Your message dated Wed, 25 Aug 2010 07:59:52 +0000
with message-id <e1ooatk-0005dq...@franck.debian.org>
and subject line Bug#593466: fixed in zope-ldapuserfolder 2.9-1+lenny1
has caused the Debian Bug report #593466,
regarding zope-ldapuserfolder: Fails to check password for emergency user
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
593466: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593466
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: zope-ldapuserfolder
Version: 2.9-1
Severity: grave
Tags: security
Justification: user security hole


When an LDAP user folder is enabled, any password is accepted when attempting to log in as the emergency user (that is, the one defined in the 'access' file using zpasswd.py).

/usr/share/zope/Products/LDAPUserFolder/LDAPUserFolder.py fails to check that the password is correct, leading to the above security issue. Patch should be:

--- LDAPUserFolder.py.orig      2010-08-18 12:58:18.000000000 +0100
+++ LDAPUserFolder.py.fixed     2010-08-18 13:50:22.000000000 +0100
@@ -800,7 +800,7 @@
         if not name:
             return None

-        if super and name == super.getUserName():
+        if super and name == super.getUserName() and 
super.authenticate(password, request):
             user = super
         else:
             user = self.getUser(name, password)
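Review bot: the added `+` line is split across two physical lines (`... and` followed by `super.authenticate(password, request):` on the next), so the hunk as pasted is not syntactically valid Python and will not apply cleanly; the condition should be on one line or wrapped in parentheses. A second point on the same branch: when `name` matches the emergency user but `super.authenticate(password, request)` fails, control falls through to the `else` and calls `self.getUser(name, password)`, so a wrong emergency password is still tried against LDAP and an LDAP entry that happens to share the emergency user's name can authenticate through that path; if that is not intended, return None explicitly when the emergency-user check fails. The note assumes `request` is a parameter of the enclosing method, since it is not visible in the quoted context.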

-- System Information:
Debian Release: 5.0.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages zope-ldapuserfolder depends on:
ii  python-ldap                 2.3.5-1      An LDAP interface module for Pytho
ii  zope-common                 0.5.45       common settings and scripts for Zo
ii  zope2.9                     2.9.6-4etch2 Open Source Web Application Server

zope-ldapuserfolder recommends no packages.

zope-ldapuserfolder suggests no packages.

-- no debconf information



--- End Message ---
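The following Python model is an added illustration and is not code from LDAPUserFolder or from the Debian package. It reproduces the two versions of the branch the report's patch changes: the 2.9-1 logic, which selects the emergency user on name alone, and the patched logic, which also requires `super.authenticate(password, request)` to succeed. The `EmergencyUser` class, its salted SHA-256 digest (real zpasswd.py output is a different format), the in-memory LDAP dictionary and every name below are assumptions made for the demonstration; the `request` argument is carried only to mirror the signature in the patch.

```python
"""Model of the emergency-user bypass reported in Debian bug #593466.

Added illustration only: class and function names are stand-ins for the
Zope objects named in the report, not the project's own code.
"""
import hashlib
import hmac


class EmergencyUser:
    """Stand-in for the emergency user defined in the 'access' file.

    The salted SHA-256 digest is an assumption for this demo; zpasswd.py
    writes a different format.
    """

    def __init__(self, name, password, salt=b"constructed-salt"):
        self._name = name
        self._salt = salt
        self._digest = self._hash(password)

    def _hash(self, password):
        return hashlib.sha256(self._salt + password.encode()).hexdigest()

    def getUserName(self):
        return self._name

    def authenticate(self, password, request=None):
        # Constant-time comparison of the digests; `request` is unused here
        # and exists only to mirror the call in the patch.
        return hmac.compare_digest(self._digest, self._hash(password))


class LDAPUserFolderModel:
    """Stand-in for LDAPUserFolder.authenticate, before and after the fix."""

    def __init__(self, emergency_user, ldap_users):
        self._super = emergency_user
        # Constructed directory (name -> password); a real folder would bind
        # against an LDAP server here.
        self._ldap = dict(ldap_users)

    def getUser(self, name, password):
        if name in self._ldap and self._ldap[name] == password:
            return ("ldap", name)
        return None

    def authenticate_vulnerable(self, name, password, request=None):
        # 2.9-1 behaviour: a matching name alone yields the emergency user.
        super_ = self._super
        if not name:
            return None
        if super_ and name == super_.getUserName():
            return ("emergency", name)
        return self.getUser(name, password)

    def authenticate_fixed(self, name, password, request=None):
        # 2.9-1+lenny1 behaviour: the password must verify as well. A failed
        # emergency check still falls through to the LDAP lookup, exactly as
        # in the patch's else branch.
        super_ = self._super
        if not name:
            return None
        if (super_ and name == super_.getUserName()
                and super_.authenticate(password, request)):
            return ("emergency", name)
        return self.getUser(name, password)


def demo():
    """Run the constructed scenario and return each outcome by label."""
    emergency = EmergencyUser("admin", "s3cret")
    # Constructed LDAP directory; 'admin' also exists in LDAP to show the
    # fall-through of the fixed code's else branch.
    folder = LDAPUserFolderModel(
        emergency, {"alice": "wonderland", "admin": "ldap-only-pw"})
    return {
        "vuln_wrong_pw": folder.authenticate_vulnerable("admin", "anything"),
        "fixed_wrong_pw": folder.authenticate_fixed("admin", "anything"),
        "fixed_right_pw": folder.authenticate_fixed("admin", "s3cret"),
        "fixed_ldap_same_name": folder.authenticate_fixed("admin", "ldap-only-pw"),
        "fixed_ldap_user": folder.authenticate_fixed("alice", "wonderland"),
        "fixed_empty_name": folder.authenticate_fixed("", "s3cret"),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:22s} -> {outcome}")
```

Running the block shows the vulnerable path accepting "anything" for the emergency user while the fixed path rejects it; it also shows that, with the patch as written, a rejected emergency login is still handed to the LDAP lookup, so an LDAP account named like the emergency user is authenticated via LDAP rather than refused outright.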
--- Begin Message ---
Source: zope-ldapuserfolder
Source-Version: 2.9-1+lenny1

We believe that the bug you reported is fixed in the latest version of
zope-ldapuserfolder, which is due to be installed in the Debian FTP archive:

zope-ldapuserfolder_2.9-1+lenny1.diff.gz
  to main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1.diff.gz
zope-ldapuserfolder_2.9-1+lenny1.dsc
  to main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1.dsc
zope-ldapuserfolder_2.9-1+lenny1_all.deb
  to main/z/zope-ldapuserfolder/zope-ldapuserfolder_2.9-1+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 593...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <s...@debian.org> (supplier of updated zope-ldapuserfolder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 20 Aug 2010 15:33:32 +0200
Source: zope-ldapuserfolder
Binary: zope-ldapuserfolder
Architecture: source all
Version: 2.9-1+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Mark Hymers <m...@debian.org>
Changed-By: Sebastien Delafond <s...@debian.org>
Description: 
 zope-ldapuserfolder - LDAP user and group source for Zope/Plone
Closes: 593466
Changes: 
 zope-ldapuserfolder (2.9-1+lenny1) stable-security; urgency=high
 .
   * Fix authentication bypass problem (Closes: #593466).
     CVE-2010-2944.
Checksums-Sha1: 
 b4253325654b835f42f7b82e7384973e88470afa 1122 zope-ldapuserfolder_2.9-1+lenny1.dsc
 0071cbd5408822733be7c05bbb9ca8a08799eb6e 106677 zope-ldapuserfolder_2.9.orig.tar.gz
 b637534b048563fe71a979699115b183dce9cf42 2635 zope-ldapuserfolder_2.9-1+lenny1.diff.gz
 1d4169077ab0260e940e4b302750de2b95bf5de6 110686 zope-ldapuserfolder_2.9-1+lenny1_all.deb
Checksums-Sha256: 
 2815a1c50c17c367b2a0e8657d0a14e2bbf894728ea30d4d3595e7bc0c6b4c1e 1122 zope-ldapuserfolder_2.9-1+lenny1.dsc
 ed2bd11dff772e9730bea679b860365d3d86c0e5b7c82c1449920362eca485aa 106677 zope-ldapuserfolder_2.9.orig.tar.gz
 b4b7e50c7e60a9037a52a7771c1e575039312c3d350b40516386ddace2c7c7eb 2635 zope-ldapuserfolder_2.9-1+lenny1.diff.gz
 079d462e9cf904c1451fe82c2b4044c0e346556c965727d8b7a223a307f8dd49 110686 zope-ldapuserfolder_2.9-1+lenny1_all.deb
Files: 
 65bc92834fb17c525b9c5a43589a05e6 1122 web extra zope-ldapuserfolder_2.9-1+lenny1.dsc
 c380401e4de43c4aa5aad8c7af104ac5 106677 web extra zope-ldapuserfolder_2.9.orig.tar.gz
 fdfc884244f970d77f3da18a638a135c 2635 web extra zope-ldapuserfolder_2.9-1+lenny1.diff.gz
 44db774a6142e62e71ac0e0cb9e6fafa 110686 web extra zope-ldapuserfolder_2.9-1+lenny1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkxuhRQACgkQiZgNKcDdyD/5GACeL0dNDzSlBZMjj4he8PdFOs1D
o+cAn2UPYrBs5Dls8hgS8hsjjBG5ql8n
=/XuT
-----END PGP SIGNATURE-----



--- End Message ---