-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
While the current changelog in source is much more detailed I repeat a
reduced compilation of security-related issues with trac-accountmanager
0.2.1+r7731-1 as per developer request for convenience to emphasis the
need for an update of this package from point of view of the upstream
maintainer.
Order of appearance in the following list corresponds to
importance/severity of the issue (my suggestion - most of these have not
received peer-review by now).
* -----: prevent easy account take-over via password reset [1]
additional hint: even back-ported to 0.10 at that time
* #816: prevent a DoS by not overwriting password before login [2]
* #4276: prevent a DoS by inaccessible user file in shared use [3]
* #3200: prevent a DoS by invalid entries for last and newly
registered users [4]
* #9088: lower probability of take-over for persistent sessions [5]
* #7396: improved hash protection by feeding at maximum length [6]
I suggest splitting into discrete bug reports with reference to tickets
in the trac-hacks.org SVN home repository of this Trac plugin. Maybe
after review some of these issues could even be worth getting a CVE
number for, because certain other distributions lag behind in a similar
fashion like Debian today. Especially [1] and [2] do look critical to me.
Thanks for taking care.
[1] http://trac-hacks.org/changeset/10313
[2] http://trac-hacks.org/ticket/816
[3] http://trac-hacks.org/ticket/4276
[4] http://trac-hacks.org/ticket/3200
[5] http://trac-hacks.org/ticket/9088
[6] http://trac-hacks.org/ticket/7396
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAlGT+LoACgkQ31DJeiZFuHc7swCgrzCtRXk9u6wE62TF0DKzITtk
Di0AniyvNHuQ9XLdlNSoVzF4V+koPR/X
=zQ2j
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]