Your message dated Tue, 28 Oct 2014 04:34:02 +0000
with message-id <e1xiytq-0003de...@franck.debian.org>
and subject line Bug#725507: fixed in pwgen 2.07-1
has caused the Debian Bug report #725507,
regarding CVE-2013-4440: trivially weak passwords if no tty
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
725507: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725507
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pwgen
Version: 2.06-1+b2
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I created 813950 passwords with
while true; do pwgen -N 50 >> /tmp/passwords; done

sorted them and looked for duplicates with uniq -c -d. In theory, there are
26^8=2E11 different possible passwords. But in reality, I got many duplicates:

Number of non unique passwords    Number of duplications of one password
34841                             2 times
5636                              3 times
1725                              4 times
895                               5 times
1045                              6 or more times
======
44142

105146 out of 813950 generated passwords were non-unique. This is around 13
percent or every seventh password. My statistics classes were a few years ago
but I don't feel comfortable with these numbers.

Regards, Thomas Koch


- -- System Information:
Debian Release: 7.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10-0.bpo.3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pwgen depends on:
ii  libc6  2.13-38

pwgen recommends no packages.

pwgen suggests no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--- End Message ---
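
The duplicate count in the report above, set against what a uniform generator over the same space would produce. This is an added example, not part of the original report and not pwgen code. The 26^8 space and the totals are the reporter's figures, the function names are made up here, and the effective-space figure assumes a uniform source.

```python
import math
from collections import Counter

SPACE = 26 ** 8        # password space the reporter assumes
N = 813950             # passwords generated in the report
NONUNIQUE = 105146     # generated passwords that were not unique (report)


def expected_colliding_pairs(n, space):
    """Expected number of equal pairs among n uniform draws (birthday bound)."""
    return n * (n - 1) / (2 * space)


def expected_nonunique(n, space):
    """Expected number of draws whose value also occurs in another draw."""
    p_match = -math.expm1((n - 1) * math.log1p(-1.0 / space))
    return n * p_match


def effective_space(n, nonunique):
    """Size of a uniform space that would give this non-unique share.

    Inverts expected_nonunique() using (1 - 1/M)^(n-1) ~ exp(-(n-1)/M).
    A rough model only (assumption): the real generator need not be uniform.
    """
    return -(n - 1) / math.log1p(-nonunique / n)


def duplicate_histogram(passwords):
    """Same tally as `sort | uniq -c -d`, bucketed by repeat count."""
    per_password = Counter(passwords)
    return dict(Counter(c for c in per_password.values() if c > 1))


if __name__ == "__main__":
    sample = ["aaa", "bbb", "aaa", "ccc", "bbb", "aaa", "ddd"]  # constructed
    print("histogram of sample:", duplicate_histogram(sample))
    print("expected colliding pairs: %.2f" % expected_colliding_pairs(N, SPACE))
    print("expected non-unique:      %.2f" % expected_nonunique(N, SPACE))
    print("observed non-unique:      %d" % NONUNIQUE)
    print("assumed space:   %.1f bits" % math.log2(SPACE))
    print("effective space: %.1f bits" % math.log2(effective_space(N, NONUNIQUE)))
```

To run the tally on a real file, pass its lines (one password per line, whitespace stripped) to duplicate_histogram().
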
--- Begin Message ---
Source: pwgen
Source-Version: 2.07-1

We believe that the bug you reported is fixed in the latest version of
pwgen, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 725...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Theodore Y. Ts'o <ty...@mit.edu> (supplier of updated pwgen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 27 Oct 2014 23:30:52 -0400
Source: pwgen
Binary: pwgen pwgen-udeb
Architecture: source i386
Version: 2.07-1
Distribution: unstable
Urgency: high
Maintainer: Theodore Y. Ts'o <ty...@mit.edu>
Changed-By: Theodore Y. Ts'o <ty...@mit.edu>
Description:
 pwgen      - Automatic Password generation
 pwgen-udeb - Automatic Password generation (udeb)
Closes: 725507 767008
Changes:
 pwgen (2.07-1) unstable; urgency=high
 .
   * New upstream version
   * Remove backwards compatibility for no-tty mode.  Addresses
     CVE-2013-4440 (Closes: #725507)
   * Fail hard if /dev/urandom and /dev/random are not available.
     Addresses CVE-2013-4442 and Launchpad #1183213 (Closes: #767008)
   * Fix pwgen -B so that it doesn't accidentally generate passwords with
     ambiguous characters after changing the case of some letters.
     Addresses Launchpad Bugs #638418 and #1349863
   * Fix potential portability bug on architectures where unsigned ints
     are not 4 bytes long
   * Update Debian policy compliance to 3.9.6.0
   * Build with Debian hardening using dpkg-buildflags
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----

--- End Message ---