Your message dated Sun, 31 Oct 2021 22:43:12 +0100
with message-id <e6c432285b4d20f450f82a4570fe7df389cff32c.ca...@debian.org>
and subject line Re: systemd: CVE-2018-20839
has caused the Debian Bug report #929116,
regarding systemd: CVE-2018-20839
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
929116: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929116
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: systemd
Version: 241-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/systemd/systemd/pull/12378
Hi,
The following vulnerability was published for systemd.
CVE-2018-20839[0]:
| systemd 242 changes the VT1 mode upon a logout, which allows attackers
| to read cleartext passwords in certain circumstances, such as watching
| a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because
| the KDGKBMODE (aka current keyboard mode) check is mishandled.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-20839
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20839
[1] https://github.com/systemd/systemd/pull/12378
[2]
https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f
[3] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Hi,
given that the fix for the upstream issue was reverted and there was no
follow-up since then, I don't think there remains anything actionable on the
Debian side. I'm thus closing this bug report.
Balint, hope this makes sense. If not, it would be great if you can follow-
up on the upstream bug report.
Regards,
Michael
On Fri, 17 May 2019 14:11:21 +0200 Salvatore Bonaccorso <car...@debian.org>
wrote:
> Source: systemd
> Version: 241-3
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/systemd/systemd/pull/12378
>
> Hi,
>
> The following vulnerability was published for systemd.
>
> CVE-2018-20839[0]:
> | systemd 242 changes the VT1 mode upon a logout, which allows attackers
> | to read cleartext passwords in certain circumstances, such as watching
> | a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because
> | the KDGKBMODE (aka current keyboard mode) check is mishandled.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-20839
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20839
> [1] https://github.com/systemd/systemd/pull/12378
> [2]
https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f
> [3] https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
>
signature.asc
Description: This is a digitally signed message part
--- End Message ---
