Your message dated Sat, 20 Oct 2012 12:33:06 +0000
with message-id <e1tpyek-0001di...@franck.debian.org>
and subject line Bug#680059: fixed in revelation 0.4.13-1.2
has caused the Debian Bug report #680059,
regarding revelation: FPM exporter doesn't encrypt password files [CVE-2012-3818]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
680059: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680059
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: revelation
Version: 0.4.13-1
Severity: grave
Tags: security
Justification: user security hole

Hey,

it seems that the revelation password manager has an issue in the export
function for the Figaro Password Manager format. A quick test seems to
reveal that it in fact uses the XML (unencrypted) format, while still
asking for a password and not warning the user that the export is
insecure.

I didn't test the other export formats but it might be worth looking at
them.

This has been allocated CVE-2012-3818.

References:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3818
http://knoxin.blogspot.co.uk/2012/06/revelation-password-manager-considered.html
http://als.regnet.cz/fpm2/feedback/2

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages revelation depends on:
ii  gconf2             3.2.5-1
ii  gnome-extra-icons  1.1-2
ii  gnome-icon-theme   3.4.0-2
ii  python             2.7.3-1
ii  python-cracklib    2.8.19-1
ii  python-crypto      2.6-2
ii  python-gnome2      2.28.1+dfsg-1
ii  python-gobject     3.2.2-1
ii  python-gtk2        2.24.0-3
ii  python2.6          2.6.8-0.2
ii  python2.7          2.7.3-1
ii  shared-mime-info   1.0-1

revelation recommends no packages.

revelation suggests no packages.

-- no debconf information



--- End Message ---
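The report above describes the failure mode a password-manager user most needs to catch: an exporter that asks for a passphrase and then writes the secrets in the clear. The following check, added here as an illustration and not code from revelation, FPM or the reporter, searches an export file for known secrets in the forms a "protected" file may still leak them (verbatim, XML-escaped, base64, hex). The sample export, the element names and the secret values are constructed for this example and are not the real FPM or revelation file layout.

```python
import base64
import binascii
from xml.sax.saxutils import escape

# Constructed sample: an "encrypted" export that silently fell back to a
# plaintext XML format. Illustrative only; not the real FPM/revelation layout.
SAMPLE_EXPORT = b"""<?xml version="1.0"?>
<PasswordList>
  <PasswordItem>
    <title>mail</title>
    <user>alice</user>
    <url>imap.example.org</url>
    <password>hunter2&amp;correct-horse</password>
  </PasswordItem>
</PasswordList>
"""

# Constructed: the secrets the user knows went into the export.
KNOWN_SECRETS = {
    "mail": b"hunter2&correct-horse",
    "bank": b"not-in-this-file",
}


def encodings_of(secret: bytes):
    """Yield (name, needle) pairs: the forms a secret may take when a tool
    obfuscates rather than encrypts. Duplicate needles (e.g. a secret whose
    XML-escaped form equals the plain form) are reported only once."""
    forms = [
        ("plain", secret),
        ("xml-escaped", escape(secret.decode("utf-8", "replace")).encode("utf-8")),
        ("base64", base64.b64encode(secret)),
        ("hex", binascii.hexlify(secret)),
        ("hex-upper", binascii.hexlify(secret).upper()),
    ]
    seen = set()
    for name, needle in forms:
        if needle not in seen:
            seen.add(needle)
            yield name, needle


def find_leaks(export: bytes, known_secrets: dict) -> list:
    """Return [(label, encoding)] for every known secret found in the export
    in any of the recognised encodings. An empty list means no known secret
    was recoverable by simple substring search; it does not prove the file
    is well encrypted, only that this obvious failure is absent."""
    leaks = []
    for label, secret in known_secrets.items():
        for enc_name, needle in encodings_of(secret):
            if needle in export:
                leaks.append((label, enc_name))
    return leaks


def export_is_clean(export: bytes, known_secrets: dict) -> bool:
    """True when no known secret appears in the export in any recognised form."""
    return not find_leaks(export, known_secrets)


if __name__ == "__main__":
    for label, enc in find_leaks(SAMPLE_EXPORT, KNOWN_SECRETS):
        print(f"LEAK: secret {label!r} present as {enc}")
    print("clean" if export_is_clean(SAMPLE_EXPORT, KNOWN_SECRETS) else "NOT clean")
```

Run it against the file the exporter produced, with the secrets you know it contains; a non-empty result is sufficient to treat the export as plaintext regardless of what the dialog asked for. A clean result is necessary but not sufficient: a file that passes this test can still be weakly encrypted, so it is a smoke test to run before trusting any export, not a substitute for reading the exporter's code.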
--- Begin Message ---
Source: revelation
Source-Version: 0.4.13-1.2

We believe that the bug you reported is fixed in the latest version of
revelation, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 680...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Pierson <cont...@thomaspierson.fr> (supplier of updated revelation package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 20 Jul 2012 12:12:24 +0200
Source: revelation
Binary: revelation
Architecture: source amd64
Version: 0.4.13-1.2
Distribution: unstable
Urgency: high
Maintainer: Stefan Völkel <ste...@bc-bd.org>
Changed-By: Thomas Pierson <cont...@thomaspierson.fr>
Description: 
 revelation - GNOME2 Password manager
Closes: 680059
Changes: 
 revelation (0.4.13-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
     - Add a new patch to fix CVE-2012-3818 (Closes: #680059). It just disables
       the FPM exporter until it's properly fixed upstream.
Checksums-Sha1: 
 d26326588a00f9c811abecd8fa780980349eedb4 2234 revelation_0.4.13-1.2.dsc
 3d6305981d56e1b9039a4249a90db5c2aafed27a 10371 revelation_0.4.13-1.2.debian.tar.gz
 b298c76e40ffc0b829b8710a0409039abd4b6864 305828 revelation_0.4.13-1.2_amd64.deb
Checksums-Sha256: 
 ae3040a8f3e2efdf9e38cc9d0744b15f8aa21728ed3d0f2272627dadaebf5572 2234 revelation_0.4.13-1.2.dsc
 904cbde5cc6050ee45d15d9810959bbeaad5bba571659c07545adc1401265084 10371 revelation_0.4.13-1.2.debian.tar.gz
 56d679bf2571c4bace265201bb7dd3bcd22d92ba91b48387f04bc2b83b5bfb95 305828 revelation_0.4.13-1.2_amd64.deb
Files: 
 b741a8ec67b199938772826cc2c92026 2234 gnome optional revelation_0.4.13-1.2.dsc
 029f77de0c26d806d88ebbc1609a1de8 10371 gnome optional revelation_0.4.13-1.2.debian.tar.gz
 e38905119880e0ea7adb7ffdeb84ed9c 305828 gnome optional revelation_0.4.13-1.2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Signed by Raphael Hertzog

iQIcBAEBCAAGBQJQf+/8AAoJEOYZBF3yrHKagIcQAInLm4ANw6lVvTnvqhIl+oA1
8468G1bY6NMnPTLRWSSTHVlXCfzP9XNv1U+LSFXLkTijvXj2Sed2y4Y9z7YvgHSs
2PMLuBHW71aQCZg6uJTBdrx0LPL4bsrEXXAaSizsgdu8q6xHDOb2LYuJKcNVl/0j
bop4fS6Mb98NBxHQyP+xlPQrv/q5f1awVygyxo+BrGZyiNdquMkdjX/OHkF1SBtZ
3aPjXuA3jZRBPvWMQrAyiJvrlg5em25ut+9GGSan3a3m0txvddAdUtPTWTYCXCuJ
0Jrzmbvg4Lx0+YEZJcfmV1RERkd1BX/IFPaPp32xUnKF4yrqqrR5eo4AnrvelrIA
ApB5nrSZyXT49jGezOWCBujCZLLou1qkw2EKBuwVMK9zWeLfOvLuzDmYxm5gMvNB
rzY5/XtYdamfNRGdxLu7qp92GF64Qt7JCuUkSTt1gdA1jBkP7KZnpS8LavqM/O4I
fMu+ymJl0yvYh1hK6UCYOgYMD55Gi3DXQa17XDpJViEUceWz8XLQHo0rAzQK/2Za
0oWldAk4YsWXfFhRMegjl+zXXCwW7s+DOlWK5FC1nQuATmXSminXP7wvySHA/lL6
IVeIPca9y6bWGTjm3THvzMqsbTBFsZ/wsJ3K5V8fXd/ejHMLWWAu1Ovj94PG8e86
JHCuhlp2G/5aE9T5tA+x
=OUAA
-----END PGP SIGNATURE-----

--- End Message ---