Your message dated Sun, 28 Dec 2008 12:41:28 +0100
with message-id <[email protected]>
and subject line Re: Bug#509882: password limited to seven, not eight characters
has caused the Debian Bug report #509882,
regarding password limited to seven, not eight characters
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
--
509882: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509882
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: qemu
Severity: important
Tags: security, patch
Hi,
It has been reported that the password setting routine in qemu limits the
password length to 7 instead of 8 characters as intended:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5714
It would be very desirable to fix this in lenny, because it could be regarded
to be a security issue in a way. Etch seems not affected.
Please reference the CVE id when fixing this issue.
thanks,
Thijs
--- End Message ---
--- Begin Message ---
Version: 0.9.1+svn20081214-1
On Sat, Dec 27, 2008 at 01:30:15PM +0100, Thijs Kinkhorst wrote:
> Package: qemu
> Severity: important
> Tags: security, patch
>
> Hi,
>
> It has been reported that the password setting routine in qemu limits the
> password length to 7 instead of 8 characters as intended:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5714
>
> It would be very desirable to fix this in lenny, because it could be regarded
> to be a security issue in a way. Etch seems not affected.
>
> Please reference the CVE id when fixing this issue.
>
To be honest, while I agree it is a real problem, I found it strange that it is
considered a security problem with a CVE entry. Note also that this
problem does not occur for the initial setting of the password, but
only when changing it.
Given we now have a CVE entry, I'll fix the bug in lenny/unstable. For
the experimental version, I am closing the bug for the experimental
version, as it is an SVN snapshot and the bug has already been fixed
for some days upstream.
Note that KVM is also most probably affected.
--
.''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
: :' : Debian developer | Electrical Engineer
`. `' [email protected] | [email protected]
`- people.debian.org/~aurel32 | www.aurel32.net
--- End Message ---