Your message dated Sun, 17 Feb 2013 07:47:29 +0000
with message-id <e1u6yy9-0000oy...@franck.debian.org>
and subject line Bug#700669: fixed in pyrad 1.2-1+deb7u2
has caused the Debian Bug report #700669,
regarding pyrad: CVE-2013-0294: potentially predictable password hashing and packet IDs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
700669: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700669
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pyrad
Version: 2.0-1
Severity: grave
Tags: security
Control: found -1 1.2-1

Hi,
the following vulnerabilities were published for pyrad.

CVE-2013-0294[0]:
potentially predictable password hashing

CVE-2013-0295[1]:
CreateID() creates serialized packet IDs for RADIUS

Note: it is currently under discussion whether only one CVE should be
assigned for this issue.

A patch is available at [2] that uses random.SystemRandom() to get a
cryptographically safe random generator instead of random. I have chosen
severity grave because of this reasoning:

CVE-2013-0294: [...] In the case of the authenticator data, it was being
used to secure a password sent over the wire.  Because Python's random
module is not really suited for this purpose (not random enough), it
could lead to password hashing that may be predictable.

CVE-2013-0295: [...] This is not suitable for RADIUS as the RFC
specifies that the ID must not be predictable.  As a result, the ID of
the next packet sent can be spoofed.

(from Red Hat bugreports)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://security-tracker.debian.org/tracker/CVE-2013-0294
[1] http://security-tracker.debian.org/tracker/CVE-2013-0295
[2] https://github.com/wichert/pyrad/commit/38f74b36814ca5b1a27d9898141126af4953bee5

Regards,
Salvatore

--- End Message ---
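The report above contrasts two generator choices but does not show the RADIUS mechanics they protect. The following is an added example, not pyrad's code and not the patch at [2]: a plain RFC 2865 section 5.2 User-Password encoder/decoder (the "password hashing" CVE-2013-0294 refers to), the weak Mersenne Twister pattern beside the random.SystemRandom() replacement the report names, the sequential-identifier pattern it describes for CreateID() beside a CSPRNG-drawn one, and one concrete cost of an authenticator that a poor generator repeats (same seed after a restart, for instance): the MD5 keystream repeats, so the XOR of two obfuscated passwords equals the XOR of the plaintexts with the shared secret dropping out. The secret, passwords and seed are constructed for the illustration; RFC 2865 requires the Request Authenticator to be unpredictable and unique over the lifetime of a shared secret.

```python
# Added example (not pyrad's code): RFC 2865 User-Password obfuscation and
# the generator choices the report contrasts. The shared secret, sample
# passwords and seed below are constructed for this illustration.
import hashlib
import random


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of
    16, then XOR block i with MD5(secret + previous ciphertext block).
    Block 0 is keyed with the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def pap_decode(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode. Strips the NUL padding, so a password that
    itself ends in NUL bytes would lose them (RFC behaviour)."""
    if len(authenticator) != 16 or len(ciphertext) % 16:
        raise ValueError("bad authenticator or ciphertext length")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def predictable_authenticator(seed: int) -> bytes:
    """The weak pattern: 16 bytes from a Mersenne Twister instance.
    Anyone who knows the seed, or recovers the state from earlier
    outputs, reproduces every authenticator the client will send."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(16))


def strong_authenticator() -> bytes:
    """The fix named in the report: random.SystemRandom draws from the OS
    CSPRNG (os.urandom), so outputs are neither seed-derived nor
    recoverable from previous values."""
    rng = random.SystemRandom()
    return bytes(rng.getrandbits(8) for _ in range(16))


def sequential_ids(start: int, count: int) -> list:
    """The packet-ID pattern the report describes for CreateID():
    each Identifier is the previous one plus one, modulo 256, so one
    observed ID reveals the next."""
    return [(start + i) & 0xFF for i in range(count)]


def random_id() -> int:
    """Identifier drawn from the OS CSPRNG instead of a counter."""
    return random.SystemRandom().randrange(256)


def shared_authenticator_leak(p1: bytes, p2: bytes, secret: bytes,
                              authenticator: bytes) -> bytes:
    """What a repeated authenticator costs: both first blocks are XORed
    with the same MD5(secret + authenticator), so c1 XOR c2 equals
    p1 XOR p2 for those 16 bytes. An observer of the two requests gets
    this without knowing the shared secret at all."""
    c1 = pap_encode(p1, secret, authenticator)
    c2 = pap_encode(p2, secret, authenticator)
    return bytes(a ^ b for a, b in zip(c1[:16], c2[:16]))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    weak = predictable_authenticator(2013)
    print("same seed, same authenticator:",
          weak == predictable_authenticator(2013))
    print("sequential IDs from 254:", sequential_ids(254, 4))
    leak = shared_authenticator_leak(b"hunter2", b"letmein!", secret, weak)
    print("c1 ^ c2 for the first block:", leak.hex())
    strong = strong_authenticator()
    ct = pap_encode(b"correct horse battery staple", secret, strong)
    print("round trip:", pap_decode(ct, secret, strong))
```

Two caveats a practitioner will want. A fixed seed is used here only to make the repetition visible; a default-seeded Mersenne Twister is also recoverable from 624 consecutive 32-bit outputs, so the weakness is the generator class, not the seeding alone. And swapping in random.SystemRandom() fixes the unpredictability requirement but nothing else: the User-Password attribute is still an MD5 keystream keyed by a shared secret, which is why RADIUS is expected to run over a protected transport.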
--- Begin Message ---
Source: pyrad
Source-Version: 1.2-1+deb7u2

We believe that the bug you reported is fixed in the latest version of
pyrad, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Lainé <jeremy.la...@m4x.org> (supplier of updated pyrad package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 17 Feb 2013 08:21:08 +0100
Source: pyrad
Binary: python-pyrad
Architecture: source all
Version: 1.2-1+deb7u2
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Jeremy Lainé <jeremy.la...@m4x.org>
Changed-By: Jeremy Lainé <jeremy.la...@m4x.org>
Description: 
 python-pyrad - Python module for creating and decoding RADIUS packets
Closes: 700669
Changes: 
 pyrad (1.2-1+deb7u2) testing-proposed-updates; urgency=high
 .
   * Use a better random number generator to prevent predictable password
     hashing and packet IDs (CVE-2013-0294, Closes: #700669).
Checksums-Sha1: 
 ad15e6490d209ffefa8197ea6a012a1c645d8d35 1400 pyrad_1.2-1+deb7u2.dsc
 8c31ff38bbd7564166bbd64ff2375fd0155e49b4 3011 pyrad_1.2-1+deb7u2.diff.gz
 1919871040e60642aed07ab9307246642fc1a853 29926 python-pyrad_1.2-1+deb7u2_all.deb
Checksums-Sha256: 
 c78758b6be2b52949208380c7d4624c6a3db79563c53479024a654bfb7365dd1 1400 pyrad_1.2-1+deb7u2.dsc
 3da9be0a798c8483c20c2bb7da0a40066357283b710218a8e3e6d71491169489 3011 pyrad_1.2-1+deb7u2.diff.gz
 5d9ab1b31a7a231bbc9efce97b65baa3a52ee664719cfee655e1238bbeeddbaa 29926 python-pyrad_1.2-1+deb7u2_all.deb
Files: 
 235fd3417e25636a86529f6a6e52597d 1400 python optional pyrad_1.2-1+deb7u2.dsc
 5b678fd3330115adb5891a41d1837a35 3011 python optional pyrad_1.2-1+deb7u2.diff.gz
 0ee10e5eeb9d8919b0df083f3d8abb75 29926 python optional python-pyrad_1.2-1+deb7u2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlEgh5sACgkQ4mJJZqJp2SfnNwCgxyW0D6wDoSiRkPU+4ZRCQ1OG
qngAoMTOIshs+xOqpBx9kLdpHW+agZI+
=aghV
-----END PGP SIGNATURE-----

--- End Message ---
