Your message dated Fri, 12 Feb 2010 01:52:43 +0000
with message-id <e1nfki3-0001qu...@ries.debian.org>
and subject line Bug#528938: fixed in ajaxterm 0.9-2+etch1
has caused the Debian Bug report #528938,
regarding CVE-2009-1629: generates session IDs with predictable random numbers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
528938: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528938
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ajaxterm
Version: 0.10-4
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ajaxterm.

CVE-2009-1629[0]:
| ajaxterm.js in AjaxTerm 0.10 and earlier generates session IDs with
| predictable random numbers based on certain JavaScript functions,
| which makes it easier for remote attackers to (1) hijack a session or
| (2) cause a denial of service (session ID exhaustion) via a
| brute-force attack.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1629
    http://security-tracker.debian.net/tracker/CVE-2009-1629

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoO0y0ACgkQNxpp46476ap5kQCghMAQafc46v0qdvjymQs/2G8p
jZcAoI7a4mTbI3QBpyrx88Qlr9z9ojLG
=hk2D
-----END PGP SIGNATURE-----



--- End Message ---
--- Begin Message ---
Source: ajaxterm
Source-Version: 0.9-2+etch1

We believe that the bug you reported is fixed in the latest version of
ajaxterm, which is due to be installed in the Debian FTP archive:

ajaxterm_0.9-2+etch1.diff.gz
  to main/a/ajaxterm/ajaxterm_0.9-2+etch1.diff.gz
ajaxterm_0.9-2+etch1.dsc
  to main/a/ajaxterm/ajaxterm_0.9-2+etch1.dsc
ajaxterm_0.9-2+etch1_all.deb
  to main/a/ajaxterm/ajaxterm_0.9-2+etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 528...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphael Geissert <geiss...@debian.org> (supplier of updated ajaxterm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 06 Feb 2010 01:46:51 -0600
Source: ajaxterm
Binary: ajaxterm
Architecture: source all
Version: 0.9-2+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Julien Valroff <jul...@kirya.net>
Changed-By: Raphael Geissert <geiss...@debian.org>
Description: 
 ajaxterm   - Web based terminal written in python
Closes: 528938
Changes: 
 ajaxterm (0.9-2+etch1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix CVE-2009-1629: session IDs are weak and predictable (Closes: #528938)
Files: 
 4e0e8803297516dd65e13e10836b7700 690 web optional ajaxterm_0.9-2+etch1.dsc
 9e48eae37beb62df3f91460b7fe352e0 33751 web optional ajaxterm_0.9.orig.tar.gz
 30e20eb2a1a452f9e2711619d3386155 6479 web optional ajaxterm_0.9-2+etch1.diff.gz
 4c63417d3dfe2aa14c115042c10cdb97 40490 web optional ajaxterm_0.9-2+etch1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkttIv4ACgkQYy49rUbZzlqh5wCfa12gJu4zp0mhgdC+SE2zztXz
4ugAnAg32keDqao1pOfhKQsuVDi7nvqM
=4Lng
-----END PGP SIGNATURE-----



--- End Message ---
