Your message dated Thu, 03 Feb 2005 19:02:08 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#293418: fixed in uw-imap 7:2002edebian1-6
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 3 Feb 2005 07:37:31 +0000
>From [EMAIL PROTECTED] Wed Feb 02 23:37:31 2005
Return-path: <[EMAIL PROTECTED]>
Received: from luonnotar.infodrom.org [195.124.48.78]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CwbYR-0001l8-00; Wed, 02 Feb 2005 23:37:31 -0800
Received: by luonnotar.infodrom.org (Postfix, from userid 10)
id 25525366D6D; Thu, 3 Feb 2005 08:37:32 +0100 (CET)
Received: at Infodrom Oldenburg (/\##/\ Smail-3.2.0.102 1998-Aug-2 #2)
from infodrom.org by finlandia.Infodrom.North.DE
via smail from stdin
id <[EMAIL PROTECTED]>
for [EMAIL PROTECTED]; Thu, 3 Feb 2005 08:33:14 +0100 (CET)
Date: Thu, 3 Feb 2005 08:33:14 +0100
From: Martin Schulze <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: CAN-2005-0198: Authentication bypass
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="AW8RmF6KeXgMzg/h"
Content-Disposition: inline
X-Debbugs-Cc: Joey Hess <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,X_DEBBUGS_CC
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
--AW8RmF6KeXgMzg/h
Content-Type: multipart/mixed; boundary="TydEFKrGQa51aSOi"
Content-Disposition: inline
--TydEFKrGQa51aSOi
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Package: uw-imap
Version: 2002edebian1-5
Severity: grave
Tags: security sarge sid patch
A vulnerability was discovered in the CRAM-MD5 authentication in
UW-IMAP where, on the fourth failed authentication attempt, a user
would be able to access the IMAP server regardless. This problem
exists only if you are using CRAM-MD5 authentication and have an
/etc/cram-md5.pwd file. This is not the default setup. This is
also VU#702777 <http://www.kb.cert.org/vuls/id/702777>
I'm attaching the patch.
Please
. update the package in sid
. mention the CVE id from the subject in the changelog
. use priority=3Dhigh
. no need to upload into sarge directly, except if the version in
sid is not meant to go into testing
Regards,
Joey
--=20
We all know Linux is great... it does infinite loops in 5 seconds.
-- Linus Torvalds
--TydEFKrGQa51aSOi
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; filename="patch.CAN-2005-0198.uw-imap"
--- imap-2004/src/c-client/auth_md5.c~ 2005-01-17 16:38:46.758527958 -0700
+++ imap-2004/src/c-client/auth_md5.c 2005-01-17 16:38:46.758527958 -0700
@@ -153,7 +153,7 @@
/* get password */
if (p = auth_md5_pwd ((authuser && *authuser) ? authuser : user)) {
pl = strlen (p);
- u = (md5try && strcmp (hash,hmac_md5 (chal,cl,p,pl))) ? NIL : user;
+ u = (md5try && !strcmp (hash,hmac_md5 (chal,cl,p,pl))) ? user : NIL;
memset (p,0,pl); /* erase sensitive information */
fs_give ((void **) &p); /* flush erased password */
/* now log in for real */
--TydEFKrGQa51aSOi--
--AW8RmF6KeXgMzg/h
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCAdO6W5ql+IAeqTIRAiqzAJwKT3P/Ku8modhO4VRDXuUEqJR6CACgp3A4
vuOc4jAPTsbTF0sLj4IFVRk=
=mYZS
-----END PGP SIGNATURE-----
--AW8RmF6KeXgMzg/h--
---------------------------------------
Received: (at 293418-close) by bugs.debian.org; 4 Feb 2005 00:08:05 +0000
>From [EMAIL PROTECTED] Thu Feb 03 16:08:05 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1Cwr13-0003He-00; Thu, 03 Feb 2005 16:08:05 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1CwqvI-0005ff-00; Thu, 03 Feb 2005 19:02:08 -0500
From: Jonas Smedegaard <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#293418: fixed in uw-imap 7:2002edebian1-6
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 03 Feb 2005 19:02:08 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 2
Source: uw-imap
