Your message dated Tue, 17 Jun 2014 19:03:29 +0000
with message-id <e1wwyfj-0006mg...@franck.debian.org>
and subject line Bug#751834: fixed in iodine 0.6.0~rc1-19
has caused the Debian Bug report #751834,
regarding iodine: authentication bypass
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
751834: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751834
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: iodine
Version: 0.6.0~rc1-2
Severity: grave
Tags: security upstream patch fixed-upstream
Justification: user security hole
Hi Gregor,
There was a new upstream version for iodine released fixing an
authentication bypass vulnerability.
Upstream commit is at [1], but no CVE has been assigned so far [2].
[1] https://github.com/yarrick/iodine/commit/b715be5cf3978fbe589b03b09c9398d0d791f850
[2] http://www.openwall.com/lists/oss-security/2014/06/16/5
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: iodine
Source-Version: 0.6.0~rc1-19
We believe that the bug you reported is fixed in the latest version of
iodine, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 751...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <gre...@debian.org> (supplier of updated iodine package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 17 Jun 2014 20:50:54 +0200
Source: iodine
Binary: iodine
Architecture: source amd64
Version: 0.6.0~rc1-19
Distribution: unstable
Urgency: high
Maintainer: gregor herrmann <gre...@debian.org>
Changed-By: gregor herrmann <gre...@debian.org>
Description:
iodine - tool for tunneling IPv4 data through a DNS server
Closes: 751834
Changes:
iodine (0.6.0~rc1-19) unstable; urgency=high
.
* Add patch 0001-Fix-authentication-bypass-bug.patch from upstream's
iodine-0.6.0 branch.
.
This fixes a security problem where the client could bypass the password
check by continuing after getting an error from the server and guessing
the network parameters and the server would still accept the rest of the
setup and also network traffic. The patch adds checks for normal and raw
mode that the user has authenticated before allowing any other communication.
.
Thanks to Salvatore Bonaccorso for the bug report, and Erik Ekman for
backporting the fix super fast.
(Closes: #751834)
.
Set urgency=high.
.
* Declare compliance with Debian Policy 3.9.5.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---
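The class of flaw the changelog above describes, as an added C example that is not iodine's code or the upstream patch: a handler that reports a login error but never gates later messages, next to one that checks the session's authenticated flag first. The message types, result codes, session struct and secret are hypothetical and constructed for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message types and result codes; not iodine's wire format. */
enum msg { MSG_LOGIN, MSG_SETUP, MSG_DATA };
enum result { R_OK, R_BADLOGIN, R_DENIED };
struct session { bool authenticated; bool setup_done; int packets_forwarded; };

static const char SECRET[] = "constructed-demo-secret"; /* constructed value */

/* Stand-in credential check that does not stop at the first wrong byte. */
static bool secret_matches(const char *pw) {
    size_t n = strlen(pw), m = sizeof(SECRET) - 1;
    unsigned char diff = (unsigned char)(n != m);
    for (size_t i = 0; i < n && i < m; i++)
        diff |= (unsigned char)(pw[i] ^ SECRET[i]);
    return diff == 0;
}

/* Before: a failed login only returns an error; later messages are not gated. */
enum result handle_before(struct session *s, enum msg m, const char *arg) {
    switch (m) {
    case MSG_LOGIN:
        if (!secret_matches(arg)) return R_BADLOGIN;
        s->authenticated = true;
        return R_OK;
    case MSG_SETUP: s->setup_done = true; return R_OK;
    case MSG_DATA:  s->packets_forwarded++; return R_OK;
    }
    return R_DENIED;
}

/* After: every message except login requires an authenticated session. */
enum result handle_after(struct session *s, enum msg m, const char *arg) {
    if (m != MSG_LOGIN && !s->authenticated) return R_DENIED;
    return handle_before(s, m, arg);
}

int main(void) {
    struct session a = {0}, b = {0};
    handle_before(&a, MSG_LOGIN, "wrong");   /* error is returned ... */
    handle_before(&a, MSG_DATA, "");         /* ... but traffic still flows */
    handle_after(&b, MSG_LOGIN, "wrong");
    handle_after(&b, MSG_DATA, "");          /* rejected: not authenticated */
    printf("before: %d forwarded, after: %d forwarded\n",
           a.packets_forwarded, b.packets_forwarded);
    return 0;
}
```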