Your message dated Tue, 07 Nov 2017 13:19:54 +0000
with message-id <e1ec3ng-000fjq...@fasolo.debian.org>
and subject line Bug#879001: fixed in libpam4j 1.4-3
has caused the Debian Bug report #879001,
regarding CVE-2017-12197: libpam4j: Account check bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
879001: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879001
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libpam4j
Version: 1.4-2
Severity: grave
Tags: security
Hi,

the following vulnerability was published for libpam4j.

CVE-2017-12197[0]: libpam4j: Account check bypass

PAM.authentication() does not call pam_acct_mgmt(). As a consequence, the
PAM account is not properly verified. Any user with a valid password but
with deactivated or disabled account is able to log in.

https://bugzilla.redhat.com/show_bug.cgi?id=1503103

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12197

Please adjust the affected versions in the BTS as needed.
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
--- End Message ---
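
The missing step described in the report, as an added example that is not part of the original messages or of libpam4j's code: a small Python model of the two PAM calls, comparing a login that stops after the password check with one that also runs the account check. The accounts are constructed, the function names `login_without_acct_check` and `login_with_acct_check` are hypothetical, and the expiry field is an assumption standing in for the account state PAM would consult.

```python
# Added illustration: a minimal model of the PAM call sequence, not libpam4j code.
# Return codes use the Linux-PAM numeric values.
import hashlib
import hmac
from datetime import date

PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN, PAM_ACCT_EXPIRED = 0, 7, 10, 13

def _digest(password):
    # Sample data only: an unsalted hash keeps the model short.
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed accounts: password digest plus an optional expiry date
# (assumption: stands in for the account-expiration state PAM checks).
ACCOUNTS = {
    "alice": {"pw": _digest("correct horse"), "expires": None},
    "bob": {"pw": _digest("hunter2"), "expires": date(2017, 1, 1)},
}

def pam_authenticate(user, password):
    """Credential check only: is the password right?"""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return PAM_USER_UNKNOWN
    ok = hmac.compare_digest(acct["pw"], _digest(password))
    return PAM_SUCCESS if ok else PAM_AUTH_ERR

def pam_acct_mgmt(user, today):
    """Account check: may this user log in now?"""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return PAM_USER_UNKNOWN
    if acct["expires"] is not None and today >= acct["expires"]:
        return PAM_ACCT_EXPIRED
    return PAM_SUCCESS

def login_without_acct_check(user, password, today):
    # Sequence described in the report: authentication alone decides.
    return pam_authenticate(user, password)

def login_with_acct_check(user, password, today):
    # Corrected sequence: both calls must return PAM_SUCCESS.
    rc = pam_authenticate(user, password)
    if rc != PAM_SUCCESS:
        return rc
    return pam_acct_mgmt(user, today)
```
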
--- Begin Message ---
Source: libpam4j
Source-Version: 1.4-3
We believe that the bug you reported is fixed in the latest version of
libpam4j, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 879...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated libpam4j package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Tue, 07 Nov 2017 13:40:55 +0100
Source: libpam4j
Binary: libpam4j-java libpam4j-java-doc
Architecture: source
Version: 1.4-3
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libpam4j-java - Java binding for libpam.so
 libpam4j-java-doc - Documentation for Java binding for libpam.so
Closes: 879001
Changes:
 libpam4j (1.4-3) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-12197 (Closes: #879001):
     It was discovered that libpam4j does not call pam_acct_mgmt().
     As a consequence, the PAM account is not properly
     verified. Any user with a valid password but with deactivated or
     disabled account was able to log in.
--- End Message ---