freeipa: CVE-2014-7828: password not required when OTP in use

Related Vulnerabilities: CVE-2014-7828  

Debian Bug report logs - #768294


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 6 Nov 2014 10:09:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version freeipa/4.0.4-2

Fixed in version freeipa/4.0.5-1

Done: Timo Aaltonen <tjaalton@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>:
Bug#768294; Package src:freeipa. (Thu, 06 Nov 2014 10:09:07 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>. (Thu, 06 Nov 2014 10:09:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: freeipa: CVE-2014-7828: password not required when OTP in use
Date: Thu, 06 Nov 2014 11:07:00 +0100
Source: freeipa
Version: 4.0.4-2
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for freeipa.

CVE-2014-7828[0]:
password not required when OTP in use

See [1] for details and upstream ticket[2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-7828
[1] https://www.redhat.com/archives/freeipa-devel/2014-November/msg00068.html
[2] https://fedorahosted.org/freeipa/ticket/4690

Regards,
Salvatore



Reply sent to Timo Aaltonen <tjaalton@debian.org>:
You have taken responsibility. (Tue, 11 Nov 2014 09:24:18 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 11 Nov 2014 09:24:18 GMT) (full text, mbox, link).


Message #10 received at 768294-close@bugs.debian.org (full text, mbox, reply):

From: Timo Aaltonen <tjaalton@debian.org>
To: 768294-close@bugs.debian.org
Subject: Bug#768294: fixed in freeipa 4.0.5-1
Date: Tue, 11 Nov 2014 09:21:28 +0000
Source: freeipa
Source-Version: 4.0.5-1

We believe that the bug you reported is fixed in the latest version of
freeipa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 768294@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@debian.org> (supplier of updated freeipa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 11 Nov 2014 10:38:52 +0200
Source: freeipa
Binary: freeipa-server freeipa-server-trust-ad freeipa-client freeipa-admintools freeipa-tests python-freeipa
Architecture: source amd64
Version: 4.0.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@lists.alioth.debian.org>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Description:
 freeipa-admintools - FreeIPA centralized identity framework -- admintools
 freeipa-client - FreeIPA centralized identity framework -- client
 freeipa-server - FreeIPA centralized identity framework -- server
 freeipa-server-trust-ad - FreeIPA centralized identity framework -- AD trust installer
 freeipa-tests - FreeIPA centralized identity framework -- tests
 python-freeipa - FreeIPA centralized identity framework -- Python modules
Closes: 768122 768187 768294 769037
Changes:
 freeipa (4.0.5-1) unstable; urgency=medium
 .
   * New upstream release
     - Fix CVE-2014-7828. (Closes: #768294)
   * control: Update my email address.
   * fix-bind-conf.diff, add-debian-platform.diff: Fix bind config
     template to use Debian specific paths, and replace named.conf not
     named.conf.local. (Closes: #768122)
   * rules, -server.postinst: Create /var/cache/bind/data owned by bind
     user.
   * rules: Fix /var/lib/ipa/backup permissions.
   * Add non-standard-dir-perm to server lintian overrides.
   * copyright: Fix a typo.
   * control: Bump dependency on bind9-dyndb-ldap to 6.0-4~.
   * control: Move dependency on python-qrcode and python-yubico from
     server to python-freeipa and drop python-selinux which belongs to
     pki-server.
   * control: Relax libxmlrpc-core-c3-dev build-dep and 389-ds-base dep
     for easier backporting.
   * control: Add python-dateutils to server, and python-dbus and python-
     memcache to python-freeipa dependencies. (Closes: #768187)
   * platform: Handle /etc/default/nfs-common and /etc/default/autofs,
     drop NSS_DB_DIR since it's inherited already. (Closes: #769037)
   * control: Bump policy to 3.9.6, no changes.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 23 Dec 2014 07:36:26 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:59:50 2019; Machine Name: beach
