Your message dated Tue, 04 Aug 2009 19:32:13 +0000
with message-id <e1mypk5-0005d8...@ries.debian.org>
and subject line Bug#516695: fixed in libpam-heimdal 3.15-1
has caused the Debian Bug report #516695,
regarding libpam-heimdal: new version (3.13) fixing two security issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
516695: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516695
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libpam-heimdal
Version: 3.10-2.1
Severity: critical
Tags: security
Justification: root security hole
libpam-heimdal needs to be brought up to current libpam-krb5
I know this was all stalled by the freeze, but 'tis time now
------------------------------------------------------------------------
Date: Tue, 17 Feb 2009 16:32:07 +0000
...
libpam-krb5 (3.13-2) unstable; urgency=low
 .
   * Upload to unstable.
 .
libpam-krb5 (3.13-1) experimental; urgency=high
 .
   * New upstream release.
     - SECURITY (CVE-2009-0360): If invoked in a setuid context, ignore
       user environment variables that specify the local keytab and
       Kerberos configuration. Protects against a privilege escalation
       vulnerability.
     - SECURITY (CVE-2009-0361): Protect against applications calling
       pam_setcred with PAM_REINITIALIZE_CREDS as root in a setuid
       context. This API call is designed to reinitialize an existing
       Kerberos ticket cache and therefore trusts the KRB5CCNAME
       environment variable, but in a setuid context, this may allow
       overwriting arbitrary files.
-------------------------------------------------------------------------
-- System Information:
Debian Release: 5.0
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'),
(500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.27.15 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libpam-heimdal depends on:
ii libc6 2.9-3 GNU C Library: Shared libraries
ii libkrb5-25-heimdal 1.2.dfsg.1-2.1 Heimdal Kerberos - libraries
ii libpam0g 1.0.1-5 Pluggable Authentication Modules l
libpam-heimdal recommends no packages.
libpam-heimdal suggests no packages.
-- no debconf information
--- End Message ---
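The two changelog entries quoted in the report above come down to one rule: when real and effective IDs differ, the Kerberos environment variables belong to the invoking user and must not be honoured. The following C sketch of that rule is an added example, not code from libpam-krb5 or libpam-heimdal; the struct, the function names and the exact variable list (KRB5CCNAME, KRB5_KTNAME, KRB5_CONFIG) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Real/effective IDs, passed in so the policy can be tested without a setuid binary. */
struct ids { uid_t ruid, euid; gid_t rgid, egid; };

struct ids current_ids(void) {
    struct ids i = { getuid(), geteuid(), getgid(), getegid() };
    return i;
}

/* Setuid/setgid context: the invoking user controls the environment but
 * the process runs with someone else's privileges. */
bool is_setuid_context(struct ids i) {
    return i.ruid != i.euid || i.rgid != i.egid;
}

/* Ticket cache, keytab and configuration overrides (assumed list). */
static const char *const krb5_env[] = { "KRB5CCNAME", "KRB5_KTNAME", "KRB5_CONFIG" };

/* getenv() wrapper: hides the Kerberos variables in a setuid context. */
const char *trusted_getenv(struct ids i, const char *name) {
    if (is_setuid_context(i))
        for (size_t k = 0; k < sizeof krb5_env / sizeof krb5_env[0]; k++)
            if (strcmp(name, krb5_env[k]) == 0)
                return NULL;
    return getenv(name);
}

/* Reinitialising a cache writes to the path in KRB5CCNAME, so refuse it
 * outright when that path came from an untrusted environment. */
bool may_reinitialize_creds(struct ids i) {
    return !is_setuid_context(i);
}

int main(void) {
    struct ids me = current_ids();
    const char *cc = trusted_getenv(me, "KRB5CCNAME");
    printf("setuid context: %d, KRB5CCNAME honoured: %s, reinit allowed: %d\n",
           is_setuid_context(me), cc ? cc : "(ignored or unset)",
           may_reinitialize_creds(me));
    return 0;
}
```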
--- Begin Message ---
Source: libpam-heimdal
Source-Version: 3.15-1
We believe that the bug you reported is fixed in the latest version of
libpam-heimdal, which is due to be installed in the Debian FTP archive:
libpam-heimdal_3.15-1.diff.gz
to pool/main/libp/libpam-heimdal/libpam-heimdal_3.15-1.diff.gz
libpam-heimdal_3.15-1.dsc
to pool/main/libp/libpam-heimdal/libpam-heimdal_3.15-1.dsc
libpam-heimdal_3.15-1_amd64.deb
to pool/main/libp/libpam-heimdal/libpam-heimdal_3.15-1_amd64.deb
libpam-heimdal_3.15.orig.tar.gz
to pool/main/libp/libpam-heimdal/libpam-heimdal_3.15.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 516...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matthijs Mohlmann <matth...@cacholong.nl> (supplier of updated libpam-heimdal
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 04 Aug 2009 21:16:13 +0200
Source: libpam-heimdal
Binary: libpam-heimdal
Architecture: source amd64
Version: 3.15-1
Distribution: testing-security
Urgency: low
Maintainer: Matthijs Mohlmann <matth...@cacholong.nl>
Changed-By: Matthijs Mohlmann <matth...@cacholong.nl>
Description:
libpam-heimdal - PAM module for Heimdal Kerberos 5
Closes: 485250 516695
Changes:
 libpam-heimdal (3.15-1) testing-security; urgency=low
 .
   * Acknowledge NMU.
   * New upstream (Closes: #516695) (Fixing CVE-2009-0360 and CVE-2009-0361)
   * Bump Standards-Version to 3.8.2
   * Convert patches for possible switch to new source format (Closes: #485250)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkp4i98ACgkQ2n1ROIkXqbBsAgCePdynA+fMO9r70epaBIBc/ZsW
AEcAoJeRT/A3EZhwj7vsfqUfyhMmDUb4
=lB4k
-----END PGP SIGNATURE-----
--- End Message ---