Debian Bug report logs - #893690
dogtag-pki: CVE-2018-1080: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>: Bug#893690; Package src:dogtag-pki. (Wed, 21 Mar 2018 09:00:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Wed, 21 Mar 2018 09:00:06 GMT)
Message #5 received at submit@bugs.debian.org:
Source: dogtag-pki
Version: 10.5.5-1
Severity: grave
Tags: security upstream
Forwarded: https://pagure.io/freeipa/issue/7453
Hi,
the following vulnerability was published for dogtag-pki.
CVE-2018-1080[0]:
Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-1080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1080
[1] https://pagure.io/freeipa/issue/7453
[2] https://review.gerrithub.io/#/c/404435/
Regards,
Salvatore
Reply sent to Timo Aaltonen <tjaalton@debian.org>: You have taken responsibility. (Wed, 18 Apr 2018 12:21:07 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Wed, 18 Apr 2018 12:21:07 GMT)
Message #10 received at 893690-close@bugs.debian.org:
Source: dogtag-pki
Source-Version: 10.6.0-2
We believe that the bug you reported is fixed in the latest version of
dogtag-pki, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 893690@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@debian.org> (supplier of updated dogtag-pki package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 18 Apr 2018 15:07:20 +0300
Source: dogtag-pki
Binary: dogtag-pki pki-base pki-base-java python3-pki-base pki-tools pki-server pki-ca dogtag-pki-console-theme dogtag-pki-server-theme pki-console pki-kra pki-ocsp pki-tks pki-tps pki-tps-client pki-javadoc libsymkey-java libsymkey-jni
Architecture: source
Version: 10.6.0-2
Distribution: experimental
Urgency: medium
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Description:
dogtag-pki - Dogtag Public Key Infrastructure (PKI) Suite
dogtag-pki-console-theme - Certificate System - PKI Console User Interface
dogtag-pki-server-theme - Certificate System - PKI Server User Interface
libsymkey-java - Symmetric Key Java library
libsymkey-jni - Symmetric Key JNI Library
pki-base - Certificate System - PKI Framework
pki-base-java - Certificate System - PKI Framework -- java client support
pki-ca - Certificate System - Certificate Authority
pki-console - Certificate System - PKI Console
pki-javadoc - Certificate System - PKI Framework Javadocs
pki-kra - Certificate System - Data Recovery Manager
pki-ocsp - Certificate System - Online Certificate Status Protocol Manager
pki-server - Certificate System - PKI Server Framework
pki-tks - Certificate System - Token Key Service
pki-tools - Certificate System - PKI Tools
pki-tps - Certificate System - Token Processing System
pki-tps-client - Certificate System - Token Processing System client
python3-pki-base - Certificate System - PKI Framework -- python3 client support
Closes: 893690
Changes:
 dogtag-pki (10.6.0-2) experimental; urgency=medium
 .
   * rules: Build everything in one pass.
   * Fix ACL evaluation in allow,deny mode. (Closes: #893690)
     - CVE-2018-1080
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 24 Aug 2018 07:31:45 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:18:35 2019