to find a new line of work. ;)

That being said, I feel that increasing the field which needs to be
enumerated to brute-force a session ID already in use helps improve
the situation with only a trivial modification to the existing code.
As much as I'd rather not see the ajaxterm package dropped from
Debian's archive (because I rely on it as a console-to-HTTP
interface for some chrooted or otherwise neutered applications, not
for such risky things as shell access), I'm not personally willing
to take on the task of becoming its upstream maintainer either.

> As said, I am just trying to understand better before applying the
> patch and upload this fix to Debian.

I'd like to be able to take the time to understand it better as
well, but I generally don't get much opportunity to do more than
fill a few cracks and move on. Hopefully my proposed patch isn't
ineffectual, and doesn't introduce further vulnerabilities due to my
unfamiliarity with other parts of the application.

> Any comment from the Security team would be welcome!

As would I. Admittedly, Javascript is not my strong suit. I browsed
around a little and didn't see any obvious reports that
Math.Random() is itself highly predictable (though this wouldn't
surprise me either). I do agree, however, that my patch does little
more than raise the bar for brute-forcing sessions, and that a
proper fix would get rid of client-generated session IDs all
together.
-- 
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fungi@yuggoth.org); IRC(fungi@irc.yuggoth.org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi@yuggoth.org);
MUD(fungi@katarsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); }




Tags added: help Request was from Julien Valroff <julien@kirya.net> to control@bugs.debian.org. (Sun, 28 Jun 2009 16:18:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#528938; Package ajaxterm. (Fri, 31 Jul 2009 18:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to Julien Valroff <julien@kirya.net>. (Fri, 31 Jul 2009 18:51:04 GMT) (full text, mbox, link).


Message #32 received at 528938@bugs.debian.org (full text, mbox, reply):

From: Thomas Viehmann <tv@beamnet.de>
To: 528938@bugs.debian.org, team@security.debian.org
Subject: possible solutions
Date: Fri, 31 Jul 2009 20:48:45 +0200
Hi Julien,

two quick comments
- is the security team aware that you are waiting on input?
- if you want to compute a session ID in python, the easy way
  is to use ajaxterm.html only as a template, make sure it is not
  cached and pass the (computed and put in the template) session id in
  the instantiation there.

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/
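The server-side design sketched in the two messages above (Fungi's point that the server should issue IDs and refuse ones it did not issue, and Thomas's suggestion to serve ajaxterm.html as an uncached template with a Python-computed ID), as an added example that is not ajaxterm's own code. TEMPLATE, the start() call and the per-client cap are constructed stand-ins; only the `s=...&w=...&h=...` query shape comes from the patch above.

```python
"""Server-issued session IDs for an ajaxterm-style web terminal.

Added example (not ajaxterm's code).  It contrasts the keyspace of the
client-generated IDs discussed in the thread with a design where the Python
process mints IDs from the OS CSPRNG, fills them into the HTML template, and
rejects any update request whose ID it never issued.
"""
import math
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Constructed stand-in for ajaxterm.html used as a template: the server fills
# {{SID}} in before serving, so the client never chooses its own ID.
TEMPLATE = ('<html><head><script src="ajaxterm.js"></script></head>\n'
            '<body onload="start(\'{{SID}}\')"></body></html>')


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Brute-force work, in bits, for an ID of `length` symbols drawn uniformly
    from `alphabet_size` characters: compare 10^9 (original) with 62^9 (patch)."""
    return length * math.log2(alphabet_size)


def new_session_id() -> str:
    """128 bits from the OS CSPRNG as 32 hex characters; Math.random() in the
    browser is never consulted, so cross-site PRNG prediction does not apply."""
    return secrets.token_hex(16)


class SessionBroker:
    """Issues IDs, remembers them, and refuses IDs it did not issue.  A
    per-client cap and a TTL bound the session-exhaustion DoS named in the CVE."""

    def __init__(self, max_per_client: int = 5, ttl: float = 600.0):
        self.sessions = {}            # sid -> (client, created_at)
        self.max_per_client = max_per_client
        self.ttl = ttl

    def _reap(self, now: float) -> None:
        # Drop sessions older than the TTL so abandoned IDs do not pile up.
        expired = [s for s, (_, t0) in self.sessions.items() if now - t0 > self.ttl]
        for s in expired:
            del self.sessions[s]

    def issue(self, client: str, now: Optional[float] = None) -> Optional[str]:
        """Mint a new ID for `client`, or None once its cap is reached."""
        now = time.time() if now is None else now
        self._reap(now)
        active = sum(1 for c, _ in self.sessions.values() if c == client)
        if active >= self.max_per_client:
            return None
        sid = new_session_id()
        self.sessions[sid] = (client, now)
        return sid

    def render_page(self, client: str,
                    now: Optional[float] = None) -> Tuple[int, dict, str]:
        """Serve the template with a fresh server-minted ID and no-store
        caching, so a cached copy of the page cannot replay an old ID."""
        sid = self.issue(client, now)
        headers = {"Cache-Control": "no-store", "Pragma": "no-cache"}
        if sid is None:
            return 429, headers, "too many sessions for this client"
        return 200, headers, TEMPLATE.replace("{{SID}}", sid)

    def handle_update(self, query: str, now: Optional[float] = None) -> int:
        """Validate the s= parameter of a terminal update request.  Unknown or
        expired IDs are rejected before any PTY or session state is allocated."""
        now = time.time() if now is None else now
        self._reap(now)
        sid = parse_qs(query).get("s", [""])[0]
        return 200 if sid in self.sessions else 403
```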




Information forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#528938; Package ajaxterm. (Fri, 31 Jul 2009 18:54:02 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to Julien Valroff <julien@kirya.net>. (Fri, 31 Jul 2009 18:54:02 GMT) (full text, mbox, link).


Message #37 received at 528938@bugs.debian.org (full text, mbox, reply):

From: Thomas Viehmann <tv@beamnet.de>
To: 528938@bugs.debian.org
Subject: one more thing
Date: Fri, 31 Jul 2009 20:51:01 +0200
...as the session id is obviously not persistent, it is not strictly 
necessary to wait for upstream to come up with a solution. If you 
include a debian-specific patch and upstream doesn't like it, you can 
always use the upstream fix in the next version because you don't have 
to worry about compatibility between client and server.

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#528938; Package ajaxterm. (Thu, 06 Aug 2009 06:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Valroff <julien@kirya.net>:
Extra info received and forwarded to list. (Thu, 06 Aug 2009 06:39:04 GMT) (full text, mbox, link).


Message #42 received at 528938@bugs.debian.org (full text, mbox, reply):

From: Julien Valroff <julien@kirya.net>
To: Thomas Viehmann <tv@beamnet.de>, 528938@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#528938: possible solutions
Date: Thu, 06 Aug 2009 08:37:24 +0200
Hi Thomas,

On Friday 31 July 2009 at 20:48 +0200, Thomas Viehmann wrote:
> Hi Julien,
> 
> two quick comments
> - is the security team aware that you are waiting on input?

At least some members were aware, the bug was reported by one of them.
But now, they all are ;)

> - if you want to compute a session ID in python, the easy way
>    is to use ajaxterm.html only as a template, make sure it is not
>    cached and pass the (computed and put in the template) session id in
>    the instantiation there.

I'll check what I can do, but as far as I can see, I will need help on
this.

Cheers,
Julien





Information forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#528938; Package ajaxterm. (Sat, 10 Oct 2009 00:15:02 GMT) (full text, mbox, link).


Message #45 received at 528938@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: 528938@bugs.debian.org
Cc: team@security.debian.org, control@bugs.debian.org
Subject: Re: Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
Date: Fri, 9 Oct 2009 19:13:20 -0500
tag 528938 patch
thanks

Hi,

Taking a look at this long standing security and RC bug, attached is my 
proposed patch for the sid issue.

A 255^255 session id should be good enough.

Cc'ing the stable security team as I would like some input from them.
As mentioned by Florian on IRC there's a bug on some browsers that could let 
other websites predict the sequence of Math.random(). On unstable the 
cryptojs library from stanford could be packaged and used to generate a 
session id with the Fortuna-based PRNG (which is of course not shared between 
websites, therefore safe from the Math.random() attacks), but that can't be 
done on either stable or oldstable.
And FWIW, I think that a larger and more random sid is better than the weak 
and poor one currently being generated.

The patch needs some testing (mostly on the per-user sessions limit part), 
though.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
[ajaxterm-CVE-2009-1629.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Sat, 10 Oct 2009 00:15:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#528938; Package ajaxterm. (Sat, 10 Oct 2009 20:15:09 GMT) (full text, mbox, link).


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Julien Valroff <julien@kirya.net>. (Sat, 10 Oct 2009 20:15:09 GMT) (full text, mbox, link).


Message #52 received at 528938@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>
To: Raphael Geissert <geissert@debian.org>
Cc: 528938@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
Date: Sat, 10 Oct 2009 20:13:56 +0000
* Raphael Geissert:

> Cc'ing the stable security team as I would like some input from them.  As
> mentioned by Florian on IRC there's a bug on some browsers that
> could let other websites predict the sequence of Math.random(). On
> unstable the cryptojs library from stanford could be packaged and
> used to generate a session id with the Fortuna-based PRNG (which is
> of course not shared between websites, therefore safe from the
> Math.random() attacks),

I think it's impossible to generate random numbers which are reasonably
cryptographically strong with pure Javascript code because you lack a
reliable source of entropy.

Can't you get the ID from the server instead?




Information forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#528938; Package ajaxterm. (Sat, 10 Oct 2009 22:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Julien Valroff <julien@kirya.net>. (Sat, 10 Oct 2009 22:06:03 GMT) (full text, mbox, link).


Message #57 received at 528938@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 528938@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
Date: Sat, 10 Oct 2009 16:57:06 -0500
2009/10/10 Florian Weimer <fw@deneb.enyo.de>:
> * Raphael Geissert:
>
>> Cc'ing the stable security team as I would like some input from them.  As
>> mentioned by Florian on IRC there's a bug on some browsers that
>> could let other websites predict the sequence of Math.random(). On
>> unstable the cryptojs library from stanford could be packaged and
>> used to generate a session id with the Fortuna-based PRNG (which is
>> of course not shared between websites, therefore safe from the
>> Math.random() attacks),
>
> I think it's impossible to generate random numbers which are reasonably
> cryptographically strong with pure Javascript code because you lack a
> reliable source of entropy.

The cryptojs library uses mouse movements (at least) as entropy data,
which makes it a very good candidate. The PRNG can not be used until
it has enough entropy data, based on its predictor.

>
> Can't you get the ID from the server instead?
>

It should be possible, yes, but not without modifying many parts of
the code. From the very first time the client connects to the server a
session is started.

My real concern about ajaxterm is that it somewhat eases the
possibility of brute force attacks because none of the policy layers
that are designed to prevent remote brute force attacks are applied.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Information forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#528938; Package ajaxterm. (Sun, 24 Jan 2010 06:33:09 GMT) (full text, mbox, link).


Acknowledgement sent to Kees Cook <kees@debian.org>:
Extra info received and forwarded to list. Copy sent to Julien Valroff <julien@kirya.net>. (Sun, 24 Jan 2010 06:33:09 GMT) (full text, mbox, link).


Message #62 received at 528938@bugs.debian.org (full text, mbox, reply):

From: Kees Cook <kees@debian.org>
To: 528938@bugs.debian.org
Subject: next steps
Date: Sat, 23 Jan 2010 22:32:21 -0800
It sounds like there are two possible solutions to the weak session:

 - improve the session on the client
 - improve the session on the server side

The patch already exists for improving the client side of things.  The
help-needed tag is for the server changes, which is what direction this
seems to have gone.

As upstream hasn't responded, one of three things needs to happen to move
forward on dealing with this RC bug:
 1) develop the changes to generate the session on the server side.
 2) reduce the severity below "serious".
 3) contact the release team to keep blocking ajaxterm from testing and the
    next stable.

What makes the most sense for this bug?

-- 
Kees Cook                                            @debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#528938; Package ajaxterm. (Thu, 28 Jan 2010 15:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Alexander Reichle-Schmehl <tolimar@debian.org>:
Extra info received and forwarded to list. Copy sent to Julien Valroff <julien@kirya.net>. (Thu, 28 Jan 2010 15:21:03 GMT) (full text, mbox, link).


Message #67 received at 528938@bugs.debian.org (full text, mbox, reply):

From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: Kees Cook <kees@debian.org>, 528938@bugs.debian.org
Subject: Re: Bug#528938: next steps
Date: Thu, 28 Jan 2010 16:19:30 +0100
Hi!

* Kees Cook <kees@debian.org> [100124 07:32]:

> What makes the most sense for this bug?

I would propose the following:

1) Clone this bug in a separate important, RFHed "server side needs
adjustment" bug.
2) Upload the current client side solution closing this bug.
3) Hope, that someone can fix the cloned bug ;)


Best Regards,
  Alexander




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#528938; Package ajaxterm. (Thu, 28 Jan 2010 18:06:05 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Valroff <julien@kirya.net>:
Extra info received and forwarded to list. (Thu, 28 Jan 2010 18:06:05 GMT) (full text, mbox, link).


Message #72 received at 528938@bugs.debian.org (full text, mbox, reply):

From: Julien Valroff <julien@kirya.net>
To: Alexander Reichle-Schmehl <tolimar@debian.org>, 528938@bugs.debian.org
Cc: Kees Cook <kees@debian.org>
Subject: Re: Bug#528938: next steps
Date: Thu, 28 Jan 2010 19:03:32 +0100
Hi,

On Thursday 28 January 2010 at 16:19 +0100, Alexander Reichle-Schmehl
wrote:
> Hi!
> 
> * Kees Cook <kees@debian.org> [100124 07:32]:
> 
> > What makes the most sense for this bug?
> 
> I would propose the following:
> 
> 1) Clone this bug in a separate important, RFHed "server side needs
> adjustment" bug.
> 2) Upload the current client side solution closing this bug.
> 3) Hope, that someone can fix the cloned bug ;)

Would that be an acceptable solution as far as security is concerned?

I really would like to be able to close this bug, but not if security is
lowered.

Thanks for your advice
Cheers,
Julien





Information forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#528938; Package ajaxterm. (Sat, 06 Feb 2010 07:09:03 GMT) (full text, mbox, link).


Message #75 received at 528938@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: 528938@bugs.debian.org
Subject: Re: Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
Date: Sat, 6 Feb 2010 01:04:49 -0600
Hi,

I plan to release a DSA fixing this issue with the attached patch.
Please upload a new version to sid containing the fix.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
[CVE-2009-1629.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#528938; Package ajaxterm. (Sat, 06 Feb 2010 07:21:06 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Valroff <julien@kirya.net>:
Extra info received and forwarded to list. (Sat, 06 Feb 2010 07:21:06 GMT) (full text, mbox, link).


Message #80 received at 528938@bugs.debian.org (full text, mbox, reply):

From: Julien Valroff <julien@kirya.net>
To: Raphael Geissert <geissert@debian.org>, 528938@bugs.debian.org
Subject: Re: Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
Date: Sat, 06 Feb 2010 08:19:06 +0100
Hi Raphael,

On Saturday 06 February 2010 at 01:04 -0600, Raphael Geissert wrote:
> Hi,
> 
> I plan to release a DSA fixing this issue with the attached patch.
> Please upload a new version to sid containing the fix.

I'll work on this today. Thanks a lot for your work!

Should I upload a version with the only change being this fix, or can I
also introduce other changes which I have planned?

What about security fixes for Lenny, should I prepare a package and
upload it somewhere?

Cheers,
Julien





Information forwarded to debian-bugs-dist@lists.debian.org, Julien Valroff <julien@kirya.net>:
Bug#528938; Package ajaxterm. (Sat, 06 Feb 2010 07:39:06 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Geissert <geissert@debian.org>:
Extra info received and forwarded to list. Copy sent to Julien Valroff <julien@kirya.net>. (Sat, 06 Feb 2010 07:39:06 GMT) (full text, mbox, link).


Message #85 received at 528938@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: 528938@bugs.debian.org
Subject: Re: Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
Date: Sat, 6 Feb 2010 01:25:18 -0600
Hi Julien,

On 6 February 2010 01:19, Julien Valroff <julien@kirya.net> wrote:
> Hi Raphael,
>
> On Saturday 06 February 2010 at 01:04 -0600, Raphael Geissert wrote:
>> Hi,
>>
>> I plan to release a DSA fixing this issue with the attached patch.
>> Please upload a new version to sid containing the fix.
>
> I'll work on this today. Thanks a lot for your work!
>
> Should I upload a version with the only change being this fix, or can I
> also introduce other changes which I have planned?

You can upload whatever other change you want (well, not "whatever",
but you get it :).

>
> What about security fixes for Lenny, should I prepare a package and
> upload it somewhere?
>

There's no need, I've already prepared the packages and will release
them later today.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#528938; Package ajaxterm. (Sat, 06 Feb 2010 07:54:03 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Valroff <julien@kirya.net>:
Extra info received and forwarded to list. (Sat, 06 Feb 2010 07:54:03 GMT) (full text, mbox, link).


Message #90 received at 528938@bugs.debian.org (full text, mbox, reply):

From: Julien Valroff <julien@kirya.net>
To: Raphael Geissert <geissert@debian.org>, 528938@bugs.debian.org
Subject: Re: Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
Date: Sat, 06 Feb 2010 08:52:19 +0100
On Saturday 06 February 2010 at 01:25 -0600, Raphael Geissert wrote:
> Hi Julien,
> 
> On 6 February 2010 01:19, Julien Valroff <julien@kirya.net> wrote:
> > Hi Raphael,
> >
> > On Saturday 06 February 2010 at 01:04 -0600, Raphael Geissert wrote:
> >> Hi,
> >>
> >> I plan to release a DSA fixing this issue with the attached patch.
> >> Please upload a new version to sid containing the fix.
> >
> > I'll work on this today. Thanks a lot for your work!
> >
> > Should I upload a version with the only change being this fix, or can I
> > also introduce other changes which I have planned?
> 
> You can upload whatever other change you want (well, not "whatever",
> but you get it :).

Ok, I will prepare a new package ASAP

> >
> > What about security fixes for Lenny, should I prepare a package and
> > upload it somewhere?
> >
> 
> There's no need, I've already prepared the packages and will release
> them later today.

Great, I am happy to see this bug at last (about to be) closed!

Cheers,
Julien





Reply sent to Julien Valroff <julien@kirya.net>:
You have taken responsibility. (Sat, 06 Feb 2010 09:39:24 GMT) (full text, mbox, link).


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sat, 06 Feb 2010 09:39:24 GMT) (full text, mbox, link).


Message #95 received at 528938-close@bugs.debian.org (full text, mbox, reply):

From: Julien Valroff <julien@kirya.net>
To: 528938-close@bugs.debian.org
Subject: Bug#528938: fixed in ajaxterm 0.10-5
Date: Sat, 06 Feb 2010 09:32:53 +0000
Source: ajaxterm
Source-Version: 0.10-5

We believe that the bug you reported is fixed in the latest version of
ajaxterm, which is due to be installed in the Debian FTP archive:

ajaxterm_0.10-5.debian.tar.gz
  to main/a/ajaxterm/ajaxterm_0.10-5.debian.tar.gz
ajaxterm_0.10-5.dsc
  to main/a/ajaxterm/ajaxterm_0.10-5.dsc
ajaxterm_0.10-5_all.deb
  to main/a/ajaxterm/ajaxterm_0.10-5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528938@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Valroff <julien@kirya.net> (supplier of updated ajaxterm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 06 Feb 2010 09:57:33 +0100
Source: ajaxterm
Binary: ajaxterm
Architecture: source all
Version: 0.10-5
Distribution: unstable
Urgency: low
Maintainer: Julien Valroff <julien@kirya.net>
Changed-By: Julien Valroff <julien@kirya.net>
Description: 
 ajaxterm   - Web based terminal written in Python
Closes: 515987 528208 528938 531165 541850 568372
Changes: 
 ajaxterm (0.10-5) unstable; urgency=low
 .
   * Make use of python-support >= 0.6
   * Updated to new policy 3.8.4 (no changes needed)
   * Bumped debhelper compat to 7
   * Removed useless lintian override
   * Updated Debian packaging copyright
   * Added $AJAXTERM_UID in default file, allowing the user running
     ajaxterm to be changed (Closes: #531165)
   * Make use of start-stop-daemon --group option to also allow changing the
     GID (Closes: #528208)
   * Updated README.Debian
   * Added patch from Berki Lukács T. <blt@shin.hu>:
     + Make it work with Chrome and possibly other Webkit-based browsers
     + Returns Connection: keep-alive and Content-Length HTTP headers to
       avoid doing a complete SSL handshake on every keystroke and screen update
     + Added a reaper thread to kill off disconnected sessions
     + Sends SIGHUP rather than SIGTERM on end of session
     + Threaded mode is default
   * CVE-2009-1629: ajaxterm generated session IDs with predictable random
     numbers - thanks to Raphael Geissert <geissert@debian.org> (Closes: #528938)
   * Added configuration file allowing to set terminal size (Closes: #515987)
   * Fixed typo in copyright file - license for sarissa* files is now correct
   * Added patch from Sergej Pupykin <ps@lx-ltd.ru> to switch ajaxterm from
     Latin-1 to UTF-8 encoding (Closes: #541850)
   * Use start-stop-daemon return code in the init script
   * Removed sleep call when restarting ajaxterm daemon
   * Added patch to display hostname in login prompt
   * Fixed manpage to make lintian happy
   * Switched to GIT - updated VCS-* fields accordingly
   * Converted package to dh minimal rules files
   * Switched to 3.0 (quilt) source format
   * Removed pyversions file and use XS-Python-Version field instead
   * Build-depend on python rather than on python-dev
   * Fixed issue in sarissa with Firefox/Iceweasel 3.6 (Closes: #568372)
Checksums-Sha1: 
 48bdc3acca9d96f32e87b7b8b02059b44c5e3d67 1256 ajaxterm_0.10-5.dsc
 6ef1283e7009236f8b102e685a2574328a332fac 16642 ajaxterm_0.10-5.debian.tar.gz
 170e10dc842c74103fb306515fc30373f0edc81d 43862 ajaxterm_0.10-5_all.deb
Checksums-Sha256: 
 41b92ff981914f44d760888258ceb7c7f37a919fd4055a9674f1491ac0fda6a0 1256 ajaxterm_0.10-5.dsc
 7461c253f5455686ecf4e3e2e8e33c8193e4e9d950f4a6a705093d6fdf35c214 16642 ajaxterm_0.10-5.debian.tar.gz
 9cdd8a0a0db4fc1449e5f78ece9bf5664c14a49ecc21ecd89f88dfae60c05b06 43862 ajaxterm_0.10-5_all.deb
Files: 
 0cdad64b1c095bcb551f628bc6fdc7a4 1256 web optional ajaxterm_0.10-5.dsc
 bdf22cac3ec5f1667e074b7463cd01c4 16642 web optional ajaxterm_0.10-5.debian.tar.gz
 3d399bf4ce955475d4c837df05357745 43862 web optional ajaxterm_0.10-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkttMx0ACgkQIQvyq59x1EkEdACgzYwnly5dEggYeQ9M9MG7c3cP
Te4AoJ691oMqDTp21USUNQB+prg0Q1rH
=gKir
-----END PGP SIGNATURE-----
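As an added illustration of the class of bug the changelog entry above refers to (this is example code written for this page, not the Debian patch and not ajaxterm's own code, which the page does not show), the following Python contrasts a session ID derived from a wall-clock-seeded PRNG, standing in for the predictable client-side generator, with a server-issued ID from the OS CSPRNG, and shows the seed search an attacker would run against the weak one. The generator, the two session-table classes and the 300-second uncertainty window are assumptions made for the demonstration.

```python
# Added example for CVE-2009-1629 style weak session IDs.  Not the ajaxterm
# patch: the generators, tables and window below are assumptions for the demo.
import random
import secrets
import time
from typing import Dict, Optional

SEED_WINDOW = 300  # assumed attacker uncertainty about creation time (seconds)


def weak_session_id(seed_time: int) -> str:
    """Model of the vulnerable scheme: a PRNG seeded from the wall clock at
    second resolution.  64 bits of output, but only a few hundred plausible
    seeds inside a five-minute window, so the ID is guessable."""
    rng = random.Random(seed_time)
    return "%08x%08x" % (rng.getrandbits(32), rng.getrandbits(32))


def recover_weak_seed(observed: str, approx_time: int,
                      window: int = SEED_WINDOW) -> Optional[int]:
    """Attacker side: replay the generator for every second in the window
    until the observed ID is reproduced.  At most 2*window+1 trials."""
    for t in range(approx_time - window, approx_time + window + 1):
        if weak_session_id(t) == observed:
            return t
    return None


def strong_session_id(nbytes: int = 32) -> str:
    """Fixed scheme: 256 bits from the OS CSPRNG, minted by the server."""
    return secrets.token_hex(nbytes)


class VulnerableSessionTable:
    """Trusts whatever ID the browser presents and creates a session for an
    unknown one (hypothetical model of the pre-fix behaviour): an attacker
    can predict or simply choose the victim's ID."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def session_for(self, client_sid: str) -> dict:
        return self.sessions.setdefault(client_sid, {"created": time.time()})


class FixedSessionTable:
    """Only the server mints IDs; an unknown client-supplied ID is rejected
    instead of auto-created, so neither prediction nor fixation works."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def new_session(self) -> str:
        sid = strong_session_id()
        self.sessions[sid] = {"created": time.time()}
        return sid

    def session_for(self, client_sid: str) -> Optional[dict]:
        return self.sessions.get(client_sid)


if __name__ == "__main__":
    created = int(time.time())
    victim = weak_session_id(created)
    # The attacker only knows the session started "a minute or two ago".
    print("weak id:", victim, "seed recovered:",
          recover_weak_seed(victim, created + 90) == created)
    print("strong id:", strong_session_id())
```

The point is less the PRNG than the trust boundary: if the browser picks the ID, the server is accepting an attacker-controllable value as an authenticator, so the fix is to mint the ID on the server from a CSPRNG and refuse IDs it did not issue.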





Added tag(s) pending. Request was from Julien Valroff <julien@kirya.net> to control@bugs.debian.org. (Sat, 06 Feb 2010 14:24:06 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#528938; Package ajaxterm. (Sat, 06 Feb 2010 14:39:02 GMT) (full text, mbox, link).


Acknowledgement sent to Julien Valroff <julien@kirya.net>:
Extra info received and forwarded to list. (Sat, 06 Feb 2010 14:39:02 GMT) (full text, mbox, link).


Message #102 received at 528938@bugs.debian.org (full text, mbox, reply):

From: Julien Valroff <julien@kirya.net>
To: Raphael Geissert <geissert@debian.org>
Cc: 528938@bugs.debian.org
Subject: Re: Bug#528938: CVE-2009-1629: generates session IDs with predictable random numbers
Date: Sat, 06 Feb 2010 15:37:41 +0100
On Saturday 06 February 2010 at 08:52 +0100, Julien Valroff wrote:
> On Saturday 06 February 2010 at 01:25 -0600, Raphael Geissert wrote:
> > Hi Julien,
> > 
> > On 6 February 2010 01:19, Julien Valroff <julien@kirya.net> wrote:
> > > Hi Raphael,
> > >
> > > On Saturday 06 February 2010 at 01:04 -0600, Raphael Geissert wrote:
> > >> Hi,
> > >>
> > >> I plan to release a DSA fixing this issue with the attached patch.
> > >> Please upload a new version to sid containing the fix.
> > >
> > > I'll work on this today. Thanks a lot for your work!
> > >
> > > Should I upload a version with the only change being this fix, or can I
> > > also introduce other changes which I have planned?
> > 
> > You can upload whatever other change you want (well, not "whatever",
> > but you get it :).
> 
> Ok, I will prepare a new package ASAP
> 
> > >
> > > What about security fixes for Lenny, should I prepare a package and
> > > upload it somewhere?
> > >
> > 
> > There's no need, I've already prepared the packages and will release
> > them later today.
> 
> Great, I am happy to see this bug at last (about to be) closed!

It is now closed, I have uploaded a package containing your fix to
unstable.

Thanks again for your great help!

Cheers,
Julien





Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Fri, 12 Feb 2010 01:57:06 GMT) (full text, mbox, link).


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Fri, 12 Feb 2010 01:57:06 GMT) (full text, mbox, link).


Message #107 received at 528938-close@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: 528938-close@bugs.debian.org
Subject: Bug#528938: fixed in ajaxterm 0.9-2+etch4
Date: Fri, 12 Feb 2010 01:52:43 +0000
Source: ajaxterm
Source-Version: 0.9-2+etch4

We believe that the bug you reported is fixed in the latest version of
ajaxterm, which is due to be installed in the Debian FTP archive:

ajaxterm_0.9-2+etch4.diff.gz
  to main/a/ajaxterm/ajaxterm_0.9-2+etch4.diff.gz
ajaxterm_0.9-2+etch4.dsc
  to main/a/ajaxterm/ajaxterm_0.9-2+etch4.dsc
ajaxterm_0.9-2+etch4_all.deb
  to main/a/ajaxterm/ajaxterm_0.9-2+etch4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528938@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <geissert@debian.org> (supplier of updated ajaxterm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 06 Feb 2010 01:46:51 -0600
Source: ajaxterm
Binary: ajaxterm
Architecture: source all
Version: 0.9-2+etch4
Distribution: oldstable-security
Urgency: high
Maintainer: Julien Valroff <julien@kirya.net>
Changed-By: Raphael Geissert <geissert@debian.org>
Description: 
 ajaxterm   - Web based terminal written in Python
Closes: 528938
Changes: 
 ajaxterm (0.9-2+etch4) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2009-1629: session IDs are weak and predictable (Closes: #528938)
Files: 
 4e0e8803297516dd65e13e10836b7700 690 web optional ajaxterm_0.9-2+etch4.dsc
 9e48eae37beb62df3f91460b7fe352e0 33751 web optional ajaxterm_0.9.orig.tar.gz
 30e20eb2a1a452f9e2711619d3386155 6479 web optional ajaxterm_0.9-2+etch4.diff.gz
 4c63417d3dfe2aa14c115042c10cdb97 40490 web optional ajaxterm_0.9-2+etch4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkttIv4ACgkQYy49rUbZzlqh5wCfa12gJu4zp0mhgdC+SE2zztXz
4ugAnAg32keDqao1pOfhKQsuVDi7nvqM
=4Lng
-----END PGP SIGNATURE-----





Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Fri, 12 Feb 2010 01:57:08 GMT) (full text, mbox, link).


Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Fri, 12 Feb 2010 01:57:09 GMT) (full text, mbox, link).


Message #112 received at 528938-close@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <geissert@debian.org>
To: 528938-close@bugs.debian.org
Subject: Bug#528938: fixed in ajaxterm 0.10-2+lenny1
Date: Fri, 12 Feb 2010 01:52:52 +0000
Source: ajaxterm
Source-Version: 0.10-2+lenny1

We believe that the bug you reported is fixed in the latest version of
ajaxterm, which is due to be installed in the Debian FTP archive:

ajaxterm_0.10-2+lenny1.diff.gz
  to main/a/ajaxterm/ajaxterm_0.10-2+lenny1.diff.gz
ajaxterm_0.10-2+lenny1.dsc
  to main/a/ajaxterm/ajaxterm_0.10-2+lenny1.dsc
ajaxterm_0.10-2+lenny1_all.deb
  to main/a/ajaxterm/ajaxterm_0.10-2+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528938@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <geissert@debian.org> (supplier of updated ajaxterm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 06 Feb 2010 01:50:47 -0600
Source: ajaxterm
Binary: ajaxterm
Architecture: source all
Version: 0.10-2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Julien Valroff <julien@kirya.net>
Changed-By: Raphael Geissert <geissert@debian.org>
Description: 
 ajaxterm   - Web based terminal written in Python
Closes: 528938
Changes: 
 ajaxterm (0.10-2+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2009-1629: session IDs are weak and predictable (Closes: #528938)
Checksums-Sha1: 
 c1dcb7b9b72306485827045bad2111b854a4c3ec 1275 ajaxterm_0.10-2+lenny1.dsc
 c262ee115150f3d912b1040638b76fe0113668a4 34372 ajaxterm_0.10.orig.tar.gz
 224c15951cadcc112a304b600c5aa09903de7c6a 8309 ajaxterm_0.10-2+lenny1.diff.gz
 4cce4924fdb0419fec70f961aaf88f61956f7e9f 41606 ajaxterm_0.10-2+lenny1_all.deb
Checksums-Sha256: 
 c677fa77be7709346375d7b63779b0791d1480697c58739ddfdf7d73247d5cae 1275 ajaxterm_0.10-2+lenny1.dsc
 71a1dcfd731e56985348b263c16b0506c1c1bda148fb3093db776c42f58a969c 34372 ajaxterm_0.10.orig.tar.gz
 f6c6d5617c52040ab9d95bbc3ba0ed55368ec89fae48c324e5f6e240f51dbb38 8309 ajaxterm_0.10-2+lenny1.diff.gz
 214be7b5bfd96a90505397cc400cb4841c4851e5583385ccdf9fb9a81bdc523b 41606 ajaxterm_0.10-2+lenny1_all.deb
Files: 
 dac2c51d75700af66248358265c77897 1275 web optional ajaxterm_0.10-2+lenny1.dsc
 b10830a7a81d2a4c9f8815510dafb87a 34372 web optional ajaxterm_0.10.orig.tar.gz
 63860e0b5b279d0fe92012abef36628e 8309 web optional ajaxterm_0.10-2+lenny1.diff.gz
 287e8220fce3fc0b673ed6f392094b71 41606 web optional ajaxterm_0.10-2+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkttISsACgkQYy49rUbZzlpL/ACfer9BJDMzC31WNRcJftWMMsaO
Gi8An3C05PxEO8ahXyVPIIjZ+M5+6i2P
=hW/w
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 12 Mar 2010 07:33:26 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:26:25 2019; Machine Name: beach
