Control: retitle 666129 new upstream version fixes security problem with the secret file (CVE-2012-6140)

Hi all

On Thu, Apr 18, 2013 at 09:13:24AM +0200, Alexander Wirt wrote:
> tag 666129 security
> severity 666129 critical
> retitle 666129 new upstream version fixes security problem with the secret 
> file
> thanks
> 
> On Sat, 22 Sep 2012, rk wrote:
> 
> > There is also a severe and somewhat undocumented security issue fixed
> > by the "user=" parameter added in this commit:
> > https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8
> > 
> > Without this option, the SECRET file is required to be user-readable
> > which can expose the secret to an attacker under certain
> > configurations (notably when required for `sudo`, but not system
> > login).
> This is indeed a security problem. Lenart, do you need any help to get the
> package updated? I also think it doesn't make sense to ship the package in
> this state with wheezy and there I asked for removal from testing.

A CVE was assigned for this issue: CVE-2012-6140, see [1].

 [1]: http://marc.info/?l=oss-security&m=136630281802738&w=2

Regards,
Salvatore

