Your message dated Fri, 21 Apr 2006 14:33:25 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#353589: fixed in pam-mysql 0.6.2-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libpam-mysql
Severity: important
Tags: security
Hello,
CVE-2005-4713 and CVE-2006-0056 indicate that there are two vulnerabilities in
libpam-mysql. The first is a remote denial of service
vulnerability in the SQL logging facility of libpam-mysql. The second is
a "double-free" vulnerability. These issues allow local *and* remote
attackers to execute arbitrary machine code in the context of the
affected module. Attackers may also crash applications that use the PAM
module, denying service to legitimate users. Applications that execute
the PAM module with superuser privileges will allow attackers to
completely compromise affected computers.
According to http://www.securityfocus.com/bid/16564 the versions in oldstable
(woody), stable (sarge) and testing/unstable are all vulnerable to this
issue.
The vendor has released versions 0.6.2 and 0.7pre3 of the affected
package to address these issues.
The official advisory is here:
http://sourceforge.net/forum/forum.php?forum_id=499394
Please mention these CVE ids in any changelog addressing this issue.
Thanks,
Micah
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
--- End Message ---
--- Begin Message ---
Source: pam-mysql
Source-Version: 0.6.2-1
We believe that the bug you reported is fixed in the latest version of
pam-mysql, which is due to be installed in the Debian FTP archive:
libpam-mysql_0.6.2-1_i386.deb
to pool/main/p/pam-mysql/libpam-mysql_0.6.2-1_i386.deb
pam-mysql_0.6.2-1.diff.gz
to pool/main/p/pam-mysql/pam-mysql_0.6.2-1.diff.gz
pam-mysql_0.6.2-1.dsc
to pool/main/p/pam-mysql/pam-mysql_0.6.2-1.dsc
pam-mysql_0.6.2.orig.tar.gz
to pool/main/p/pam-mysql/pam-mysql_0.6.2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Paweł Więcek <[EMAIL PROTECTED]> (supplier of updated pam-mysql package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Fri, 21 Apr 2006 07:20:56 +0200
Source: pam-mysql
Binary: libpam-mysql
Architecture: source i386
Version: 0.6.2-1
Distribution: unstable
Urgency: high
Maintainer: Paweł Więcek <[EMAIL PROTECTED]>
Changed-By: Paweł Więcek <[EMAIL PROTECTED]>
Description:
libpam-mysql - PAM module allowing authentication from a MySQL server
Closes: 292097 307861 332714 353589 356745
Changes:
pam-mysql (0.6.2-1) unstable; urgency=high
.
* New upstream version (closes: #332714, #353589, #307861, #292097)
* Severity high because it fixes critical vulnerabilities (CVE-2005-4713,
CVE-2006-0056)
* Rebuilt against libmysqlclient15 (closes: #356745)
* Updated standards version and debhelper compatibility level
Files:
9278c9943ededb5fda67d6f96982a877 608 admin extra pam-mysql_0.6.2-1.dsc
7f0ffb17c7aefe62ad07beaa6bbbc641 325746 admin extra pam-mysql_0.6.2.orig.tar.gz
07233bc868556e6917e6ebce49fe9d7a 2481 admin extra pam-mysql_0.6.2-1.diff.gz
7e7c5e478cd3bf2d1f1c60b40fdf8f35 21488 admin extra libpam-mysql_0.6.2-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFESUYRBOdjEO/Bh3ARAlbAAJ4z/NdKoGjOA/yC/oIaCZgxbd6y+wCdEmXi
oyJgtzZL8o3RUwlAgysZ+Uw=
=8XYB
-----END PGP SIGNATURE-----
--- End Message ---