Source-Version: 7:2002edebian1-6
We believe that the bug you reported is fixed in the latest version of
uw-imap, which is due to be installed in the Debian FTP archive:
ipopd-ssl_2002edebian1-6_all.deb
to pool/main/u/uw-imap/ipopd-ssl_2002edebian1-6_all.deb
ipopd_2002edebian1-6_powerpc.deb
to pool/main/u/uw-imap/ipopd_2002edebian1-6_powerpc.deb
libc-client-dev_2002edebian1-6_powerpc.deb
to pool/main/u/uw-imap/libc-client-dev_2002edebian1-6_powerpc.deb
libc-client2002edebian_2002edebian1-6_powerpc.deb
to pool/main/u/uw-imap/libc-client2002edebian_2002edebian1-6_powerpc.deb
mlock_2002edebian1-6_powerpc.deb
to pool/main/u/uw-imap/mlock_2002edebian1-6_powerpc.deb
uw-imap_2002edebian1-6.diff.gz
to pool/main/u/uw-imap/uw-imap_2002edebian1-6.diff.gz
uw-imap_2002edebian1-6.dsc
to pool/main/u/uw-imap/uw-imap_2002edebian1-6.dsc
uw-imapd-ssl_2002edebian1-6_all.deb
to pool/main/u/uw-imap/uw-imapd-ssl_2002edebian1-6_all.deb
uw-imapd_2002edebian1-6_powerpc.deb
to pool/main/u/uw-imap/uw-imapd_2002edebian1-6_powerpc.deb
uw-mailutils_2002edebian1-6_powerpc.deb
to pool/main/u/uw-imap/uw-mailutils_2002edebian1-6_powerpc.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jonas Smedegaard <[EMAIL PROTECTED]> (supplier of updated uw-imap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 3 Feb 2005 20:22:23 +0100
Source: uw-imap
Binary: libc-client2002edebian uw-imapd libc-client-dev mlock ipopd ipopd-ssl
uw-imapd-ssl uw-mailutils
Architecture: source all powerpc
Version: 7:2002edebian1-6
Distribution: unstable
Urgency: high
Maintainer: Jonas Smedegaard <[EMAIL PROTECTED]>
Changed-By: Jonas Smedegaard <[EMAIL PROTECTED]>
Description:
ipopd - POP2 and POP3 servers from UW
ipopd-ssl - Dummy upgrade package for ipopd
libc-client-dev - UW c-client library for mail protocols
libc-client2002edebian - UW c-client library for mail protocols
mlock - Mailbox locking program from UW
uw-imapd - remote mail folder access server
uw-imapd-ssl - Dummy upgrade package for uw-imapd
uw-mailutils - C-client support programs from UW
Closes: 292606 293418
Changes:
uw-imap (7:2002edebian1-6) unstable; urgency=high
.
* Fix CERT security bug VU#702777: CRAM-MD5 authentication (disabled
by default in Debian) would always grant access after 4 failed
attempts. This closes: bug#292606, #293418 (thanks to Tomas Pospisek
<[EMAIL PROTECTED]> for first reporting it and Martin Schulze
<[EMAIL PROTECTED]> for providing a patch).
* Set urgency=high due to above security fix.
* Update local cdbs snippets:
+ buildinfo.mk: Make it actually work (tie to proper targets).
+ debhelper.mk: Add CDBS_BUILD_DEPENDS.
+ bts.mk: Make a test more quiet.
Files:
1033d18ff70d48972a34a9ba9ee6e5e9 771 mail optional uw-imap_2002edebian1-6.dsc
55432671e26d994dfe8c88c8be4bc214 81715 mail optional
uw-imap_2002edebian1-6.diff.gz
c6b008cdd2be460a054baa42ca84efdd 19504 mail optional
uw-imapd-ssl_2002edebian1-6_all.deb
8ba960aafc51439676a7771bc76c2a30 19494 mail optional
ipopd-ssl_2002edebian1-6_all.deb
78af18326b83e0ece97ed9cb665bcfa5 67932 mail optional
uw-imapd_2002edebian1-6_powerpc.deb
d05b4a5a4dfd05344a4cb9609edcf10a 42330 mail optional
ipopd_2002edebian1-6_powerpc.deb
00ec85a065ce820a7ad7e817dc460f3a 1367906 libdevel optional
libc-client-dev_2002edebian1-6_powerpc.deb
db241d8b61979a5248694c9baa137ff6 583856 libs optional
libc-client2002edebian_2002edebian1-6_powerpc.deb
009f3b6eb5269a64b0487cc577a0c3b0 25216 mail optional
mlock_2002edebian1-6_powerpc.deb
3eac2a5918c0c04a0b90931136bcec6e 49056 mail optional
uw-mailutils_2002edebian1-6_powerpc.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCAoGIn7DbMsAkQLgRAgM8AJ47EY+BSrbuC3w8t6LllFeC8Ns4PwCeJbwf
Ro7+iZABkFuLrVsSxpRARgA=
=YDa9
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
