Your message dated Sat, 16 Feb 2013 23:17:26 +0000
with message-id <e1u6r0y-0007iu...@franck.debian.org>
and subject line Bug#700669: fixed in pyrad 1.2-1+deb7u1
has caused the Debian Bug report #700669,
regarding pyrad: CVE-2013-0294: potentially predictable password hashing and packet IDs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
700669: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700669
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pyrad
Version: 2.0-1
Severity: grave
Tags: security
Control: found -1 1.2-1

Hi,
the following vulnerabilities were published for pyrad.

CVE-2013-0294[0]:
potentially predictable password hashing

CVE-2013-0295[1]:
CreateID() creates serialized packet IDs for RADIUS

Note: it is currently under discussion whether only one CVE should be
assigned for this issue.

A patch is available at [2] using random.SystemRandom() to use a
cryptographically safe random generator instead of random. I have chosen
severity grave because of this reasoning:

CVE-2013-0294: [...] In the case of the authenticator data, it was being
used to secure a password sent over the wire.  Because Python's random
module is not really suited for this purpose (not random enough), it
could lead to password hashing that may be predictable.

CVE-2013-0295: [...] This is not suitable for RADIUS as the RFC
specifies that the ID must not be predictable.  As a result, the ID of
the next packet sent can be spoofed.

(from Red Hat bugreports)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-0294
[1] http://security-tracker.debian.org/tracker/CVE-2013-0295
[2] https://github.com/wichert/pyrad/commit/38f74b36814ca5b1a27d9898141126af4953bee5

Regards,
Salvatore

--- End Message ---
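As an added illustration of the fix the report above describes (example code written for this page, not pyrad's own code and not the patch at [2]): the 16-byte Request Authenticator and the packet Identifier are drawn from the OS CSPRNG, and the RFC 2865 User-Password hiding below shows why the authenticator is what secures the password on the wire. The function names, shared secret and password are constructed for the example.

```python
import hashlib
import os
import random

# Added example, not pyrad's code or the patch the report links to. It draws
# the two values the advisory names, the 16-byte Request Authenticator and the
# packet Identifier, from the OS CSPRNG (os.urandom / random.SystemRandom)
# rather than the Mersenne Twister behind the random module's functions.
_sysrand = random.SystemRandom()


def create_authenticator() -> bytes:
    """16-byte Request Authenticator (RFC 2865 s.3). It must be unpredictable
    and unique per request: it seeds the keystream hiding User-Password."""
    return os.urandom(16)


def create_id() -> int:
    """Packet Identifier (0-255), random rather than a sequential counter."""
    return _sysrand.randrange(0, 256)


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s.5.2 User-Password hiding: NUL-pad to a multiple of 16, then
    XOR each block with MD5(secret + previous block), where the 'previous
    block' for the first block is the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")
```

With a fixed or repeating authenticator the keystream MD5(secret + authenticator) repeats across requests, so two hidden passwords XOR to the XOR of the plaintexts; a fresh os.urandom(16) per request is what prevents that.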
--- Begin Message ---
Source: pyrad
Source-Version: 1.2-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
pyrad, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Lainé <jeremy.la...@m4x.org> (supplier of updated pyrad package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Sat, 16 Feb 2013 23:45:16 +0100
Source: pyrad
Binary: python-pyrad
Architecture: source all
Version: 1.2-1+deb7u1
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Jeremy Lainé <jeremy.la...@m4x.org>
Changed-By: Jeremy Lainé <jeremy.la...@m4x.org>
Description: 
 python-pyrad - Python module for creating and decoding RADIUS packets
Closes: 700669
Changes: 
 pyrad (1.2-1+deb7u1) testing-proposed-updates; urgency=high
 .
   * Use a better random number generator to prevent predictable password
     hashing and packet IDs (CVE-2013-0294, Closes: #700669).

--- End Message ---