Your message dated Wed, 16 Apr 2008 09:17:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#475154: fixed in gnome-screensaver 2.22.2-1
has caused the Debian Bug report #475154,
regarding gnome-screensaver: CVE-2008-1683 unlocks session if it fails to get 
user attributes via getpwnam()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
475154: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475154
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: gnome-screensaver
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gnome-screensaver.


CVE-2008-1683[0]:
| xscreensaver on Fedora 8, when an NIS authentication server is
| enabled, exits if this server is unavailable as the xscreensaver
| process is starting, which allows physically proximate attackers to
| gain access to a workstation session for which locking was intended, a
| related issue to CVE-2007-1859.

The CVE text is somehow wrong, I think. Reading the Red Hat
Bugzilla in the references, this is a gnome-screensaver issue
and was not reproducible in xscreensaver.

Patch is on:
https://bugzilla.redhat.com/attachment.cgi?id=297817

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1683
    http://security-tracker.debian.net/tracker/CVE-2008-1683

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
--- Begin Message ---
Source: gnome-screensaver
Source-Version: 2.22.2-1

We believe that the bug you reported is fixed in the latest version of
gnome-screensaver, which is due to be installed in the Debian FTP archive:

gnome-screensaver_2.22.2-1.diff.gz
  to pool/main/g/gnome-screensaver/gnome-screensaver_2.22.2-1.diff.gz
gnome-screensaver_2.22.2-1.dsc
  to pool/main/g/gnome-screensaver/gnome-screensaver_2.22.2-1.dsc
gnome-screensaver_2.22.2-1_i386.deb
  to pool/main/g/gnome-screensaver/gnome-screensaver_2.22.2-1_i386.deb
gnome-screensaver_2.22.2.orig.tar.gz
  to pool/main/g/gnome-screensaver/gnome-screensaver_2.22.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Dröge <[EMAIL PROTECTED]> (supplier of updated gnome-screensaver 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 16 Apr 2008 10:50:22 +0200
Source: gnome-screensaver
Binary: gnome-screensaver
Architecture: source i386
Version: 2.22.2-1
Distribution: unstable
Urgency: high
Maintainer: Guilherme de S. Pastore <[EMAIL PROTECTED]>
Changed-By: Sebastian Dröge <[EMAIL PROTECTED]>
Description: 
 gnome-screensaver - GNOME screen saver and locker
Closes: 475154
Changes: 
 gnome-screensaver (2.22.2-1) unstable; urgency=high
 .
   * New upstream bugfix release:
     + SECURITY: CVE-2008-1683 unlocks session if
       it fails to get user attributes via getpwnam() (Closes: #475154).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIBb//BsBdh1vkHyERApj0AJ4queXFK3JwYsI0IWajAp2EC54aCACfZpzj
I76JB1+sVjmlC/m6kQH0ZR8=
=NXAy
-----END PGP SIGNATURE-----



--- End Message ---
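
The bug class named in the report (a locker that treats a failed getpwnam() lookup as a reason to release the session) is sketched below next to a fail-closed version. This is an added example, not gnome-screensaver's code and not the Red Hat patch; the function names, the lookup hook and the stub lookups are assumptions made for illustration.

```c
#include <errno.h>
#include <pwd.h>
#include <stddef.h>
#include <string.h>

/* Decision for one unlock attempt (hypothetical names, not from the project). */
enum lock_state { STAY_LOCKED = 0, UNLOCK = 1 };

/* Hook with getpwnam()'s signature so a directory outage can be simulated. */
typedef struct passwd *(*pw_lookup_fn)(const char *name);

/* Fail-open pattern: a failed lookup is treated as "nothing to protect",
 * so the session ends up unlocked without any credential check. */
enum lock_state decide_fail_open(pw_lookup_fn lookup, const char *user, int password_ok)
{
    struct passwd *pw = lookup(user);
    if (pw == NULL)
        return UNLOCK;               /* NIS/LDAP outage -> session exposed */
    return password_ok ? UNLOCK : STAY_LOCKED;
}

/* Fail-closed pattern: only a successful lookup plus a verified password
 * may unlock; every error path keeps the lock in place. */
enum lock_state decide_fail_closed(pw_lookup_fn lookup, const char *user, int password_ok)
{
    if (user == NULL || *user == '\0')
        return STAY_LOCKED;
    errno = 0;                       /* getpwnam() reports errors via errno */
    struct passwd *pw = lookup(user);
    if (pw == NULL)                  /* errno != 0: backend error; 0: no entry */
        return STAY_LOCKED;
    if (pw->pw_name == NULL || strcmp(pw->pw_name, user) != 0)
        return STAY_LOCKED;          /* entry does not match the session owner */
    return password_ok ? UNLOCK : STAY_LOCKED;
}

/* Constructed stub: name service unreachable. */
static struct passwd *lookup_nis_down(const char *name)
{ (void)name; errno = EIO; return NULL; }

/* Constructed stub: lookup succeeds and returns the requested user. */
static struct passwd *lookup_ok(const char *name)
{ static struct passwd pw; pw.pw_name = (char *)name; return &pw; }

int main(void)
{
    /* Exit status 0 when the outage case stays locked in the hardened path. */
    return decide_fail_closed(lookup_nis_down, "alice", 1) == STAY_LOCKED ? 0 : 1;
}
```

In a real locker, pass getpwnam itself as the lookup hook; the stubs exist only to reproduce the outage without a name service.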
