Your message dated Fri, 12 Feb 2010 01:52:52 +0000
with message-id <e1nfkic-0001t1...@ries.debian.org>
and subject line Bug#528938: fixed in ajaxterm 0.10-2+lenny1
has caused the Debian Bug report #528938,
regarding CVE-2009-1629: generates session IDs with predictable random numbers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
528938: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528938
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ajaxterm
Version: 0.10-4
Severity: serious
Tags: security


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ajaxterm.

CVE-2009-1629[0]:
| ajaxterm.js in AjaxTerm 0.10 and earlier generates session IDs with
| predictable random numbers based on certain JavaScript functions,
| which makes it easier for remote attackers to (1) hijack a session or
| (2) cause a denial of service (session ID exhaustion) via a
| brute-force attack.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1629
    http://security-tracker.debian.net/tracker/CVE-2009-1629

Cheers,
Giuseppe.




--- End Message ---
--- Begin Message ---
Source: ajaxterm
Source-Version: 0.10-2+lenny1

We believe that the bug you reported is fixed in the latest version of
ajaxterm, which is due to be installed in the Debian FTP archive:

ajaxterm_0.10-2+lenny1.diff.gz
  to main/a/ajaxterm/ajaxterm_0.10-2+lenny1.diff.gz
ajaxterm_0.10-2+lenny1.dsc
  to main/a/ajaxterm/ajaxterm_0.10-2+lenny1.dsc
ajaxterm_0.10-2+lenny1_all.deb
  to main/a/ajaxterm/ajaxterm_0.10-2+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <geiss...@debian.org> (supplier of updated ajaxterm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Sat, 06 Feb 2010 01:50:47 -0600
Source: ajaxterm
Binary: ajaxterm
Architecture: source all
Version: 0.10-2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Julien Valroff <jul...@kirya.net>
Changed-By: Raphael Geissert <geiss...@debian.org>
Description: 
 ajaxterm   - Web based terminal written in Python
Closes: 528938
Changes: 
 ajaxterm (0.10-2+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2009-1629: session IDs are weak and predictable (Closes: #528938)




--- End Message ---
