dogtag-pki: CVE-2018-1080: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access


Debian Bug report logs - #893690


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 21 Mar 2018 09:00:02 UTC

Severity: grave

Tags: security, upstream

Found in version dogtag-pki/10.5.5-1

Fixed in version dogtag-pki/10.6.0-2

Done: Timo Aaltonen <tjaalton@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://pagure.io/freeipa/issue/7453




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>:
Bug#893690; Package src:dogtag-pki. (Wed, 21 Mar 2018 09:00:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Wed, 21 Mar 2018 09:00:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dogtag-pki: CVE-2018-1080: Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access
Date: Wed, 21 Mar 2018 09:57:12 +0100
Source: dogtag-pki
Version: 10.5.5-1
Severity: grave
Tags: security upstream
Forwarded: https://pagure.io/freeipa/issue/7453

Hi,

the following vulnerability was published for dogtag-pki.

CVE-2018-1080[0]:
Mishandled ACL configuration in AAclAuthz.java reverses rules that allow and deny access

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1080
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1080
[1] https://pagure.io/freeipa/issue/7453
[2] https://review.gerrithub.io/#/c/404435/

Regards,
Salvatore



Reply sent to Timo Aaltonen <tjaalton@debian.org>:
You have taken responsibility. (Wed, 18 Apr 2018 12:21:07 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 18 Apr 2018 12:21:07 GMT) (full text, mbox, link).


Message #10 received at 893690-close@bugs.debian.org (full text, mbox, reply):

From: Timo Aaltonen <tjaalton@debian.org>
To: 893690-close@bugs.debian.org
Subject: Bug#893690: fixed in dogtag-pki 10.6.0-2
Date: Wed, 18 Apr 2018 12:19:41 +0000
Source: dogtag-pki
Source-Version: 10.6.0-2

We believe that the bug you reported is fixed in the latest version of
dogtag-pki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893690@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@debian.org> (supplier of updated dogtag-pki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 18 Apr 2018 15:07:20 +0300
Source: dogtag-pki
Binary: dogtag-pki pki-base pki-base-java python3-pki-base pki-tools pki-server pki-ca dogtag-pki-console-theme dogtag-pki-server-theme pki-console pki-kra pki-ocsp pki-tks pki-tps pki-tps-client pki-javadoc libsymkey-java libsymkey-jni
Architecture: source
Version: 10.6.0-2
Distribution: experimental
Urgency: medium
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Description:
 dogtag-pki - Dogtag Public Key Infrastructure (PKI) Suite
 dogtag-pki-console-theme - Certificate System - PKI Console User Interface
 dogtag-pki-server-theme - Certificate System - PKI Server User Interface
 libsymkey-java - Symmetric Key Java library
 libsymkey-jni - Symmetric Key JNI Library
 pki-base   - Certificate System - PKI Framework
 pki-base-java - Certificate System - PKI Framework -- java client support
 pki-ca     - Certificate System - Certificate Authority
 pki-console - Certificate System - PKI Console
 pki-javadoc - Certificate System - PKI Framework Javadocs
 pki-kra    - Certificate System - Data Recovery Manager
 pki-ocsp   - Certificate System - Online Certificate Status Protocol Manager
 pki-server - Certificate System - PKI Server Framework
 pki-tks    - Certificate System - Token Key Service
 pki-tools  - Certificate System - PKI Tools
 pki-tps    - Certificate System - Token Processing System
 pki-tps-client - Certificate System - Token Processing System client
 python3-pki-base - Certificate System - PKI Framework -- python3 client support
Closes: 893690
Changes:
 dogtag-pki (10.6.0-2) experimental; urgency=medium
 .
   * rules: Build everything in one pass.
   * Fix ACL evaluation in allow,deny mode. (Closes: #893690)
     - CVE-2018-1080
Checksums-Sha1:
 6ccbb5d35c52f92a2a9910c2c0705f02492447b3 3709 dogtag-pki_10.6.0-2.dsc
 a211a46e56ae28d3e9cf407c694ace203c4c6feb 32584 dogtag-pki_10.6.0-2.debian.tar.xz
 3688da8ee57f57ebbb09eec3eb323f94d869f09a 17932 dogtag-pki_10.6.0-2_source.buildinfo
Checksums-Sha256:
 6bd3401e9afaebc8369e2c50dc3ade4c7c060f2a22134730d9230abd559b7f0e 3709 dogtag-pki_10.6.0-2.dsc
 54fe3534494dd22c7dd23ede490a49515a4d3ce0a238d71cc24ac424e3e30083 32584 dogtag-pki_10.6.0-2.debian.tar.xz
 d7e902752d2944fdda262051999618090c347af8bf699028b6ffce4fba53325c 17932 dogtag-pki_10.6.0-2_source.buildinfo
Files:
 09597b27529fd80763ad92966a99ca1f 3709 java optional dogtag-pki_10.6.0-2.dsc
 3f193ab6d0ea88446943370304e03efc 32584 java optional dogtag-pki_10.6.0-2.debian.tar.xz
 aa9dcf4900bcd484ab8a76b2ff4ab310 17932 java optional dogtag-pki_10.6.0-2_source.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 24 Aug 2018 07:31:45 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:18:35 2019; Machine Name: buxtehude
