The operator precedence you quote from line 696 looks like the fixed
one, not the buggy one?
--
might allow to bypass authentication
https://bugs.launchpad.net/bugs/242690
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs
Naive question about a bug that was closed a year ago...
Can a user do a similar thing with pam_pgsql when changing her password?
For example the operator precedence in pam_sm_chauthtok() line 696 is:
if ((rc = pam_get_pass(pamh, PAM_OLDAUTHTOK, &pass, PASSWORD_PROMPT,
options->std_flags)) == PAM
** Changed in: pam-pgsql (Ubuntu Intrepid)
Status: Fix Committed => Fix Released
This bug was fixed in the package pam-pgsql - 0.6.3-0ubuntu1.7.10.1
---
pam-pgsql (0.6.3-0ubuntu1.7.10.1) gutsy-security; urgency=low
* SECURITY UPDATE: local users may bypass authentication and gain
privileges by sending at the password prompt.
* pam_pgsql.c: applied Debian
This bug was fixed in the package pam-pgsql - 0.6.3-0ubuntu1.8.04.1
---
pam-pgsql (0.6.3-0ubuntu1.8.04.1) hardy-security; urgency=low
* SECURITY UPDATE: local users may bypass authentication and gain
privileges by sending at the password prompt.
* pam_pgsql.c: applied Debian
** Changed in: pam-pgsql (Ubuntu Intrepid)
Status: Triaged => Fix Committed
** Changed in: pam-pgsql (Ubuntu Gutsy)
Status: Triaged => Fix Committed
** Changed in: pam-pgsql (Ubuntu Hardy)
Status: Triaged => Fix Committed
Subscribing ubuntu-universe-sponsors to help getting the fake-sync in
comment 2 into Intrepid first.
Debdiff for gutsy.
The package also FTBFS in pbuilder so I applied the same patch.
** Attachment added: "pam-pgsql_0.6.3-0ubuntu1.7.10.1.debdiff"
http://launchpadlibrarian.net/15607234/pam-pgsql_0.6.3-0ubuntu1.7.10.1.debdiff
New debdiff for hardy, with proper version number.
Furthermore I've tested on a basic setup that there was no obvious regression.
I'm working on the gutsy one.
** Attachment added: "pam-pgsql_0.6.3-0ubuntu1.8.04.1.debdiff"
http://launchpadlibrarian.net/15606923/pam-pgsql_0.6.3-0ubuntu1.8.04.1
Here is the debdiff for hardy.
I had to apply an extra patch because the current version in hardy FTBFS.
I have tested that it closes the hole, but I've not tested that there are no
regressions in usual features.
** Attachment added: "pam-pgsql_0.6.3-0ubuntu1.1.debdiff"
http://launchpadlibrar
Are you able to prepare and test fixes for Gutsy and Hardy as well?
Simply applying that parentheses-addition patch should do, but I've
nowhere to test this.
** Changed in: pam-pgsql (Ubuntu Gutsy)
Importance: Undecided => High
Status: New => Triaged
** Changed in: pam-pgsql (Ubuntu Har
** Changed in: pam-pgsql (Debian)
Status: Unknown => Fix Released
Debdiff for the fake sync to 0.6.3-2 to intrepid
** Attachment added:
"pam-pgsql_0.6.3-0ubuntu1_to_pam-pgsql_0.6.3-2build1.debdiff"
http://launchpadlibrarian.net/15563014/fakesync2.debdiff
** Bug watch added: Debian Bug tracker #481970
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=4819
The minimal fix, for the record (and learning).
** Attachment added: "CVE-2008-2516.patch"
http://launchpadlibrarian.net/15562272/security_481970.patch
** Visibility changed to: Public