CVE-2009-1273: user enumeration issue in libpam-ssh

Related Vulnerabilities: CVE-2009-1273   CVE-2007-0844  

Debian Bug report logs - #535877


Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Sun, 5 Jul 2009 18:36:01 UTC

Severity: normal

Tags: security

Fixed in versions libpam-ssh/1.92-7, libpam-ssh/1.91.0-9.3+lenny1

Done: Jens Peter Secher <jps@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Jens Peter Secher <jps@debian.org>:
Bug#535877; Package libpam-ssh. (Sun, 05 Jul 2009 18:36:03 GMT)


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Jens Peter Secher <jps@debian.org>. (Sun, 05 Jul 2009 18:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: CVE-2009-1273: user enumeration issue in libpam-ssh
Date: Sun, 05 Jul 2009 20:35:15 +0200
Package: libpam-ssh
Tags: security

A user enumeration issue has been disclosed in libpam-ssh:

| pam_ssh 1.92 and possibly other versions, as used when PAM is
| compiled with USE=ssh, generates different error messages depending
| on whether the username is valid or invalid, which makes it easier
| for remote attackers to enumerate usernames.

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1273>

The Gentoo bug report linked from there contains a patch.

This should probably be uploaded to (old)stable-proposed-updates,
combined with the fix for CVE-2007-0844.
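To make the reported pattern concrete, here is an added illustration that is not pam_ssh's code nor the Gentoo patch: a constructed PAM-style authenticate routine in its leaking form beside a uniform-response form, plus a check a reviewer can run to flag the leak. The user table, the key check and the message strings are constructed stand-ins.

```c
/* Added illustration, not pam_ssh's code: how distinct error paths reveal
 * whether a user name exists, and the uniform-response fix (stand-ins). */
#include <string.h>
#define PAM_SUCCESS       0    /* return codes as defined by Linux-PAM */
#define PAM_AUTH_ERR      7
#define PAM_USER_UNKNOWN  10

struct user { const char *name; const char *key; };
static const struct user users[] = { { "alice", "key-alice" }, { "bob", "key-bob" } };
/* Dummy entry so that an unknown name still walks the full check path. */
static const struct user dummy_user = { "", "key-nobody-constructed" };

static const struct user *lookup(const char *name) {
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0) return &users[i];
    return NULL;
}
static int key_matches(const struct user *u, const char *key) {
    return strcmp(u->key, key) == 0;   /* stand-in for the SSH key check */
}

/* Leaking pattern: an unknown user short-circuits with its own code and
 * message, so the reply alone tells the caller the name is invalid. */
int auth_vulnerable(const char *name, const char *key, const char **msg) {
    const struct user *u = lookup(name);
    if (u == NULL) { *msg = "no such user"; return PAM_USER_UNKNOWN; }
    if (!key_matches(u, key)) { *msg = "key does not match"; return PAM_AUTH_ERR; }
    *msg = "ok"; return PAM_SUCCESS;
}

/* Hardened pattern: unknown names are checked against the dummy entry, so
 * control flow, return code and message are identical for both failures. */
int auth_hardened(const char *name, const char *key, const char **msg) {
    const struct user *u = lookup(name);
    int known = (u != NULL);
    if (!known) u = &dummy_user;
    int ok = key_matches(u, key) & known;   /* '&', not '&&': no early exit */
    if (!ok) { *msg = "authentication failed"; return PAM_AUTH_ERR; }
    *msg = "ok"; return PAM_SUCCESS;
}

typedef int (*auth_fn)(const char *, const char *, const char **);
/* Defender's check: known vs unknown user with a bad key; 1 means the reply leaks. */
int leaks_user_existence(auth_fn auth) {
    const char *m_known, *m_unknown;
    int r_known = auth("alice", "wrong-key", &m_known);
    int r_unknown = auth("mallory", "wrong-key", &m_unknown);
    return r_known != r_unknown || strcmp(m_known, m_unknown) != 0;
}
```

The check compares only return code and message; a real review would also compare response timing, which the dummy-entry path is meant to keep uniform.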




Reply sent to Jens Peter Secher <jps@debian.org>:
You have taken responsibility. (Wed, 22 Jul 2009 12:54:13 GMT)


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. (Wed, 22 Jul 2009 12:54:14 GMT)


Message #10 received at 535877-close@bugs.debian.org:

From: Jens Peter Secher <jps@debian.org>
To: 535877-close@bugs.debian.org
Subject: Bug#535877: fixed in libpam-ssh 1.92-7
Date: Wed, 22 Jul 2009 12:17:14 +0000
Source: libpam-ssh
Source-Version: 1.92-7

We believe that the bug you reported is fixed in the latest version of
libpam-ssh, which is due to be installed in the Debian FTP archive:

libpam-ssh_1.92-7.diff.gz
  to pool/main/libp/libpam-ssh/libpam-ssh_1.92-7.diff.gz
libpam-ssh_1.92-7.dsc
  to pool/main/libp/libpam-ssh/libpam-ssh_1.92-7.dsc
libpam-ssh_1.92-7_i386.deb
  to pool/main/libp/libpam-ssh/libpam-ssh_1.92-7_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 535877@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jens Peter Secher <jps@debian.org> (supplier of updated libpam-ssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 22 Jul 2009 13:59:21 +0200
Source: libpam-ssh
Binary: libpam-ssh
Architecture: source i386
Version: 1.92-7
Distribution: unstable
Urgency: low
Maintainer: Jens Peter Secher <jps@debian.org>
Changed-By: Jens Peter Secher <jps@debian.org>
Description: 
 libpam-ssh - Single sign-on via private SSH key
Closes: 535877 537155
Changes: 
 libpam-ssh (1.92-7) unstable; urgency=low
 .
   * Avoid leaking user names, see CVE-2009-1273.
     (Closes: 535877)
   * Do not refer to non-existing session config file in README, thanks
     to Andrei Popescu.
     (Closes: 537155)





Information forwarded to debian-bugs-dist@lists.debian.org, Jens Peter Secher <jps@debian.org>:
Bug#535877; Package libpam-ssh. (Tue, 11 Aug 2009 17:09:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jens Peter Secher <jps@debian.org>. (Tue, 11 Aug 2009 17:09:04 GMT)


Message #15 received at 535877@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 535877@bugs.debian.org
Subject: Re: CVE-2009-1273: user enumeration issue in libpam-ssh
Date: Tue, 11 Aug 2009 19:07:16 +0200
On Sun, Jul 05, 2009 at 08:35:15PM +0200, Florian Weimer wrote:
> Package: libpam-ssh
> Tags: security
> 
> A user enumeration issue has been disclosed in libpam-ssh:
> 
> | pam_ssh 1.92 and possibly other versions, as used when PAM is
> | compiled with USE=ssh, generates different error messages depending
> | on whether the username is valid or invalid, which makes it easier
> | for remote attackers to enumerate usernames.
> 
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1273>
> 
> The Gentoo bug report linked from there contains a patch.
> 
> This should probably be uploaded to (old)stable-proposed-updates,
> combined with the fix for CVE-2007-0844.

Jens, can you take care of an upload to stable-proposed-updates?

Cheers,
        Moritz




Information stored :
Bug#535877; Package libpam-ssh. (Tue, 11 Aug 2009 19:51:10 GMT)


Acknowledgement sent to Jens Peter Secher <jpsecher@diku.dk>:
Extra info received and filed, but not forwarded. (Tue, 11 Aug 2009 19:51:10 GMT)


Message #20 received at 535877-quiet@bugs.debian.org:

From: Jens Peter Secher <jpsecher@diku.dk>
To: Moritz Muehlenhoff <jmm@inutil.org>, 535877-quiet@bugs.debian.org
Subject: Re: Bug#535877: CVE-2009-1273: user enumeration issue in libpam-ssh
Date: Tue, 11 Aug 2009 21:47:58 +0200
2009/8/11 Moritz Muehlenhoff <jmm@inutil.org>:
>
> Jens, can you take care of an upload to stable-proposed-updates?

Will do.
-- 
                                                    Jens Peter Secher.
_DD6A 05B0 174E BFB2 D4D9 B52E 0EE5 978A FE63 E8A1 jpsecher gmail com_.
A. Because it breaks the logical sequence of discussion.
Q. Why is top posting bad?




Reply sent to Jens Peter Secher <jps@debian.org>:
You have taken responsibility. (Thu, 13 Aug 2009 02:00:08 GMT)


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. (Thu, 13 Aug 2009 02:00:09 GMT)


Message #25 received at 535877-close@bugs.debian.org:

From: Jens Peter Secher <jps@debian.org>
To: 535877-close@bugs.debian.org
Subject: Bug#535877: fixed in libpam-ssh 1.91.0-9.3+lenny1
Date: Thu, 13 Aug 2009 01:53:56 +0000
Source: libpam-ssh
Source-Version: 1.91.0-9.3+lenny1

We believe that the bug you reported is fixed in the latest version of
libpam-ssh, which is due to be installed in the Debian FTP archive:

libpam-ssh_1.91.0-9.3+lenny1.diff.gz
  to pool/main/libp/libpam-ssh/libpam-ssh_1.91.0-9.3+lenny1.diff.gz
libpam-ssh_1.91.0-9.3+lenny1.dsc
  to pool/main/libp/libpam-ssh/libpam-ssh_1.91.0-9.3+lenny1.dsc
libpam-ssh_1.91.0-9.3+lenny1_i386.deb
  to pool/main/libp/libpam-ssh/libpam-ssh_1.91.0-9.3+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 535877@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jens Peter Secher <jps@debian.org> (supplier of updated libpam-ssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 12 Aug 2009 22:37:21 +0200
Source: libpam-ssh
Binary: libpam-ssh
Architecture: source i386
Version: 1.91.0-9.3+lenny1
Distribution: stable-proposed-updates
Urgency: low
Maintainer: Aurelien Labrosse <aurelien.labrosse@free.fr>
Changed-By: Jens Peter Secher <jps@debian.org>
Description: 
 libpam-ssh - enable SSO behavior for ssh and pam
Closes: 535877
Changes: 
 libpam-ssh (1.91.0-9.3+lenny1) stable-proposed-updates; urgency=low
 .
   * Avoid leaking user names by backporting Dmitry Butskoy's patch
     for CVE-2009-1273.
     (Closes: #535877)





Reply sent to Jens Peter Secher <jps@debian.org>:
You have taken responsibility. (Fri, 04 Sep 2009 19:21:29 GMT)


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer. (Fri, 04 Sep 2009 19:21:30 GMT)


Message #30 received at 535877-close@bugs.debian.org:

From: Jens Peter Secher <jps@debian.org>
To: 535877-close@bugs.debian.org
Subject: Bug#535877: fixed in libpam-ssh 1.91.0-9.3+lenny1
Date: Fri, 04 Sep 2009 18:32:14 +0000
Source: libpam-ssh
Source-Version: 1.91.0-9.3+lenny1

We believe that the bug you reported is fixed in the latest version of
libpam-ssh, which is due to be installed in the Debian FTP archive:

libpam-ssh_1.91.0-9.3+lenny1.diff.gz
  to pool/main/libp/libpam-ssh/libpam-ssh_1.91.0-9.3+lenny1.diff.gz
libpam-ssh_1.91.0-9.3+lenny1.dsc
  to pool/main/libp/libpam-ssh/libpam-ssh_1.91.0-9.3+lenny1.dsc
libpam-ssh_1.91.0-9.3+lenny1_i386.deb
  to pool/main/libp/libpam-ssh/libpam-ssh_1.91.0-9.3+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 535877@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jens Peter Secher <jps@debian.org> (supplier of updated libpam-ssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 12 Aug 2009 22:37:21 +0200
Source: libpam-ssh
Binary: libpam-ssh
Architecture: source i386
Version: 1.91.0-9.3+lenny1
Distribution: stable-proposed-updates
Urgency: low
Maintainer: Aurelien Labrosse <aurelien.labrosse@free.fr>
Changed-By: Jens Peter Secher <jps@debian.org>
Description: 
 libpam-ssh - enable SSO behavior for ssh and pam
Closes: 535877
Changes: 
 libpam-ssh (1.91.0-9.3+lenny1) stable-proposed-updates; urgency=low
 .
   * Avoid leaking user names by backporting Dmitry Butskoy's patch
     for CVE-2009-1273.
     (Closes: #535877)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 03 Oct 2009 07:45:18 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:04:39 2019; Machine Name: buxtehude
