Debian Bug report logs - #820354
network-manager: CVE-2016-0764: Race conditions that could disclose connection secrets to authenticated local users
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 7 Apr 2016 17:45:02 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Found in version network-manager/0.9.4.0-10
Fixed in version network-manager/1.1.91-1
Done: Michael Biebl <biebl@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#820354; Package src:network-manager. (Thu, 07 Apr 2016 17:45:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Thu, 07 Apr 2016 17:45:06 GMT)
Message #5 received at submit@bugs.debian.org:
Source: network-manager
Version: 0.9.4.0-10
Conrol: fixed -1 1.1.91-1
Hi,
On Wed, Apr 06, 2016 at 11:25:58PM +0200, Michael Biebl wrote:
> Hi Moritz,
>
> Am 06.04.2016 um 22:08 schrieb Moritz Muehlenhoff:
> > Hi Michael,
> > there's CVE-2016-0764 for network-manager:
> > https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=60b7ed3bdc3941a3b7c56824fba4b7291e79041f (1.2-beta2)
> >
> > It's also fixed in 1.0.12:
> > https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS?h=1.0.12
> >
> > This doesn't warrant a DSA, but you can fix it through a jessie
> > point update.
>
> Could you turn this into a bug report please, otherwise I'll most
> certainly forget.
Forwarding this to the BTS.
Regards,
Salvatore
Added tag(s) upstream, security, and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 07 Apr 2016 17:48:04 GMT)
Severity set to 'important' from 'normal'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 07 Apr 2016 17:48:05 GMT)
Marked as fixed in versions network-manager/1.1.91-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 07 Apr 2016 17:48:06 GMT)
Changed Bug title to 'network-manager: CVE-2016-0764: Race conditions that could disclose connection secrets to authenticated local users' from 'network-manager: CVE-2016-0764'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 07 Apr 2016 17:48:09 GMT)
Reply sent to Michael Biebl <biebl@debian.org>: You have taken responsibility. (Sat, 17 Jun 2017 14:09:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 17 Jun 2017 14:09:03 GMT)
Message #18 received at 820354-done@bugs.debian.org:
On Thu, 7 Apr 2016 19:43:36 +0200 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: network-manager
> Version: 0.9.4.0-10
> Conrol: fixed -1 1.1.91-1
>
> Hi,
>
> On Wed, Apr 06, 2016 at 11:25:58PM +0200, Michael Biebl wrote:
> > Hi Moritz,
> >
> > Am 06.04.2016 um 22:08 schrieb Moritz Muehlenhoff:
> > > Hi Michael,
> > > there's CVE-2016-0764 for network-manager:
> > > https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=60b7ed3bdc3941a3b7c56824fba4b7291e79041f (1.2-beta2)
> > >
> > > It's also fixed in 1.0.12:
> > > https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS?h=1.0.12
> > >
> > > This doesn't warrant a DSA, but you can fix it through a jessie
> > > point update.
> >
> > Could you turn this into a bug report please, otherwise I'll most
> > certainly forget.
>
> Forwarding this to the BTS.
With stretch being released any moment now, this will have to be handled
as a debian-lts / oldstable upload.
CCing the debian-lts mailing list, in case they want to make an upload
for this issue (it's not DSA tracked)
Michael
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>: Bug#820354; Package src:network-manager. (Wed, 28 Jun 2017 17:42:02 GMT)
Acknowledgement sent to Emilio Pozuelo Monfort <pochu@debian.org>: Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Wed, 28 Jun 2017 17:42:02 GMT)
Message #23 received at 820354@bugs.debian.org:
On 17/06/17 16:04, Michael Biebl wrote:
> On Thu, 7 Apr 2016 19:43:36 +0200 Salvatore Bonaccorso
> <carnil@debian.org> wrote:
>> Source: network-manager
>> Version: 0.9.4.0-10
>> Conrol: fixed -1 1.1.91-1
>>
>> Hi,
>>
>> On Wed, Apr 06, 2016 at 11:25:58PM +0200, Michael Biebl wrote:
>>> Hi Moritz,
>>>
>>> Am 06.04.2016 um 22:08 schrieb Moritz Muehlenhoff:
>>>> Hi Michael,
>>>> there's CVE-2016-0764 for network-manager:
>>>> https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=60b7ed3bdc3941a3b7c56824fba4b7291e79041f (1.2-beta2)
>>>>
>>>> It's also fixed in 1.0.12:
>>>> https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS?h=1.0.12
>>>>
>>>> This doesn't warrant a DSA, but you can fix it through a jessie
>>>> point update.
>>>
>>> Could you turn this into a bug report please, otherwise I'll most
>>> certainly forget.
>>
>> Forwarding this to the BTS.
>
> With stretch being released any moment now, this will have to be handled
> as a debian-lts / oldstable upload.
>
> CCing the debian-lts mailing list, in case they want to make an upload
> for this issue (it's not DSA tracked)
jessie is not handled by the LTS team yet. Besides it's still open, you can do a
jessie-pu upload.
Cheers,
Emilio
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Jul 2017 07:27:45 GMT)
Last modified: Wed Jun 19 18:49:38 2019