Your message dated Sat, 06 Feb 2010 09:32:53 +0000
with message-id <[email protected]>
and subject line Bug#528938: fixed in ajaxterm 0.10-5
has caused the Debian Bug report #528938,
regarding CVE-2009-1629: generates session IDs with predictable random numbers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
528938: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=528938
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ajaxterm
Version: 0.10-4
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ajaxterm.

CVE-2009-1629[0]:
| ajaxterm.js in AjaxTerm 0.10 and earlier generates session IDs with
| predictable random numbers based on certain JavaScript functions,
| which makes it easier for remote attackers to (1) hijack a session or
| (2) cause a denial of service (session ID exhaustion) via a
| brute-force attack.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1629
    http://security-tracker.debian.net/tracker/CVE-2009-1629

Cheers,
Giuseppe.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoO0y0ACgkQNxpp46476ap5kQCghMAQafc46v0qdvjymQs/2G8p
jZcAoI7a4mTbI3QBpyrx88Qlr9z9ojLG
=hk2D
-----END PGP SIGNATURE-----



--- End Message ---
--- Begin Message ---
Source: ajaxterm
Source-Version: 0.10-5

We believe that the bug you reported is fixed in the latest version of
ajaxterm, which is due to be installed in the Debian FTP archive:

ajaxterm_0.10-5.debian.tar.gz
  to main/a/ajaxterm/ajaxterm_0.10-5.debian.tar.gz
ajaxterm_0.10-5.dsc
  to main/a/ajaxterm/ajaxterm_0.10-5.dsc
ajaxterm_0.10-5_all.deb
  to main/a/ajaxterm/ajaxterm_0.10-5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Valroff <[email protected]> (supplier of updated ajaxterm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 06 Feb 2010 09:57:33 +0100
Source: ajaxterm
Binary: ajaxterm
Architecture: source all
Version: 0.10-5
Distribution: unstable
Urgency: low
Maintainer: Julien Valroff <[email protected]>
Changed-By: Julien Valroff <[email protected]>
Description: 
 ajaxterm   - Web based terminal written in Python
Closes: 515987 528208 528938 531165 541850 568372
Changes: 
 ajaxterm (0.10-5) unstable; urgency=low
 .
   * Make use of python-support >= 0.6
   * Updated to new policy 3.8.4 (no changes needed)
   * Bumped debhelper compat to 7
   * Removed useless lintian override
   * Updated Debian packaging copyright
   * Added $AJAXTERM_UID in default file, allowing to change the user running
     ajaxterm (Closes: #531165)
   * Make use of start-stop-daemon --group option to also allow to change the
     GID (Closes: #528208)
   * Updated README.Debian
   * Added patch from Berki Lukács T. <[email protected]>:
     + Make it work with Chrome and possibly other Webkit-based browsers
     + Returns Connection: keep-alive and Content-Length HTTP headers to
       avoid doing a complete SSL handshake on every keystroke and screen update
     + Added a reaper thread to kill off disconnected sessions
     + Sends SIGHUP rather than SIGTERM on end of session
     + Threaded mode is default
   * CVE-2009-1629: ajaxterm generated session IDs with predictable random
     numbers - thanks to Raphael Geissert <[email protected]> (Closes: #528938)
   * Added configuration file allowing to set terminal size (Closes: #515987)
   * Fixed typo in copyright file - license for sarissa* files is now correct
   * Added patch from Sergej Pupykin <[email protected]> to switch ajaxterm from
     Latin-1 to UTF-8 encoding (Closes: #541850)
   * Use start-stop-daemon return code in the init script
   * Removed sleep call when restarting ajaxterm daemon
   * Added patch to display hostname in login prompt
   * Fixed manpage to make lintian happy
   * Switched to GIT - updated VCS-* fields accordingly
   * Converted package to dh minimal rules files
   * Switched to 3.0 (quilt) source format
   * Removed pyversions file and use XS-Python-Version field instead
   * Build-depend on python rather than on python-dev
   * Fixed issue in sarissa with Firefox/Iceweasel 3.6 (Closes: #568372)
Checksums-Sha1: 
 48bdc3acca9d96f32e87b7b8b02059b44c5e3d67 1256 ajaxterm_0.10-5.dsc
 6ef1283e7009236f8b102e685a2574328a332fac 16642 ajaxterm_0.10-5.debian.tar.gz
 170e10dc842c74103fb306515fc30373f0edc81d 43862 ajaxterm_0.10-5_all.deb
Checksums-Sha256: 
 41b92ff981914f44d760888258ceb7c7f37a919fd4055a9674f1491ac0fda6a0 1256 ajaxterm_0.10-5.dsc
 7461c253f5455686ecf4e3e2e8e33c8193e4e9d950f4a6a705093d6fdf35c214 16642 ajaxterm_0.10-5.debian.tar.gz
 9cdd8a0a0db4fc1449e5f78ece9bf5664c14a49ecc21ecd89f88dfae60c05b06 43862 ajaxterm_0.10-5_all.deb
Files: 
 0cdad64b1c095bcb551f628bc6fdc7a4 1256 web optional ajaxterm_0.10-5.dsc
 bdf22cac3ec5f1667e074b7463cd01c4 16642 web optional ajaxterm_0.10-5.debian.tar.gz
 3d399bf4ce955475d4c837df05357745 43862 web optional ajaxterm_0.10-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkttMx0ACgkQIQvyq59x1EkEdACgzYwnly5dEggYeQ9M9MG7c3cP
Te4AoJ691oMqDTp21USUNQB+prg0Q1rH
=gKir
-----END PGP SIGNATURE-----



--- End Message ---