Re: Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy

2013-02-24 Thread Jeremy Lainé
On 02/23/2013 02:33 PM, Adam D. Barratt wrote:
> On Sun, 2013-02-17 at 13:59 +, Jonathan Wiltshire wrote:
>> Once 1.2-1+deb7u1 reaches wheezy (next 24 hours) we will be able to use
>> 1.2-1+deb6u1 for any hypothetical DSA to slot in between squeeze and
>> wheezy.
> Well, there's a 1.2.1+deb6u1 in p-u-NEW. I can't find a p-u request for
> it though...

I have just filed the missing p-u request.

Cheers,
Jeremy





Re: Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy

2013-02-17 Thread Jonathan Wiltshire
On Sun, Feb 17, 2013 at 08:36:24AM +0100, Jeremy Lainé wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 02/17/2013 01:19 AM, Jonathan Wiltshire wrote:
> > It's traditional to seek approval *before* uploading; more so in this case
> > since adding a patch system is a no-no. The change itself is fine, please
> > upload with this only. You will have to bump the version number IIRC.
> 
> OK, attached is the resulting debdiff.

Approved, thanks.

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

 i have six years of solaris sysadmin experience, from
8->10. i am well qualified to say it is made from bonghits
layered on top of bonghits




Re: Bug#700669: Allow pyrad 1.2-1+deb7u1 into wheezy

2013-02-16 Thread Jeremy Lainé

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/17/2013 01:19 AM, Jonathan Wiltshire wrote:
> It's traditional to seek approval *before* uploading; more so in this case
> since adding a patch system is a no-no. The change itself is fine, please
> upload with this only. You will have to bump the version number IIRC.

OK, attached is the resulting debdiff.

On a sidenote, you might consider updating the following page to make it
crystal clear, as I obviously did not get the message:

http://release.debian.org/wheezy/freeze_policy.html

Rule #1: "Changing patch systems" => "Adding or changing patch systems"

Rule #2: "If in doubt, first contact the release team" => "Always contact the
release team first"

Thanks,
Jeremy

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlEgiHgACgkQ4mJJZqJp2SeURwCfehij0NsJR5BO10rIP32pYjqe
On0AnixhAivkdmHVHj82URcWnnCdzTzg
=8wEX
-----END PGP SIGNATURE-----

diff -u pyrad-1.2/debian/changelog pyrad-1.2/debian/changelog
--- pyrad-1.2/debian/changelog
+++ pyrad-1.2/debian/changelog
@@ -1,3 +1,10 @@
+pyrad (1.2-1+deb7u2) testing-proposed-updates; urgency=high
+
+  * Use a better random number generator to prevent predictable password
+hashing and packet IDs (CVE-2013-0294, Closes: #700669).
+
+ -- Jeremy Lainé   Sun, 17 Feb 2013 08:21:08 +0100
+
 pyrad (1.2-1) unstable; urgency=low
 
   * New upstream release (Closes: #532843).
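Review bot: the changelog entry carries version 1.2-1+deb7u2, while the bug title and the rest of this thread refer to 1.2-1+deb7u1; if the bump asked for earlier in the thread ("You will have to bump the version number") is what produced +deb7u2, the bug title and p-u request should be updated to name the version that is actually being uploaded, so the release team approves the right one. The `testing-proposed-updates` target and `urgency=high` are appropriate for a fix for CVE-2013-0294 going into frozen wheezy, and the entry correctly closes #700669.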
only in patch2:
unchanged:
--- pyrad-1.2.orig/pyrad/packet.py
+++ pyrad-1.2/pyrad/packet.py
@@ -31,8 +31,11 @@
 CoAACK  = 44
 CoANAK  = 45
 
+# Use cryptographic-safe random generator as provided by the OS.
+random_generator = random.SystemRandom()
+
 # Current ID
-CurrentID   = random.randrange(1, 255)
+CurrentID   = random_generator.randrange(1, 255)
 
 class PacketError(Exception):
 pass
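Review bot: the module-level `random_generator = random.SystemRandom()` is the right fix for `CurrentID`, since `SystemRandom` draws from `os.urandom()` and cannot be influenced by `random.seed()` the way the default Mersenne Twister can; two small points on this hunk. First, only the `CurrentID` call site is converted here, so every other `random.` call in the module that produces protocol-visible values must also move to `random_generator` (the later hunks in this debdiff cover the authenticator and the ID method; please confirm no further uses remain). Second, the comment should read "cryptographically secure random generator" rather than "cryptographic-safe". The `randrange(1, 255)` bound is unchanged from the original line, so the ID range stays 1..254 as before.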
@@ -219,7 +222,7 @@
 
 data=""
 for i in range(16):
-data+=chr(random.randrange(0,256))
+data+=chr(random_generator.randrange(0, 256))
 
 return data
 CreateAuthenticator=staticmethod(CreateAuthenticator)
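Review bot: the sixteen `chr(random_generator.randrange(0, 256))` calls building the 16-byte authenticator are correct but could be a single `data = os.urandom(16)` (with `import os`), which reads the OS entropy source once instead of sixteen times and does not rely on `chr()` returning a one-byte `str`, an assumption that only holds on Python 2; the shown change keeps the existing loop shape, so if the intent is minimal diff for a stable update that is defensible, but it is worth noting for a later cleanup.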
@@ -234,7 +237,7 @@
 :rtype:  integer
 
 """
-return random.randrange(0,256)
+return random_generator.randrange(0, 256)
 
 
 def ReplyPacket(self):
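Review bot: `CreateID` now returns `random_generator.randrange(0, 256)`, i.e. an identifier in 0..255 inclusive, whereas the module-level `CurrentID` in the first packet.py hunk uses `randrange(1, 255)` (1..254); the mismatch predates this patch, but since both lines are touched it would be cheap to align them, and the docstring's `:rtype: integer` could state the range explicitly. The change itself is correct and is the security-relevant part of the fix, since a predictable Identifier together with a predictable authenticator is what the CVE describes.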