Your message dated Thu, 11 Dec 2008 00:02:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#508312: fixed in libuser-simple-perl 1.42-1
has caused the Debian Bug report #508312,
regarding libuser-simple-perl: session id: highly predictable and 
collision-prone
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
508312: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508312
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: libuser-simple-perl
Version: 1.40-1
Severity: important
Tags: security, patch

The session id computed by this package is just the md5 of the Unix
timestamp at the moment of the call. Thus, this session id can be simply
brute-forced by an attacker if he knows the user's authorization time
approximately. This also means that two happy users who authorize in the
same second will have identical session ids.

I would suggest adding the login and password to the timestamp, and only
then doing md5(...) (this can be considered the simplest patch :)); this
approach will fix the problems mentioned above.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-rc7jackyf (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libuser-simple-perl depends on:
ii  libdate-calc-perl             5.4-5+b1   Perl library for accessing dates
ii  libdbi-perl                   1.607-1    Perl5 database interface by Tim Bu
ii  perl                          5.10.0-18  Larry Wall's Practical Extraction 

libuser-simple-perl recommends no packages.

libuser-simple-perl suggests no packages.

-- no debconf information



--- End Message ---
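The weakness the report above describes, as an added illustration in Python. This is not code from User::Simple or from the Debian package: it reproduces the construction the report names (session id = md5 of the Unix timestamp at login), shows how an attacker who knows the login time approximately enumerates it and how two logins in the same second collide, and contrasts it with an id drawn from the operating system CSPRNG. The login timestamp and the attacker's error window are constructed values. Nothing here describes what upstream 1.42 actually changed; the changelog below does not say.

```python
"""Added illustration of the session-id weakness reported in Bug#508312.

Not code from User::Simple. Reproduces the reported construction
(id = md5(unix timestamp)) to show predictability and collisions, and
contrasts it with a CSPRNG-based session id.
"""
import hashlib
import secrets
from typing import Optional


def weak_session_id(login_time: int) -> str:
    """Session id as the report describes it: md5 over the Unix timestamp.

    Every login in the same second gets the same id, and the id space an
    attacker must search is just the set of plausible login seconds.
    """
    return hashlib.md5(str(login_time).encode()).hexdigest()


def guess_weak_session_id(target_id: str, approx_time: int,
                          window: int) -> Optional[int]:
    """Brute-force the weak id from an approximate login time.

    Tries every second in [approx_time - window, approx_time + window]
    and returns the matching timestamp, or None if nothing matches.
    A window of a few minutes is only a few hundred md5 calls.
    """
    for t in range(approx_time - window, approx_time + window + 1):
        if weak_session_id(t) == target_id:
            return t
    return None


def strong_session_id(nbytes: int = 16) -> str:
    """Session id from the OS CSPRNG (128 bits by default).

    Independent of login time and of other users' ids, so neither the
    brute-force nor the same-second collision applies.
    """
    return secrets.token_hex(nbytes)


def demo() -> dict:
    """Run the constructed scenario and return the observations."""
    # Constructed: victim logs in at 2008-12-11 00:02:05 UTC (the date on
    # the closing message above, chosen only to make the value concrete).
    victim_login = 1228953725
    sid = weak_session_id(victim_login)

    # Attacker's estimate of the login time is 17 seconds off; a
    # 60-second window on each side is 121 candidates.
    recovered = guess_weak_session_id(sid, victim_login + 17, window=60)

    # A second user authorizing in the same second gets the same id.
    other_user_sid = weak_session_id(victim_login)

    # Two CSPRNG ids drawn at the same moment are distinct.
    a, b = strong_session_id(), strong_session_id()
    return {
        "weak_id": sid,
        "recovered_login_time": recovered,
        "weak_ids_collide": sid == other_user_sid,
        "strong_ids_collide": a == b,
        "strong_id_bits": len(a) * 4,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened form deliberately does not hash any user-controlled or guessable input: an id that is a deterministic function of login time (with or without extra fields an attacker may know) stays enumerable, while 128 random bits per session are not.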
--- Begin Message ---
Source: libuser-simple-perl
Source-Version: 1.42-1

We believe that the bug you reported is fixed in the latest version of
libuser-simple-perl, which is due to be installed in the Debian FTP archive:

libuser-simple-perl_1.42-1.diff.gz
  to pool/main/libu/libuser-simple-perl/libuser-simple-perl_1.42-1.diff.gz
libuser-simple-perl_1.42-1.dsc
  to pool/main/libu/libuser-simple-perl/libuser-simple-perl_1.42-1.dsc
libuser-simple-perl_1.42-1_all.deb
  to pool/main/libu/libuser-simple-perl/libuser-simple-perl_1.42-1_all.deb
libuser-simple-perl_1.42.orig.tar.gz
  to pool/main/libu/libuser-simple-perl/libuser-simple-perl_1.42.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gunnar Wolf <[EMAIL PROTECTED]> (supplier of updated libuser-simple-perl 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 10 Dec 2008 17:52:09 -0600
Source: libuser-simple-perl
Binary: libuser-simple-perl
Architecture: source all
Version: 1.42-1
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <[EMAIL PROTECTED]>
Changed-By: Gunnar Wolf <[EMAIL PROTECTED]>
Description: 
 libuser-simple-perl - Simple user sessions management
Closes: 508312
Changes: 
 libuser-simple-perl (1.42-1) unstable; urgency=low
 .
   [ gregor herrmann ]
   * debian/control: Changed: Switched Vcs-Browser field to ViewSVN
     (source stanza).
 .
   [ Gunnar Wolf ]
   * New upstream release (Closes: #508312)
Checksums-Sha1: 
 af38b4850bef06d42d2bf35d9653b52c04e929bf 1443 libuser-simple-perl_1.42-1.dsc
 772a5779cda0948cf28da3d3ce38c6276447ca89 19257 libuser-simple-perl_1.42.orig.tar.gz
 b0a7e42ea8da239430cb80146315092aff2ec3ad 2729 libuser-simple-perl_1.42-1.diff.gz
 b31a3e1b771e46e3dff793e536e06d8181773611 29154 libuser-simple-perl_1.42-1_all.deb
Checksums-Sha256: 
 9de2c8131fef0b477323c7a24cb6cda2a02ca90fb19a54f87ff62e10dd650544 1443 libuser-simple-perl_1.42-1.dsc
 0482769745297a0f852f5c9857a7ddc9747e633f321e14a40a4996822ad9caff 19257 libuser-simple-perl_1.42.orig.tar.gz
 920c0065e408d37dd86d69d8f11193dc31039c64f89787b9ce00942868b89de4 2729 libuser-simple-perl_1.42-1.diff.gz
 b1bb983d7f710338e2b7d88082d235a886b28892a3a329e6983c01db022c2fdf 29154 libuser-simple-perl_1.42-1_all.deb
Files: 
 01bf829d0155d0a99e254d17c4582ade 1443 perl optional libuser-simple-perl_1.42-1.dsc
 9104cba2261317ca29d495d8ccd6959f 19257 perl optional libuser-simple-perl_1.42.orig.tar.gz
 028faad87266dad563ee2fa0d6b45772 2729 perl optional libuser-simple-perl_1.42-1.diff.gz
 b3a16be9577ffc1d51c7d9bcad926e30 29154 perl optional libuser-simple-perl_1.42-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklAVx8ACgkQ2A7zWou1J6/WzgCcD0uwRdGFDu/YkmME+LuoOZ+3
+8sAn1kzTA5S+8oN2HZ6lzJ0wkhnG3B7
=vowi
-----END PGP SIGNATURE-----



--- End Message ---