David Härdeman wrote:
> I am still seeing this problem in the version of courier included in
> sarge. Courier seems to happily ignore the result of the pam check and
> continue anyway (when using the pam_tally module).
>
> I would suggest that this warrants the security tag and a security
> update as it allows a user to try to crack passwords with a brute-force
> approach even if countermeasures (i.e. pam-tally) are in place.
>
> This bug should probably be reassigned to courier-authdaemon
> since I have the feeling that it is responsible for the pam
> conversation. See also bug 256231 for related pam problems.

I'm building updated packages now and have assigned CVE-2005-3532 to
this problem. Thanks a lot for the patch.

Regards,

Joey

--
Life is a lot easier when you have someone to share it with. -- Sean Perry

Please always Cc to me when replying to me on the lists.