Your message dated Thu, 26 Nov 2015 12:45:35 +0000
with message-id <e1a1vvb-0002g3...@franck.debian.org>
and subject line Bug#805659: fixed in lxdm 0.5.3-1
has caused the Debian Bug report #805659,
regarding lxdm: CVE-2015-8308: X server started without -auth, exposing it to 
connections from any local user
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
805659: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=805659
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: lxdm
Version: 0.5.1-1
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for lxdm.

CVE-2015-8308[0]:
X server started without -auth, exposing it to connections from any local user

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Note, though, that the Red Hat bug report mentions a regression problem,
referencing [5] and [6].

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8308
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1268900
[2] http://advisories.mageia.org/MGASA-2015-0411.html
[3] http://www.openwall.com/lists/oss-security/2015/11/20/2
[4] http://git.lxde.org/gitweb/?p=lxde/lxdm.git;a=commitdiff;h=e8f387089e241360bdc6955d3e479450722dcea3
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1283581
[6] http://sourceforge.net/p/lxde/bugs/786/

Regards,
Salvatore

--- End Message ---
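
A way to check a host for the condition the report above describes (an X server running without `-auth`), given as an added example that is not part of the bug report or of lxdm. The server binary names, the `:0` default display and the sample command lines are assumptions or constructed for illustration, and only the command line is inspected, not the permissions of the authority file.

```python
import os

# Assumption: the X server runs under one of these executable names.
X_SERVER_NAMES = {"X", "Xorg"}

def is_x_server(argv):
    return bool(argv) and os.path.basename(argv[0]) in X_SERVER_NAMES

def auth_file(argv):
    """Return the file passed to -auth, or None if the option is absent or has no value."""
    for i, arg in enumerate(argv[:-1]):
        if arg == "-auth":
            return argv[i + 1]
    return None

def display_of(argv):
    """Return the display argument (":0", ":1", ...), defaulting to ":0"."""
    for arg in argv[1:]:
        if arg.startswith(":") and arg[1:].isdigit():
            return arg
    return ":0"

def audit(cmdlines):
    """cmdlines: iterable of (pid, argv). Return (pid, display) for X servers lacking -auth."""
    return [(pid, display_of(argv)) for pid, argv in cmdlines
            if is_x_server(argv) and auth_file(argv) is None]

def read_proc():
    """Yield (pid, argv) for every process readable under /proc (Linux only)."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited or is not readable
        yield int(entry), [a.decode(errors="replace") for a in raw.split(b"\0") if a]

# Constructed sample command lines, not captured from a real system.
SAMPLE = [
    (1201, ["/usr/bin/X", ":0", "vt7", "-nolisten", "tcp"]),
    (1302, ["/usr/lib/xorg/Xorg", ":1", "-auth", "/run/example/display1.auth"]),
    (1403, ["/usr/bin/Xorg", "-auth"]),            # option present but no file given
    (1504, ["/usr/bin/xterm", "-display", ":0"]),  # X client, not a server
]

if __name__ == "__main__":
    for pid, display in audit(read_proc()):
        print(f"pid {pid}: X server on {display} started without -auth")
```
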
--- Begin Message ---
Source: lxdm
Source-Version: 0.5.3-1

We believe that the bug you reported is fixed in the latest version of
lxdm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 805...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andriy Grytsenko <and...@rep.kiev.ua> (supplier of updated lxdm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 26 Nov 2015 13:32:17 +0200
Source: lxdm
Binary: lxdm lxdm-dbg
Architecture: source amd64
Version: 0.5.3-1
Distribution: unstable
Urgency: low
Maintainer: Debian LXDE Maintainers <pkg-lxde-maintain...@lists.alioth.debian.org>
Changed-By: Andriy Grytsenko <and...@rep.kiev.ua>
Description:
 lxdm       - LXDE display manager
 lxdm-dbg   - LXDE display manager (debug symbols)
Closes: 797244 805659
Changes:
 lxdm (0.5.3-1) unstable; urgency=low
 .
   * Removing lxsession from Recommends, it isn't related to lxdm in any way.
   * Stopping kill all user processes in PostLogout (Closes: #797244).
   * Merging upstream version 0.5.3 (Closes: #805659 CVE-2015-8308).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---