Your message dated Sat, 02 Dec 2023 19:47:14 +0000
with message-id <[email protected]>
and subject line Bug#1055521: fixed in opensc 0.23.0-0.3+deb12u1
has caused the Debian Bug report #1055521,
regarding opensc: CVE-2023-40660
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1055521: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055521
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: opensc
Version: 0.23.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for opensc.

CVE-2023-40660[0]:
| A flaw was found in OpenSC packages that allow a potential PIN
| bypass. When a token/card is authenticated by one process, it can
| perform cryptographic operations in other processes when an empty
| zero-length pin is passed. This issue poses a security risk,
| particularly for OS logon/screen unlock and for small, permanently
| connected tokens to computers. Additionally, the token can
| internally track login status. This flaw allows an attacker to gain
| unauthorized access, carry out malicious actions, or compromise the
| system without the user's awareness.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40660
    https://www.cve.org/CVERecord?id=CVE-2023-40660
[1] https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651
[2] https://github.com/OpenSC/OpenSC/wiki/CVE-2023-40660
[3] https://github.com/OpenSC/OpenSC/commit/868f76fb31255fd3fdacfc3e476452efeb61c3e7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: opensc
Source-Version: 0.23.0-0.3+deb12u1
Done: Bastian Germann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
opensc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Germann <[email protected]> (supplier of updated opensc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 08 Nov 2023 01:26:46 +0100
Source: opensc
Architecture: source
Version: 0.23.0-0.3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian OpenSC Maintainers <[email protected]>
Changed-By: Bastian Germann <[email protected]>
Closes: 1055520 1055521 1055522
Changes:
 opensc (0.23.0-0.3+deb12u1) bookworm; urgency=medium
 .
   * Team upload
   * Fix CVE-2023-4535 with two upstream patches (Closes: #1055520)
   * Fix CVE-2023-40660 with upstream patch (Closes: #1055521)
   * Fix CVE-2023-40661 with upstream patches (Closes: #1055522)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
