network-manager: CVE-2016-0764: Race conditions that could disclose connection secrets to authenticated local users

Related Vulnerabilities: CVE-2016-0764  

Debian Bug report logs - #820354

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 7 Apr 2016 17:45:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version network-manager/0.9.4.0-10

Fixed in version network-manager/1.1.91-1

Done: Michael Biebl <biebl@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#820354; Package src:network-manager. (Thu, 07 Apr 2016 17:45:06 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Thu, 07 Apr 2016 17:45:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: submit@bugs.debian.org
Subject: network-manager: CVE-2016-0764
Date: Thu, 7 Apr 2016 19:43:36 +0200
Source: network-manager
Version: 0.9.4.0-10
Conrol: fixed -1 1.1.91-1

Hi,

On Wed, Apr 06, 2016 at 11:25:58PM +0200, Michael Biebl wrote:
> Hi Moritz,
> 
> On 06.04.2016 at 22:08, Moritz Muehlenhoff wrote:
> > Hi Michael,
> > there's CVE-2016-0764 for network-manager:
> > https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=60b7ed3bdc3941a3b7c56824fba4b7291e79041f (1.2-beta2)
> > 
> > It's also fixed in 1.0.12:
> > https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS?h=1.0.12
> > 
> > This doesn't warrant a DSA, but you can fix it through a jessie
> > point update.
> 
> Could you turn this into a bug report please, otherwise I'll most
> certainly forget.

Forwarding this to the BTS.

Regards,
Salvatore



Added tag(s) upstream, security, and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 07 Apr 2016 17:48:04 GMT).


Severity set to 'important' from 'normal'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 07 Apr 2016 17:48:05 GMT).


Marked as fixed in versions network-manager/1.1.91-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 07 Apr 2016 17:48:06 GMT).


Changed Bug title to 'network-manager: CVE-2016-0764: Race conditions that could disclose connection secrets to authenticated local users' from 'network-manager: CVE-2016-0764'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 07 Apr 2016 17:48:09 GMT).


Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Sat, 17 Jun 2017 14:09:03 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 17 Jun 2017 14:09:03 GMT).


Message #18 received at 820354-done@bugs.debian.org:

From: Michael Biebl <biebl@debian.org>
To: 820354-done@bugs.debian.org, debian-lts@lists.debian.org
Subject: Re: network-manager: CVE-2016-0764
Date: Sat, 17 Jun 2017 16:04:47 +0200
On Thu, 7 Apr 2016 19:43:36 +0200 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: network-manager
> Version: 0.9.4.0-10
> Conrol: fixed -1 1.1.91-1
> 
> Hi,
> 
> On Wed, Apr 06, 2016 at 11:25:58PM +0200, Michael Biebl wrote:
> > Hi Moritz,
> > 
> > On 06.04.2016 at 22:08, Moritz Muehlenhoff wrote:
> > > Hi Michael,
> > > there's CVE-2016-0764 for network-manager:
> > > https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=60b7ed3bdc3941a3b7c56824fba4b7291e79041f (1.2-beta2)
> > > 
> > > It's also fixed in 1.0.12:
> > > https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS?h=1.0.12
> > > 
> > > This doesn't warrant a DSA, but you can fix it through a jessie
> > > point update.
> > 
> > Could you turn this into a bug report please, otherwise I'll most
> > certainly forget.
> 
> Forwarding this to the BTS.

With stretch being released any moment now, this will have to be handled
as a debian-lts / oldstable upload.

CCing the debian-lts mailing list, in case they want to make an upload
for this issue (it's not DSA tracked)

Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#820354; Package src:network-manager. (Wed, 28 Jun 2017 17:42:02 GMT).


Acknowledgement sent to Emilio Pozuelo Monfort <pochu@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Wed, 28 Jun 2017 17:42:02 GMT).


Message #23 received at 820354@bugs.debian.org:

From: Emilio Pozuelo Monfort <pochu@debian.org>
To: Michael Biebl <biebl@debian.org>, 820354@bugs.debian.org, debian-lts@lists.debian.org
Subject: Re: network-manager: CVE-2016-0764
Date: Wed, 28 Jun 2017 19:38:21 +0200
On 17/06/17 16:04, Michael Biebl wrote:
> On Thu, 7 Apr 2016 19:43:36 +0200 Salvatore Bonaccorso
> <carnil@debian.org> wrote:
>> Source: network-manager
>> Version: 0.9.4.0-10
>> Conrol: fixed -1 1.1.91-1
>>
>> Hi,
>>
>> On Wed, Apr 06, 2016 at 11:25:58PM +0200, Michael Biebl wrote:
>>> Hi Moritz,
>>>
>>> On 06.04.2016 at 22:08, Moritz Muehlenhoff wrote:
>>>> Hi Michael,
>>>> there's CVE-2016-0764 for network-manager:
>>>> https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=60b7ed3bdc3941a3b7c56824fba4b7291e79041f (1.2-beta2)
>>>>
>>>> It's also fixed in 1.0.12:
>>>> https://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/NEWS?h=1.0.12
>>>>
>>>> This doesn't warrant a DSA, but you can fix it through a jessie
>>>> point update.
>>>
>>> Could you turn this into a bug report please, otherwise I'll most
>>> certainly forget.
>>
>> Forwarding this to the BTS.
> 
> With stretch being released any moment now, this will have to be handled
> as a debian-lts / oldstable upload.
> 
> CCing the debian-lts mailing list, in case they want to make an upload
> for this issue (it's not DSA tracked)

jessie is not handled by the LTS team yet. Besides it's still open, you can do a
jessie-pu upload.

Cheers,
Emilio



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Jul 2017 07:27:45 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:49:38 2019; Machine Name: buxtehude