tag 666129 security
severity 666129 critical
retitle 666129 new upstream version fixes security problem with the secret file
thanks

On Sat, 22 Sep 2012, rk wrote:

> There is also a severe and somewhat undocumented security issue fixed
> by the "user=" parameter added in this commit:
> https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8
>
> Without this option, the SECRET file is required to be user-readable
> which can expose the secret to an attacker under certain
> configurations (notably when required for `sudo`, but not system
> login).

This is indeed a security problem. Lenart, do you need any help to get
the package updated?

I also think it doesn't make sense to ship the package in this state with
wheezy and there I asked for removal from testing.

Alex
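
A check for the condition described in the quoted report, as an added example that is not part of the original mail or of the google-authenticator package: it lists PAM rules that load `pam_google_authenticator.so` without a `user=` option. The service file contents and the `secret=` path are constructed samples.

```python
MODULE = "pam_google_authenticator.so"

# Constructed sample PAM service files (not taken from the bug report).
SAMPLE = {
    "sudo": "# 2FA for sudo\nauth required pam_google_authenticator.so\n@include common-auth\n",
    "sshd": "auth [success=1 default=ignore] /lib/security/pam_google_authenticator.so \\\n"
            "     user=root secret=/var/lib/google-authenticator/${USER}\n",
}

def parse_rule(line):
    """Split one PAM rule into (type, control, module, args); None if not a rule."""
    fields = line.split("#", 1)[0].split()       # drop comments, then tokenize
    if len(fields) < 3 or fields[0].startswith("@"):
        return None                              # blank line, comment, or @include
    end = 1
    if fields[1].startswith("["):                # control like [success=1 default=ignore]
        while end < len(fields) and not fields[end].endswith("]"):
            end += 1
    rest = fields[end + 1:]
    if not rest:
        return None                              # malformed rule: no module path
    return fields[0].lstrip("-"), " ".join(fields[1:end + 1]), rest[0], rest[1:]

def audit(service, text):
    """Return findings for rules that load the module without user=."""
    findings = []
    # A trailing backslash continues a PAM rule on the next line.
    for line in text.replace("\\\n", " ").splitlines():
        rule = parse_rule(line)
        if rule is None or rule[2].rsplit("/", 1)[-1] != MODULE:
            continue
        options = dict(arg.partition("=")[::2] for arg in rule[3])
        if not options.get("user"):
            findings.append((service, rule[1],
                             "no user= option: secret file must be readable "
                             "by the authenticating user"))
    return findings

def audit_all(configs):
    """Audit a mapping of service name -> PAM file contents."""
    return [f for name, text in sorted(configs.items()) for f in audit(name, text)]

if __name__ == "__main__":
    for service, control, problem in audit_all(SAMPLE):
        print(f"{service}: [{control}] {problem}")
```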