pyrad: CVE-2013-0294: potentially predictable password hashing and packet IDs

Related Vulnerabilities: CVE-2013-0294   CVE-2013-0295  

Debian Bug report logs - #700669


Package: pyrad; Maintainer for pyrad is Jeremy Lainé <jeremy.laine@m4x.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 15 Feb 2013 22:33:01 UTC

Severity: grave

Tags: patch, security

Found in versions 1.2-1, 2.0-1

Fixed in versions pyrad/2.0-2, pyrad/1.2-1+deb7u1, pyrad/1.2-1+deb7u2, pyrad/1.2-1+deb6u1

Done: Jeremy Lainé <jeremy.laine@m4x.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jeremy Lainé <jeremy.laine@m4x.org>:
Bug#700669; Package pyrad. (Fri, 15 Feb 2013 22:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jeremy Lainé <jeremy.laine@m4x.org>. (Fri, 15 Feb 2013 22:33:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pyrad: CVE-2013-0294 and CVE-2013-0295
Date: Fri, 15 Feb 2013 23:29:12 +0100
Package: pyrad
Version: 2.0-1
Severity: grave
Tags: security
Control: found -1 1.2-1

Hi,
the following vulnerabilities were published for pyrad.

CVE-2013-0294[0]:
potentially predictable password hashing

CVE-2013-0295[1]:
CreateID() creates serialized packet IDs for RADIUS

Note: it's currently under discussion if there should only be assigned
one CVE for this issue.

A patch is available at [2] using random.SystemRandom() to use a
cryptographically safe random generator instead of random. I have chosen
severity grave because of this reasoning:

CVE-2013-0294: [...] In the case of the authenticator data, it was being
used to secure a password sent over the wire.  Because Python's random
module is not really suited for this purpose (not random enough), it
could lead to password hashing that may be predictable.

CVE-2013-0295: [...] This is not suitable for RADIUS as the RFC
specifies that the ID must not be predictable.  As a result, the ID of
the next packet sent can be spoofed.

(from Red Hat bugreports)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-0294
[1] http://security-tracker.debian.org/tracker/CVE-2013-0295
[2] https://github.com/wichert/pyrad/commit/38f74b36814ca5b1a27d9898141126af4953bee5

Regards,
Salvatore
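To show what the report above is about, here is an added example (not pyrad's code and not the patch at [2]): the RFC 2865 section 5.2 User-Password hiding whose keystream is seeded from the Request Authenticator, a CSPRNG-backed authenticator and ID generator of the kind the fix switched to, and a small audit heuristic that flags the serialized packet IDs an unfixed CreateID() produces. The shared secret, the sample IDs and the helper names are constructed for this example.

```python
"""RADIUS User-Password hiding (RFC 2865 s5.2) and nonce generation.

Added example, not pyrad's own code. The password keystream starts from
MD5(secret + Request Authenticator), so a predictable authenticator means a
predictable keystream; the fix for CVE-2013-0294 moved authenticator and ID
generation from the `random` module to random.SystemRandom().
"""
import hashlib
import random

# CSPRNG-backed generator (os.urandom underneath). This mirrors the kind of
# switch the fix made; the default `random` functions are a Mersenne Twister
# whose output is reconstructible from observed values.
_sysrand = random.SystemRandom()


def create_authenticator():
    """Return a fresh 16-octet Request Authenticator from the OS CSPRNG."""
    return bytes(_sysrand.randrange(0, 256) for _ in range(16))


def create_id():
    """Return an unpredictable one-octet RADIUS packet Identifier."""
    return _sysrand.randrange(0, 256)


def hide_password(secret, authenticator, password):
    """Obfuscate a User-Password attribute value per RFC 2865 section 5.2.

    The password (bytes, 1..128 octets) is NUL-padded to a multiple of 16 and
    XORed block by block with b(i) = MD5(secret + previous cipher block); the
    "previous block" for the first chunk is the Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: next keystream block depends on this one
    return bytes(out)


def unhide_password(secret, authenticator, hidden):
    """Server-side inverse of hide_password; strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def ids_look_sequential(ids, min_run=8):
    """Audit heuristic (constructed for this example): True when the packet
    Identifiers observed from one client increase by exactly one modulo 256
    for at least `min_run` consecutive packets, the pattern a serialized
    counter such as the unfixed CreateID() produces."""
    run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == (prev + 1) % 256 else 1
        if run >= min_run:
            return True
    return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    auth = create_authenticator()
    hidden = hide_password(secret, auth, b"correct horse battery")
    print("id:", create_id(), "authenticator:", auth.hex())
    print("hidden:", hidden.hex())
    print("round trip:", unhide_password(secret, auth, hidden))
```

Because hide_password is deterministic for a given secret and authenticator, two requests that reuse an authenticator hide their passwords with the same keystream, which is why the authenticator has to be unpredictable rather than merely unique-looking.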



Marked as found in versions 1.2-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 15 Feb 2013 22:33:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Jeremy Lainé <jeremy.laine@m4x.org>:
Bug#700669; Package pyrad. (Sat, 16 Feb 2013 07:24:10 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeremy Lainé <jeremy.laine@m4x.org>. (Sat, 16 Feb 2013 07:24:10 GMT) (full text, mbox, link).


Message #12 received at 700669@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 700669@bugs.debian.org
Subject: Re: Bug#700669: pyrad: use only CVE-2013-0294
Date: Sat, 16 Feb 2013 08:20:12 +0100
Control: retitle -1 pyrad: CVE-2013-0294: potentially predictable password hashing

Hi

CVE-2013-0295 was rejected and only CVE-2013-0294 is to be used for both
issues.

 http://marc.info/?l=oss-security&m=136099660015589&w=2

Regards,
Salvatore



Changed Bug title to 'pyrad: CVE-2013-0294: potentially predictable password hashing' from 'pyrad: CVE-2013-0294 and CVE-2013-0295' Request was from Salvatore Bonaccorso <carnil@debian.org> to 700669-submit@bugs.debian.org. (Sat, 16 Feb 2013 07:24:10 GMT) (full text, mbox, link).


Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Feb 2013 07:30:08 GMT) (full text, mbox, link).


Reply sent to Jeremy Lainé <jeremy.laine@m4x.org>:
You have taken responsibility. (Sat, 16 Feb 2013 09:36:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 16 Feb 2013 09:36:06 GMT) (full text, mbox, link).


Message #21 received at 700669-close@bugs.debian.org (full text, mbox, reply):

From: Jeremy Lainé <jeremy.laine@m4x.org>
To: 700669-close@bugs.debian.org
Subject: Bug#700669: fixed in pyrad 2.0-2
Date: Sat, 16 Feb 2013 09:33:18 +0000
Source: pyrad
Source-Version: 2.0-2

We believe that the bug you reported is fixed in the latest version of
pyrad, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700669@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Lainé <jeremy.laine@m4x.org> (supplier of updated pyrad package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 16 Feb 2013 09:52:59 +0100
Source: pyrad
Binary: python-pyrad
Architecture: source all
Version: 2.0-2
Distribution: unstable
Urgency: high
Maintainer: Jeremy Lainé <jeremy.laine@m4x.org>
Changed-By: Jeremy Lainé <jeremy.laine@m4x.org>
Description: 
 python-pyrad - Python module for creating and decoding RADIUS packets
Closes: 700669
Changes: 
 pyrad (2.0-2) unstable; urgency=high
 .
   * Use a better random number generator to prevent predictable password
     hashing and packet IDs (CVE-2013-0294, Closes: #700669).




Changed Bug title to 'pyrad: CVE-2013-0294: potentially predictable password hashing and packet IDs' from 'pyrad: CVE-2013-0294: potentially predictable password hashing' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 16 Feb 2013 10:03:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Jeremy Lainé <jeremy.laine@m4x.org>:
Bug#700669; Package pyrad. (Sat, 16 Feb 2013 10:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeremy Lainé <jeremy.laine@m4x.org>. (Sat, 16 Feb 2013 10:51:03 GMT) (full text, mbox, link).


Message #28 received at 700669@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 700669@bugs.debian.org, Jeremy Lainé <jeremy.laine@m4x.org>
Cc: team@security.debian.org
Subject: pyrad: CVE-2013-0294: potentially predictable password hashing and packet IDs
Date: Sat, 16 Feb 2013 11:48:00 +0100
Hi Jeremy

Thanks for already fixing the issue for pyrad in unstable. As the
debdiff between 1.2-1 and 2.0-2 looks quite big, it cannot be a
candidate for an unblock per se to testing.

Could you also prepare a package targeting wheezy (versioned as
1.2-1+deb7u1) only containing the changes to fix CVE-2013-0294? See
[1].

 [1]: http://release.debian.org/wheezy/freeze_policy.html

I don't know if the Security Team wants a DSA for this, CC'ing them.
Otherwise, for stable there might also be an update through proposed-updates.

Thanks a lot for working on this, and
Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#700669; Package pyrad. (Sat, 16 Feb 2013 23:21:06 GMT) (full text, mbox, link).


Acknowledgement sent to Jeremy Lainé <jeremy.laine@m4x.org>:
Extra info received and forwarded to list. (Sat, 16 Feb 2013 23:21:06 GMT) (full text, mbox, link).


Message #33 received at 700669@bugs.debian.org (full text, mbox, reply):

From: Jeremy Lainé <jeremy.laine@m4x.org>
To: debian-release@lists.debian.org
Cc: 700669@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Allow pyrad 1.2-1+deb7u1 into wheezy
Date: Sun, 17 Feb 2013 00:16:32 +0100
Dear release team,

Yesterday the following security vulnerability in the "pyrad" package was brought to my attention by Salvatore Bonaccorso:

https://security-tracker.debian.org/tracker/CVE-2013-0294

It is tracked in the following bug:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700669

I have uploaded version 1.2-1+deb7u1 targeted at testing-proposed-updates (debdiff attached), as unstable carries a different upstream version. Could you please let this version into wheezy?

Thanks in advance,
Jeremy

[pyrad_1.2-1+deb7u1.debdiff (application/octet-stream, attachment)]



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#700669; Package pyrad. (Sat, 16 Feb 2013 23:21:08 GMT) (full text, mbox, link).


Acknowledgement sent to Jeremy Lainé <jeremy.laine@m4x.org>:
Extra info received and forwarded to list. (Sat, 16 Feb 2013 23:21:08 GMT) (full text, mbox, link).


Message #38 received at 700669@bugs.debian.org (full text, mbox, reply):

From: Jeremy Lainé <jeremy.laine@m4x.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 700669@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#700669: pyrad: CVE-2013-0294: potentially predictable password hashing and packet IDs
Date: Sun, 17 Feb 2013 00:09:32 +0100
Hi Salvatore,

I have just uploaded the requested version to testing-proposed-updates and will get in touch with the release team to allow it into wheezy.

For squeeze, the package will be exactly the same (squeeze / wheezy both have pyrad 1.2-1), but what should the version number be?

Cheers,
Jeremy


Reply sent to Jeremy Lainé <jeremy.laine@m4x.org>:
You have taken responsibility. (Sat, 16 Feb 2013 23:21:10 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 16 Feb 2013 23:21:10 GMT) (full text, mbox, link).


Message #43 received at 700669-close@bugs.debian.org (full text, mbox, reply):

From: Jeremy Lainé <jeremy.laine@m4x.org>
To: 700669-close@bugs.debian.org
Subject: Bug#700669: fixed in pyrad 1.2-1+deb7u1
Date: Sat, 16 Feb 2013 23:17:26 +0000
Source: pyrad
Source-Version: 1.2-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
pyrad, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700669@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Lainé <jeremy.laine@m4x.org> (supplier of updated pyrad package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 16 Feb 2013 23:45:16 +0100
Source: pyrad
Binary: python-pyrad
Architecture: source all
Version: 1.2-1+deb7u1
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Jeremy Lainé <jeremy.laine@m4x.org>
Changed-By: Jeremy Lainé <jeremy.laine@m4x.org>
Description: 
 python-pyrad - Python module for creating and decoding RADIUS packets
Closes: 700669
Changes: 
 pyrad (1.2-1+deb7u1) testing-proposed-updates; urgency=high
 .
   * Use a better random number generator to prevent predictable password
     hashing and packet IDs (CVE-2013-0294, Closes: #700669).




Information forwarded to debian-bugs-dist@lists.debian.org, Jeremy Lainé <jeremy.laine@m4x.org>:
Bug#700669; Package pyrad. (Sun, 17 Feb 2013 00:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeremy Lainé <jeremy.laine@m4x.org>. (Sun, 17 Feb 2013 00:21:03 GMT) (full text, mbox, link).


Message #48 received at 700669@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: Jeremy Lainé <jeremy.laine@m4x.org>
Cc: debian-release@lists.debian.org, 700669@bugs.debian.org
Subject: Re: Allow pyrad 1.2-1+deb7u1 into wheezy
Date: Sun, 17 Feb 2013 00:19:00 +0000
On Sun, Feb 17, 2013 at 12:16:32AM +0100, Jeremy Lainé wrote:
> Dear release team,
> 
> Yesterday the following security vulnerability in the "pyrad" package was brought to my attention by Salvatore Bonaccorso:
> 
> https://security-tracker.debian.org/tracker/CVE-2013-0294
> 
> It is tracked in the following bug:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700669
> 
> I have uploaded version 1.2-1+deb7u1 targeted at testing-proposed-updates (debdiff attached), as unstable carries a different upstream version. Could you please let this version into wheezy?

It's traditional to seek approval *before* uploading; more so in this case
since adding a patch system is a no-no. The change itself is fine, please
upload with this only. You will have to bump the version number IIRC.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
            layered on top of bonghits

Information forwarded to debian-bugs-dist@lists.debian.org, Jeremy Lainé <jeremy.laine@m4x.org>:
Bug#700669; Package pyrad. (Sun, 17 Feb 2013 07:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeremy Lainé <jeremy.laine@m4x.org>. (Sun, 17 Feb 2013 07:09:04 GMT) (full text, mbox, link).


Message #53 received at 700669@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jonathan Wiltshire <jmw@debian.org>
Cc: Jeremy Lainé <jeremy.laine@m4x.org>, debian-release@lists.debian.org, 700669@bugs.debian.org
Subject: Re: Allow pyrad 1.2-1+deb7u1 into wheezy
Date: Sun, 17 Feb 2013 08:06:36 +0100
Hi all

On Sun, Feb 17, 2013 at 12:19:00AM +0000, Jonathan Wiltshire wrote:
> On Sun, Feb 17, 2013 at 12:16:32AM +0100, Jeremy Lainé wrote:
> > Dear release team,
> > 
> > Yesterday the following security vulnerability in the "pyrad"
> > package was brought to my attention by Salvatore Bonaccorso:
> > 
> > https://security-tracker.debian.org/tracker/CVE-2013-0294
> > 
> > It is tracked in the following bug:
> > 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700669
> > 
> > I have uploaded version 1.2-1+deb7u1 targeted at
> > testing-proposed-updates (debdiff attached), as unstable carries a
> > different upstream version. Could you please let this version into
> > wheezy?
> 
> It's traditional to seek approval *before* uploading; more so in this case
> since adding a patch system is a no-no. The change itself is fine, please
> upload with this only. You will have to bump the version number IIRC.

I was involved in reporting the problem: I have now noticed a possible
problem with the versioning:

Current situation:

 pyrad | 1.2-1        | squeeze    | source
 pyrad | 1.2-1        | wheezy     | source
 pyrad | 1.2-1+deb7u1 | wheezy-p-u | source
 pyrad | 2.0-2        | sid        | source

Assuming there will be also either a DSA or a pu for pyrad, how should
that be versioned? Traditionally for Squeeze it was +squeeze1, but:

1.2-1 <= 1.2-1+deb7u1

but

1.2-1+squeeze1 is not smaller than 1.2-1 or 1.2-1+deb7u1.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Jeremy Lainé <jeremy.laine@m4x.org>:
Bug#700669; Package pyrad. (Sun, 17 Feb 2013 07:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeremy Lainé <jeremy.laine@m4x.org>. (Sun, 17 Feb 2013 07:15:03 GMT) (full text, mbox, link).


Message #58 received at 700669@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jeremy Lainé <jeremy.laine@m4x.org>
Cc: 700669@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#700669: pyrad: CVE-2013-0294: potentially predictable password hashing and packet IDs
Date: Sun, 17 Feb 2013 08:12:18 +0100
Hi Jeremy

On Sun, Feb 17, 2013 at 12:09:32AM +0100, Jeremy Lainé wrote:
> I have just uploaded the requested version to
> testing-proposed-updates and will get in touch with the release team
> to allow it into wheezy.

Thank you, have seen the mail.

> For squeeze, the package will be exactly the same (squeeze / wheezy
> both have pyrad 1.2-1), but what should the version number be?

This actually is a problem, because the traditional approach for
Squeeze was +squeeze1. But 1.2-1+squeeze1 is not smaller than
1.2-1+deb7u1.

So in both cases, either a DSA by the security team or a pu to stable,
it will need some tweak to the version number. I asked the release
team for advice in reply to your previous mail.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#700669; Package pyrad. (Sun, 17 Feb 2013 07:39:03 GMT) (full text, mbox, link).


Acknowledgement sent to Jeremy Lainé <jeremy.laine@m4x.org>:
Extra info received and forwarded to list. (Sun, 17 Feb 2013 07:39:03 GMT) (full text, mbox, link).


Message #63 received at 700669@bugs.debian.org (full text, mbox, reply):

From: Jeremy Lainé <jeremy.laine@m4x.org>
To: Jonathan Wiltshire <jmw@debian.org>, 700669@bugs.debian.org
Cc: debian-release@lists.debian.org
Subject: Re: Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy
Date: Sun, 17 Feb 2013 08:36:24 +0100

On 02/17/2013 01:19 AM, Jonathan Wiltshire wrote:
> It's traditional to seek approval *before* uploading; more so in this case since adding a
patch system is a no-no. The change itself is fine, please upload with this only. You will
have to bump the version number IIRC.

OK, attached is the resulting debdiff.

On a side note, you might consider updating the following page to make it crystal clear, as
I obviously did not get the message:

http://release.debian.org/wheezy/freeze_policy.html

Rule #1: "Changing patch systems" => "Adding or changing patch systems"

Rule #2: "If in doubt, first contact the release team" => "Always contact the release team
first"

Thanks,
Jeremy


[pyrad_1.2-1+deb7u2.debdiff (text/plain, attachment)]

Reply sent to Jeremy Lainé <jeremy.laine@m4x.org>:
You have taken responsibility. (Sun, 17 Feb 2013 07:51:05 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 17 Feb 2013 07:51:05 GMT) (full text, mbox, link).


Message #68 received at 700669-close@bugs.debian.org (full text, mbox, reply):

From: Jeremy Lainé <jeremy.laine@m4x.org>
To: 700669-close@bugs.debian.org
Subject: Bug#700669: fixed in pyrad 1.2-1+deb7u2
Date: Sun, 17 Feb 2013 07:47:29 +0000
Source: pyrad
Source-Version: 1.2-1+deb7u2

We believe that the bug you reported is fixed in the latest version of
pyrad, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700669@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Lainé <jeremy.laine@m4x.org> (supplier of updated pyrad package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 17 Feb 2013 08:21:08 +0100
Source: pyrad
Binary: python-pyrad
Architecture: source all
Version: 1.2-1+deb7u2
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Jeremy Lainé <jeremy.laine@m4x.org>
Changed-By: Jeremy Lainé <jeremy.laine@m4x.org>
Description: 
 python-pyrad - Python module for creating and decoding RADIUS packets
Closes: 700669
Changes: 
 pyrad (1.2-1+deb7u2) testing-proposed-updates; urgency=high
 .
   * Use a better random number generator to prevent predictable password
     hashing and packet IDs (CVE-2013-0294, Closes: #700669).




Information forwarded to debian-bugs-dist@lists.debian.org, Jeremy Lainé <jeremy.laine@m4x.org>:
Bug#700669; Package pyrad. (Sun, 17 Feb 2013 14:03:05 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeremy Lainé <jeremy.laine@m4x.org>. (Sun, 17 Feb 2013 14:03:05 GMT) (full text, mbox, link).


Message #73 received at 700669@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: carnil@debian.org
Cc: Jeremy Lainé <jeremy.laine@m4x.org>, debian-release@lists.debian.org, 700669@bugs.debian.org
Subject: Re: Allow pyrad 1.2-1+deb7u1 into wheezy
Date: Sun, 17 Feb 2013 13:59:18 +0000
On Sun, Feb 17, 2013 at 08:06:36AM +0100, Salvatore Bonaccorso wrote:
> I was involved reporting the problem: I noticed now a possible problem
> about the versioning:
> 
> Current situation:
> 
>  pyrad | 1.2-1        | squeeze    | source
>  pyrad | 1.2-1        | wheezy     | source
>  pyrad | 1.2-1+deb7u1 | wheezy-p-u | source
>  pyrad | 2.0-2        | sid        | source
> 
> Assuming there will be also either a DSA or a pu for pyrad, how should
> that be versioned? Traditionally for Squeeze it was +squeeze1, but:
> 
> 1.2-1 <= 1.2-1+deb7u1
> 
> but
> 
> 1.2-1+squeeze1 is not smaller than 1.2-1 or 1.2-1+deb7u1.

Once 1.2-1+deb7u1 reaches wheezy (next 24 hours) we will be able to use
1.2-1+deb6u1 for any hypothetical DSA to slot in between squeeze and
wheezy.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw


Information forwarded to debian-bugs-dist@lists.debian.org, Jeremy Lainé <jeremy.laine@m4x.org>:
Bug#700669; Package pyrad. (Sun, 17 Feb 2013 14:03:07 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeremy Lainé <jeremy.laine@m4x.org>. (Sun, 17 Feb 2013 14:03:07 GMT) (full text, mbox, link).


Message #78 received at 700669@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: Jeremy Lainé <jeremy.laine@m4x.org>
Cc: 700669@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy
Date: Sun, 17 Feb 2013 14:00:09 +0000
On Sun, Feb 17, 2013 at 08:36:24AM +0100, Jeremy Lainé wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 02/17/2013 01:19 AM, Jonathan Wiltshire wrote:
> > It's traditional to seek approval *before* uploading; more so in this case since adding a
> patch system is a no-no. The change itself is fine, please upload with this only. You will
> have to bump the version number IIRC.
> 
> OK, attached is the resulting debdiff.

Approved, thanks.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw


Information forwarded to debian-bugs-dist@lists.debian.org, Jeremy Lainé <jeremy.laine@m4x.org>:
Bug#700669; Package pyrad. (Mon, 18 Feb 2013 17:24:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeremy Lainé <jeremy.laine@m4x.org>. (Mon, 18 Feb 2013 17:24:03 GMT) (full text, mbox, link).


Message #83 received at 700669@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jeremy Lainé <jeremy.laine@m4x.org>, 700669@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#700669: pyrad: CVE-2013-0294: potentially predictable password hashing and packet IDs
Date: Mon, 18 Feb 2013 18:20:54 +0100
Hi Jeremy

On Sun, Feb 17, 2013 at 12:09:32AM +0100, Jeremy Lainé wrote:
> For squeeze, the package will be exactly the same (squeeze / wheezy
> both have pyrad 1.2-1), but what should the version number be?

This issue has now been classified as 'no-dsa'[1]. Could you prepare an
upload targeting stable to go through stable-proposed-updates?

According to the previous comment, a versioning like 1.2-1+deb6u1 would
solve the sorting issue: 1.2-1 <= 1.2-1+deb6u1 <= 1.2-1+deb7u2.

 [1]: https://security-tracker.debian.org/tracker/CVE-2013-0294

Many thanks for your work!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Jeremy Lainé <jeremy.laine@m4x.org>:
Bug#700669; Package pyrad. (Sat, 23 Feb 2013 13:36:05 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Jeremy Lainé <jeremy.laine@m4x.org>. (Sat, 23 Feb 2013 13:36:05 GMT) (full text, mbox, link).


Message #88 received at 700669@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Jonathan Wiltshire <jmw@debian.org>
Cc: carnil@debian.org, Jeremy Lainé <jeremy.laine@m4x.org>, debian-release@lists.debian.org, 700669@bugs.debian.org
Subject: Re: Allow pyrad 1.2-1+deb7u1 into wheezy
Date: Sat, 23 Feb 2013 13:33:58 +0000
On Sun, 2013-02-17 at 13:59 +0000, Jonathan Wiltshire wrote:
> On Sun, Feb 17, 2013 at 08:06:36AM +0100, Salvatore Bonaccorso wrote:
> > Assuming there will be also either a DSA or a pu for pyrad, how should
> > that be versioned? Traditionally for Squeeze it was +squeeze1, but:
[...]
> Once 1.2-1+deb7u1 reaches wheezy (next 24 hours) we will be able to use
> 1.2-1+deb6u1 for any hypothetical DSA to slot in between squeeze and
> wheezy.

Well, there's a 1.2.1+deb6u1 in p-u-NEW. I can't find a p-u request for
it though...

Regards,

Adam




Information forwarded to debian-bugs-dist@lists.debian.org, Jeremy Lainé <jeremy.laine@m4x.org>:
Bug#700669; Package pyrad. (Sun, 24 Feb 2013 18:12:05 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeremy Lainé <jeremy.laine@m4x.org>. (Sun, 24 Feb 2013 18:12:05 GMT) (full text, mbox, link).


Message #93 received at 700669@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: carnil@debian.org, Jeremy Lainé <jeremy.laine@m4x.org>, debian-release@lists.debian.org, 700669@bugs.debian.org
Subject: Re: Allow pyrad 1.2-1+deb7u1 into wheezy
Date: Sun, 24 Feb 2013 18:09:45 +0000
On Sat, Feb 23, 2013 at 01:33:58PM +0000, Adam D. Barratt wrote:
> On Sun, 2013-02-17 at 13:59 +0000, Jonathan Wiltshire wrote:
> > On Sun, Feb 17, 2013 at 08:06:36AM +0100, Salvatore Bonaccorso wrote:
> > > Assuming there will be also either a DSA or a pu for pyrad, how should
> > > that be versioned? Traditionally for Squeeze it was +squeeze1, but:
> [...]
> > Once 1.2-1+deb7u1 reaches wheezy (next 24 hours) we will be able to use
> > 1.2-1+deb6u1 for any hypothetical DSA to slot in between squeeze and
> > wheezy.
> 
> Well, there's a 1.2.1+deb6u1 in p-u-NEW. I can't find a p-u request for
> it though...


This is the first I know of it.


-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

<directhex> i have six years of solaris sysadmin experience, from
            8->10. i am well qualified to say it is made from bonghits
            layered on top of bonghits

Information forwarded to debian-bugs-dist@lists.debian.org, Jeremy Lainé <jeremy.laine@m4x.org>:
Bug#700669; Package pyrad. (Sun, 24 Feb 2013 21:33:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Jeremy Lainé <jeremy.laine@m4x.org>. (Sun, 24 Feb 2013 21:33:03 GMT)


Message #98 received at 700669@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Jonathan Wiltshire <jmw@debian.org>
Cc: "Adam D. Barratt" <adam@adam-barratt.org.uk>, Jeremy Lainé <jeremy.laine@m4x.org>, debian-release@lists.debian.org, 700669@bugs.debian.org
Subject: Re: Allow pyrad 1.2-1+deb7u1 into wheezy
Date: Sun, 24 Feb 2013 22:29:31 +0100
Hi

On Sun, Feb 24, 2013 at 06:09:45PM +0000, Jonathan Wiltshire wrote:
> On Sat, Feb 23, 2013 at 01:33:58PM +0000, Adam D. Barratt wrote:
> > On Sun, 2013-02-17 at 13:59 +0000, Jonathan Wiltshire wrote:
> > > On Sun, Feb 17, 2013 at 08:06:36AM +0100, Salvatore Bonaccorso wrote:
> > > > Assuming there will be also either a DSA or a pu for pyrad, how should
> > > > that be versioned? Traditionally for Squeeze it was +squeeze1, but:
> > [...]
> > > Once 1.2-1+deb7u1 reaches wheezy (next 24 hours) we will be able to use
> > > 1.2-1+deb6u1 for any hypothetical DSA to slot in between squeeze and
> > > wheezy.
> > 
> > Well, there's a 1.2.1+deb6u1 in p-u-NEW. I can't find a p-u request for
> > it though...
> 
> 
> This is the first I know of it.

Might be that my reply in #700669 (message #83[1]) made the
confusion. I mentioned there that #700669 was marked as no-dsa and
needs to go through a p-u.

@Jeremy: to clarify: I'm not part of the Release Team, so the p-u
should have an official request to the release team (preferably as
bugreport via release.debian.org pseudo-package)

 [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700669#83

@Adam and Jonathan: will make it clearer in future replies that this
needs an approval first from Release Team when I say "was classified
no-dsa, could you please prepare targeting stable and to go through a
stable-proposed-updates" (in case this was part of the problem).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#700669; Package pyrad. (Mon, 25 Feb 2013 06:39:03 GMT)


Acknowledgement sent to Jeremy Lainé <jeremy.laine@m4x.org>:
Extra info received and forwarded to list. (Mon, 25 Feb 2013 06:39:03 GMT)


Message #103 received at 700669@bugs.debian.org:

From: Jeremy Lainé <jeremy.laine@m4x.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 700669@bugs.debian.org
Cc: Jonathan Wiltshire <jmw@debian.org>, carnil@debian.org, debian-release@lists.debian.org
Subject: Re: Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy
Date: Mon, 25 Feb 2013 07:34:51 +0100
On 02/23/2013 02:33 PM, Adam D. Barratt wrote:
> On Sun, 2013-02-17 at 13:59 +0000, Jonathan Wiltshire wrote:
>> Once 1.2-1+deb7u1 reaches wheezy (next 24 hours) we will be able to use
>> 1.2-1+deb6u1 for any hypothetical DSA to slot in between squeeze and
>> wheezy.
> Well, there's a 1.2.1+deb6u1 in p-u-NEW. I can't find a p-u request for
> it though...

I have just filed the missing p-u request.

Cheers,
Jeremy



Reply sent to Jeremy Lainé <jeremy.laine@m4x.org>:
You have taken responsibility. (Sat, 02 Mar 2013 19:21:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 02 Mar 2013 19:21:03 GMT)


Message #108 received at 700669-close@bugs.debian.org:

From: Jeremy Lainé <jeremy.laine@m4x.org>
To: 700669-close@bugs.debian.org
Subject: Bug#700669: fixed in pyrad 1.2-1+deb6u1
Date: Sat, 02 Mar 2013 19:17:04 +0000
Source: pyrad
Source-Version: 1.2-1+deb6u1

We believe that the bug you reported is fixed in the latest version of
pyrad, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700669@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Lainé <jeremy.laine@m4x.org> (supplier of updated pyrad package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 19 Feb 2013 08:43:13 +0100
Source: pyrad
Binary: python-pyrad
Architecture: source all
Version: 1.2-1+deb6u1
Distribution: stable-proposed-updates
Urgency: high
Maintainer: Jeremy Lainé <jeremy.laine@m4x.org>
Changed-By: Jeremy Lainé <jeremy.laine@m4x.org>
Description: 
 python-pyrad - Python module for creating and decoding RADIUS packets
Closes: 700669
Changes: 
 pyrad (1.2-1+deb6u1) stable-proposed-updates; urgency=high
 .
   * Use a better random number generator to prevent predictable password
     hashing and packet IDs (CVE-2013-0294, Closes: #700669).


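The changelog entry above only says that a better random number generator now feeds the password hashing and packet IDs. The following is an added illustration written for this page, not pyrad's own code: it implements the RFC 2865 User-Password hiding that depends on the 16-byte Request Authenticator, and contrasts a seedable Mersenne Twister source (the pre-fix pattern, as assumed here) with an OS CSPRNG source, showing why the former is reproducible and therefore unsafe for this purpose.

```python
import hashlib
import random
import secrets

# Added illustration of the CVE-2013-0294 bug class; not pyrad's code.
# RFC 2865 5.2 hides User-Password with a keystream derived from the shared
# secret and the Request Authenticator, so that authenticator must be
# unpredictable and must not repeat for a given secret.


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, c_i = p_i XOR MD5(secret + c_{i-1})."""
    assert len(authenticator) == 16
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining: next key depends on this ciphertext block
    return out


def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode; trailing NUL padding is stripped."""
    padded, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        padded += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return padded.rstrip(b"\x00")


def weak_authenticator(rng: random.Random) -> bytes:
    """Assumed pre-fix pattern: bytes from the seedable Mersenne Twister."""
    return bytes(rng.randint(0, 255) for _ in range(16))


def strong_authenticator() -> bytes:
    """Post-fix pattern: bytes from the OS CSPRNG (random.SystemRandom / secrets)."""
    return secrets.token_bytes(16)


def weak_rng_is_reproducible(seed: int = 1234) -> bool:
    """Two generators in the same state emit identical authenticator sequences,
    which is what makes the weak pattern predictable to an observer."""
    a, b = random.Random(seed), random.Random(seed)
    return all(weak_authenticator(a) == weak_authenticator(b) for _ in range(3))
```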


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 07:55:27 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:25:44 2019; Machine Name: buxtehude
