Your message dated Sat, 21 Jun 2014 18:32:04 +0000
with message-id <e1wyq56-0007a9...@franck.debian.org>
and subject line Bug#751834: fixed in iodine 0.6.0~rc1-12+deb7u1
has caused the Debian Bug report #751834,
regarding iodine: CVE-2014-4168: authentication bypass
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
751834: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751834
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: iodine
Version: 0.6.0~rc1-2
Severity: grave
Tags: security upstream patch fixed-upstream
Justification: user security hole
Hi Gregor,
There was a new upstream version for iodine released fixing an
authentication bypass vulnerability.
Upstream commit is at [1], but no CVE is assigned[2] so far.
[1] https://github.com/yarrick/iodine/commit/b715be5cf3978fbe589b03b09c9398d0d791f850
[2] http://www.openwall.com/lists/oss-security/2014/06/16/5
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: iodine
Source-Version: 0.6.0~rc1-12+deb7u1
We believe that the bug you reported is fixed in the latest version of
iodine, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 751...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <gre...@debian.org> (supplier of updated iodine package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Tue, 17 Jun 2014 21:27:48 +0200
Source: iodine
Binary: iodine
Architecture: source amd64
Version: 0.6.0~rc1-12+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: gregor herrmann <gre...@debian.org>
Changed-By: gregor herrmann <gre...@debian.org>
Description:
iodine - tool for tunneling IPv4 data through a DNS server
Closes: 751834
Changes:
iodine (0.6.0~rc1-12+deb7u1) wheezy-security; urgency=high
.
* Add patch 0001-Fix-authentication-bypass-bug.patch from upstream's
iodine-0.6.0 branch.
.
This fixes a security problem where the client could bypass the password
check by continuing after getting an error from the server and guessing
the network parameters and the server would still accept the rest of the
setup and also network traffic. The patch adds checks for normal and raw
mode that the user has authenticated before allowing any other communication.
.
Thanks to Salvatore Bonaccorso for the bug report, and Erik Ekman for
backporting the fix super fast.
(Closes: #751834)
.
Set urgency=high.
--- End Message ---
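
The class of bug described in the changelog above, as an added example that is not part of the original messages and is not iodine's code: a simplified server-side session handler in which the post-login commands either trust the client to stop after a failed login or check the per-user authenticated flag. All names (handle, CMD_*, R_*, struct session) are hypothetical, login_ok stands in for the real credential check, and the model does not distinguish normal and raw mode.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of a tunnel server's per-user state (hypothetical names). */
enum cmd { CMD_HELLO, CMD_LOGIN, CMD_SETUP, CMD_DATA };
enum result { R_OK, R_BAD_LOGIN, R_NOT_AUTHED, R_BAD_USER };

struct session { bool active; bool authenticated; bool configured; unsigned packets; };

#define MAX_USERS 4
static struct session users[MAX_USERS];

/* login_ok stands in for the real credential check (assumption).
 * enforce_auth = false models the pre-fix server, true the patched one. */
enum result handle(int uid, enum cmd c, bool login_ok, bool enforce_auth)
{
    if (uid < 0 || uid >= MAX_USERS)
        return R_BAD_USER;
    struct session *s = &users[uid];

    if (c == CMD_HELLO) {            /* a new session always starts unauthenticated */
        *s = (struct session){ .active = true };
        return R_OK;
    }
    if (!s->active)
        return R_BAD_USER;
    if (c == CMD_LOGIN) {
        s->authenticated = login_ok;
        return login_ok ? R_OK : R_BAD_LOGIN;
    }
    /* Everything after login: setup and tunnel data. The server must not
     * rely on the client stopping once it has been sent R_BAD_LOGIN. */
    if (enforce_auth && !s->authenticated)
        return R_NOT_AUTHED;
    if (c == CMD_SETUP)
        s->configured = true;
    else
        s->packets++;
    return R_OK;
}

int main(void)
{
    handle(0, CMD_HELLO, false, false);
    handle(0, CMD_LOGIN, false, false);   /* login rejected */
    printf("pre-fix, data after failed login: %d\n", handle(0, CMD_DATA, false, false));
    handle(1, CMD_HELLO, false, true);
    handle(1, CMD_LOGIN, false, true);    /* login rejected */
    printf("patched, data after failed login: %d\n", handle(1, CMD_DATA, false, true));
    return 0;
}
```

The check sits in the one code path every post-login command passes through, so a command added later inherits it instead of needing its own test.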