Your message dated Sat, 21 Jun 2014 13:48:24 +0000
with message-id <e1wylea-0001wa...@franck.debian.org>
and subject line Bug#751834: fixed in iodine 0.6.0~rc1-2+deb6u1
has caused the Debian Bug report #751834,
regarding iodine: CVE-2014-4168: authentication bypass
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
751834: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751834
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: iodine
Version: 0.6.0~rc1-2
Severity: grave
Tags: security upstream patch fixed-upstream
Justification: user security hole
Hi Gregor,
There was a new upstream version for iodine released fixing an
authentication bypass vulnerability.
Upstream commit is at [1], but no CVE is yet assigned[2] so far.
[1] https://github.com/yarrick/iodine/commit/b715be5cf3978fbe589b03b09c9398d0d791f850
[2] http://www.openwall.com/lists/oss-security/2014/06/16/5
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: iodine
Source-Version: 0.6.0~rc1-2+deb6u1
We believe that the bug you reported is fixed in the latest version of
iodine, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 751...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <gre...@debian.org> (supplier of updated iodine package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 21 Jun 2014 15:31:04 +0200
Source: iodine
Binary: iodine
Architecture: source amd64
Version: 0.6.0~rc1-2+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: gregor herrmann <gre...@debian.org>
Changed-By: gregor herrmann <gre...@debian.org>
Description:
iodine - tool for tunneling IPv4 data through a DNS server
Closes: 751834
Changes:
iodine (0.6.0~rc1-2+deb6u1) squeeze-lts; urgency=high
.
* Add patch 0001-Fix-authentication-bypass-bug.patch from upstream's
iodine-0.6.0 branch.
.
This fixes a security problem where the client could bypass the password
check by continuing after getting an error from the server and guessing
the network parameters and the server would still accept the rest of the
setup and also network traffic. The patch adds checks for normal and raw
mode that user has authenticated before allowing any other communication.
.
Thanks to Salvatore Bonaccorso for the bug report, and Erik Ekman for
backporting the fix super fast.
(Closes: #751834 - CVE-2014-4168)
.
Set urgency=high.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---
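
The bug class described in the changelog above, as an added example that is not part of the original messages and is not iodine's code: a server that reports a login error but still processes later commands, next to a handler that checks for an authenticated session first. The command names, session layout and the password-check stand-in are hypothetical.

```c
#include <string.h>

/* Hypothetical names and layout for illustration; not iodine's identifiers. */
enum cmd { CMD_LOGIN, CMD_SETUP, CMD_DATA };
enum result { R_OK, R_BAD_LOGIN, R_REJECTED };

struct session {
    int authenticated;  /* set only by a successful login */
    int packets;        /* tunnel packets accepted so far */
};
typedef enum result (*handler_fn)(struct session *, enum cmd, const char *);

/* Constructed stand-in for the real password check. */
static int login_ok(const char *resp) { return resp && strcmp(resp, "good") == 0; }

static enum result dispatch(struct session *s, enum cmd c, const char *arg)
{
    switch (c) {
    case CMD_LOGIN:
        s->authenticated = login_ok(arg);
        return s->authenticated ? R_OK : R_BAD_LOGIN;
    case CMD_SETUP: return R_OK;               /* network parameters accepted */
    case CMD_DATA:  s->packets++; return R_OK; /* tunnel traffic accepted */
    }
    return R_REJECTED;
}

/* Before the fix: the login error is returned, but nothing stops later commands. */
enum result handle_unchecked(struct session *s, enum cmd c, const char *arg)
{
    return dispatch(s, c, arg);
}

/* After the fix: every command other than login needs an authenticated session. */
enum result handle_checked(struct session *s, enum cmd c, const char *arg)
{
    if (c != CMD_LOGIN && !s->authenticated)
        return R_REJECTED;
    return dispatch(s, c, arg);
}

/* A client that ignores the login error and carries on; returns packets accepted. */
int packets_after_failed_login(handler_fn h)
{
    struct session s = {0, 0};
    h(&s, CMD_LOGIN, "wrong");
    h(&s, CMD_SETUP, NULL);
    h(&s, CMD_DATA, "payload");
    return s.packets;
}
```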