
Bug#212463: marked as done (pam security problem in OpenSSH again?)



Your message dated Tue, 23 Sep 2003 17:07:29 -0400
with message-id <20030923210729.GL29549@alcor.net>
and subject line Bug#212463: pam security problem in OpenSSH again?
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 23 Sep 2003 21:00:22 +0000
>From brianr@osiris.978.org Tue Sep 23 16:00:12 2003
Return-path: <brianr@osiris.978.org>
Received: from h006067091a61.ne.client2.attbi.com (osiris.978.org) [24.147.172.248] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1A1uGY-000456-00; Tue, 23 Sep 2003 16:00:10 -0500
Received: (qmail 26417 invoked by uid 1000); 23 Sep 2003 21:00:07 -0000
Date: Tue, 23 Sep 2003 17:00:07 -0400
From: Brian Ristuccia <brian@ristuccia.com>
To: submit@bugs.debian.org
Subject: pam security problem in OpenSSH again?
Message-ID: <20030923210007.GE19245@osiris.978.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
X-Debbugs-Cc: security@debian.org
Delivered-To: submit@bugs.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0
	tests=BAYES_30,HAS_PACKAGE
	version=2.53-bugs.debian.org_2003_9_21
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_9_21 (1.174.2.15-2003-03-30-exp)

Package: ssh
Version: 1:3.4p1-1.woody.3
Serverity: grave

Looks like there's some serious security problem in the PAM implementation.
There's been a lot of changes in this area after 1.3.6, so it's not clear if
the version Debian is distributing is affected. Someone, either the
security team or the package maintainer, should have a look.

http://www.securityfocus.com/archive/121/338616
http://www.securityfocus.com/archive/121/338617

-- 
Brian Ristuccia
brian@ristuccia.com
bristucc@cs.uml.edu

---------------------------------------
Received: (at 212463-done) by bugs.debian.org; 23 Sep 2003 21:08:06 +0000
>From mdz@csh.rit.edu Tue Sep 23 16:07:31 2003
Return-path: <mdz@csh.rit.edu>
Received: from smtp01.mrf.mail.rcn.net [207.172.4.60] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1A1uNe-0005cj-00; Tue, 23 Sep 2003 16:07:30 -0500
Received: from 216-15-124-77.c3-0.smr-ubr3.sbo-smr.ma.cable.rcn.com ([216.15.124.77] helo=mizar.alcor.net)
	by smtp01.mrf.mail.rcn.net with esmtp (Exim 3.35 #4)
	id 1A1uNd-0006XO-00; Tue, 23 Sep 2003 17:07:29 -0400
Received: from mdz by mizar.alcor.net with local (Exim 3.36 #1 (Debian))
	id 1A1uNd-0000i7-00; Tue, 23 Sep 2003 17:07:29 -0400
Date: Tue, 23 Sep 2003 17:07:29 -0400
From: Matt Zimmerman <mdz@debian.org>
To: Brian Ristuccia <brian@ristuccia.com>, 212463-done@bugs.debian.org
Subject: Re: Bug#212463: pam security problem in OpenSSH again?
Message-ID: <20030923210729.GL29549@alcor.net>
References: <20030923210007.GE19245@osiris.978.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030923210007.GE19245@osiris.978.org>
User-Agent: Mutt/1.5.4i
Sender: Matt Zimmerman <mdz@alcor.net>
Delivered-To: 212463-done@bugs.debian.org
X-Spam-Status: No, hits=-5.7 required=4.0
	tests=EMAIL_ATTRIBUTION,QUOTED_EMAIL_TEXT
	version=2.53-bugs.debian.org_2003_9_21
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_9_21 (1.174.2.15-2003-03-30-exp)

On Tue, Sep 23, 2003 at 05:00:07PM -0400, Brian Ristuccia wrote:

> Looks like there's some serious security problem in the PAM implementation.
> There's been a lot of changes in this area after 1.3.6, so it's not clear if
> the version Debian is distributing is affected. Someone, either the
> security team or the package maintainer, should have a look.
> 
> http://www.securityfocus.com/archive/121/338616
> http://www.securityfocus.com/archive/121/338617

Doesn't affect Debian at all; stable, testing or unstable.

-- 
 - mdz


