Bug#296662: marked as done (security hole in LDAP login code (CAN-2005-0505))

Debian Bug Tracking System Mon, 21 Mar 2005 03:38:16 -0800

Your message dated Mon, 21 Mar 2005 22:20:24 +1100
with message-id <[EMAIL PROTECTED]>
and subject line New upstream version
has caused the attached Bug report to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 23 Feb 2005 20:53:14 +0000
>From [EMAIL PROTECTED] Wed Feb 23 12:53:14 2005
Return-path: <[EMAIL PROTECTED]>
Received: from kitenet.net [64.62.161.42] (postfix)
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1D43VS-0004y0-00; Wed, 23 Feb 2005 12:53:14 -0800
Received: from dragon.kitenet.net (unknown [66.168.94.144])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
        by kitenet.net (Postfix) with ESMTP id 6B909181A8
        for <[EMAIL PROTECTED]>; Wed, 23 Feb 2005 20:53:13 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
        id CA1FF6F031; Wed, 23 Feb 2005 15:55:39 -0500 (EST)
Date: Wed, 23 Feb 2005 15:55:38 -0500
From: Joey Hess <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: security hole in LDAP login code (CAN-2005-0505)
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="M9NhX3UHpAaciwkO"
Content-Disposition: inline
X-Reportbug-Version: 3.8
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--M9NhX3UHpAaciwkO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: irm
Version: 1.5.1.1-2
Severity: serious
Tags: security
CVE: CAN-2005-0505

According to
http://sourceforge.net/project/shownotes.php?release_id=3D306629 :

  IRM 1.5.2.1 fixes a potential security flaw in the LDAP login code.  All
  users (especially those running on LDAP) are urged to upgrade.

http://secunia.com/advisories/14342 has a bit more info:

   Fulvio Civitareale has reported a vulnerability in IRM, which can be
   exploited by malicious people to bypass certain security restrictions.

   The vulnerability is caused due to an error in the LDAP login code where=
 a
   user with a non-existent username can login.

Please mention CAN-2005-0505 in any changelog entries.

--=20
see shy jo

--M9NhX3UHpAaciwkO
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCHO3Jd8HHehbQuO8RAjv0AJ4x58qQfeQ2g2823h/3pDbrpBvtuQCffUxA
YEUhlP9FyG5r7vleLSZJxoo=
=UCpf
-----END PGP SIGNATURE-----

--M9NhX3UHpAaciwkO--

---------------------------------------
Received: (at 296662-done) by bugs.debian.org; 21 Mar 2005 11:21:29 +0000
>From [EMAIL PROTECTED] Mon Mar 21 03:21:29 2005
Return-path: <[EMAIL PROTECTED]>
Received: from eth1859.nsw.adsl.internode.on.net (gryphon.hezmatt.org) 
[150.101.200.66] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1DDKyP-0002Yg-00; Mon, 21 Mar 2005 03:21:29 -0800
Received: from mpalmer by gryphon.hezmatt.org with local (Exim 3.34 #1 (Debian))
        id 1DDKxM-0001yZ-00
        for <[EMAIL PROTECTED]>; Mon, 21 Mar 2005 22:20:24 +1100
Date: Mon, 21 Mar 2005 22:20:24 +1100
From: Matthew Palmer <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: New upstream version
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature"; boundary="WplhKdTI2c8ulnbP"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
        version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 


--WplhKdTI2c8ulnbP
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

As much as this bug ever existed, it should now be fixed.

--WplhKdTI2c8ulnbP
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCPq34BEnrTWk1E4cRAldAAJ9IOchrEKtp7YfYbFIJSfatnavgTQCglHm1
uhikZ6TkIoJUR007fg/v8lg=
=NXRC
-----END PGP SIGNATURE-----

--WplhKdTI2c8ulnbP--


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Bug#296662: marked as done (security hole in LDAP login code (CAN-2005-0505))

Reply via email to