Your message dated Sat, 02 Mar 2013 19:17:04 +0000
with message-id <e1ubrvc-0006wr...@franck.debian.org>
and subject line Bug#700669: fixed in pyrad 1.2-1+deb6u1
has caused the Debian Bug report #700669,
regarding pyrad: CVE-2013-0294: potentially predictable password hashing and packet IDs
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
700669: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700669
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pyrad
Version: 2.0-1
Severity: grave
Tags: security
Control: found -1 1.2-1
Hi,
the following vulnerabilities were published for pyrad.
CVE-2013-0294[0]:
potentially predictable password hashing
CVE-2013-0295[1]:
CreateID() creates serialized packet IDs for RADIUS
Note: it's currently under discussion if there should only be assigned
one CVE for this issue.
A patch is available at [2] using random.SystemRandom() to use a
cryptographically safe random generator instead of random. I have chosen
severity grave because of this reasoning:
CVE-2013-0294: [...] In the case of the authenticator data, it was being
used to secure a password sent over the wire. Because Python's random
module is not really suited for this purpose (not random enough), it
could lead to password hashing that may be predictable.
CVE-2013-0295: [...] This is not suitable for RADIUS as the RFC
specifies that the ID must not be predictable. As a result, the ID of
the next packet sent can be spoofed.
(from Red Hat bugreports)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] http://security-tracker.debian.org/tracker/CVE-2013-0294
[1] http://security-tracker.debian.org/tracker/CVE-2013-0295
[2] https://github.com/wichert/pyrad/commit/38f74b36814ca5b1a27d9898141126af4953bee5
Regards,
Salvatore
--- End Message ---
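To make the reasoning in the report concrete, here is an added illustration (not pyrad's code and not the patch referenced above) of the two patterns it describes: a hypothetical WeakPacketSource that hands out sequential packet IDs and builds the 16-byte Request Authenticator from Python's default Mersenne Twister random module, beside a HardenedPacketSource that draws both from random.SystemRandom(). The pap_hide/pap_unhide helpers implement the standard RFC 2865 User-Password hiding (XOR with MD5 of shared secret plus authenticator), which shows why a repeatable authenticator matters: with the same secret and the same authenticator the same password always hides to the same bytes. ids_look_sequential is a small defender-side check, assumed here and not part of pyrad, for spotting sequential IDs in captured traffic. All names and sample values are constructed for the example.

```python
import hashlib
import random


def pap_hide(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: the password is padded to a
    multiple of 16 bytes and each block is XORed with MD5(secret + previous
    block); for the first block the 'previous block' is the Request
    Authenticator. A predictable authenticator therefore means a
    predictable keystream for a given shared secret."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def pap_unhide(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of pap_hide; trailing NUL padding is stripped, so passwords
    that legitimately end in NUL bytes are not supported by this helper."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


class WeakPacketSource:
    """Hypothetical pre-fix pattern as described in the bug report:
    serialized packet IDs and a non-cryptographic PRNG for the authenticator.
    Two instances with the same seed produce identical output."""

    def __init__(self, seed=None):
        self._rng = random.Random(seed)  # Mersenne Twister, not a CSPRNG
        self._next_id = 0

    def create_id(self) -> int:
        pid = self._next_id
        self._next_id = (pid + 1) % 256
        return pid

    def create_authenticator(self) -> bytes:
        return bytes(self._rng.randrange(256) for _ in range(16))


class HardenedPacketSource:
    """Hypothetical post-fix pattern: both the ID and the authenticator come
    from random.SystemRandom(), which reads from the OS entropy source."""

    def __init__(self):
        self._rng = random.SystemRandom()

    def create_id(self) -> int:
        return self._rng.randrange(256)

    def create_authenticator(self) -> bytes:
        return self._rng.getrandbits(128).to_bytes(16, "big")


def ids_look_sequential(ids, min_run: int = 4) -> bool:
    """Defender-side check over observed packet IDs: True if at least
    min_run consecutive IDs increment by one (mod 256)."""
    run = 1
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if (a + 1) % 256 == b else 1
        if run >= min_run:
            return True
    return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    weak_a, weak_b = WeakPacketSource(seed=1), WeakPacketSource(seed=1)
    print("weak IDs:", [weak_a.create_id() for _ in range(5)])
    print("weak authenticators equal:",
          weak_a.create_authenticator() == weak_b.create_authenticator())
    strong = HardenedPacketSource()
    auth = strong.create_authenticator()
    hidden = pap_hide(secret, auth, b"hunter2")
    print("round trip ok:", pap_unhide(secret, auth, hidden) == b"hunter2")
```

Running the module prints that two seeded weak sources agree on every ID and authenticator, whereas the hardened source never repeats an authenticator in practice (a 128-bit collision is not a realistic concern) and its IDs are no longer a counter, which is what the report's reference to the RFC requirement on unpredictable IDs is about.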
--- Begin Message ---
Source: pyrad
Source-Version: 1.2-1+deb6u1
We believe that the bug you reported is fixed in the latest version of
pyrad, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeremy Lainé <jeremy.la...@m4x.org> (supplier of updated pyrad package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 19 Feb 2013 08:43:13 +0100
Source: pyrad
Binary: python-pyrad
Architecture: source all
Version: 1.2-1+deb6u1
Distribution: stable-proposed-updates
Urgency: high
Maintainer: Jeremy Lainé <jeremy.la...@m4x.org>
Changed-By: Jeremy Lainé <jeremy.la...@m4x.org>
Description:
python-pyrad - Python module for creating and decoding RADIUS packets
Closes: 700669
Changes:
pyrad (1.2-1+deb6u1) stable-proposed-updates; urgency=high
.
* Use a better random number generator to prevent predictable password
hashing and packet IDs (CVE-2013-0294, Closes: #700669).
Checksums-Sha1:
26e3da7197f1901966a84fe83aab0f89b4ad19a3 1351 pyrad_1.2-1+deb6u1.dsc
6179c7eea6e7020de95108b13f421d1fc670e651 3008 pyrad_1.2-1+deb6u1.diff.gz
ae0e8e2d5c0309c509fa0ba36e56c630d0aab59d 29918 python-pyrad_1.2-1+deb6u1_all.deb
Checksums-Sha256:
29f5fea3dac57c3acaed69df64cb7c4725a0a300de32219bce31085750d1c923 1351 pyrad_1.2-1+deb6u1.dsc
a5f74b8515b67f1b72d15c946a4fff45c6c290f35ff630037c68ac931dd5e7c5 3008 pyrad_1.2-1+deb6u1.diff.gz
1044a2e45c45b4a6bfe6031fe6fa369c42d6b27ec425ce0c0597cc75c81ebc0e 29918 python-pyrad_1.2-1+deb6u1_all.deb
Files:
f4d6ad3662815cc294060927c91dad32 1351 python optional pyrad_1.2-1+deb6u1.dsc
ce7c3a7a49fc155f2f1b077cd0109218 3008 python optional pyrad_1.2-1+deb6u1.diff.gz
f7dfaaab17e14ba97d7218221ec4937f 29918 python optional python-pyrad_1.2-1+deb6u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iEYEARECAAYFAlEjcFgACgkQ4mJJZqJp2ScI7QCfcvLnZHxC6H3z6GKqpe2bq80d
uKUAnjZYMMyUUEnCWsx7jQ664aDf/E73
=ZrzJ
-----END PGP SIGNATURE-----
--- End Message ---