Debian Bug report logs - #608289
CVE-2010-3905
Reported by: Giuseppe Iuculano <iuculano@debian.org>
Date: Wed, 29 Dec 2010 17:39:02 UTC
Severity: serious
Tags: security
Done: Charles Plessy <plessy@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>:
Bug#608289; Package eucalyptus.
(Wed, 29 Dec 2010 17:39:05 GMT).
Acknowledgement sent
to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>.
(Wed, 29 Dec 2010 17:39:05 GMT).
Message #5 received at submit@bugs.debian.org:
Package: eucalyptus
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for eucalyptus.
CVE-2010-3905[0]:
| The password reset feature in the administrator interface for
| Eucalyptus 2.0.0 and 2.0.1 does not perform authentication, which
| allows remote attackers to gain privileges by sending password reset
| requests for other users.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3905
http://security-tracker.debian.org/tracker/CVE-2010-3905
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>:
Bug#608289; Package eucalyptus.
(Fri, 31 Dec 2010 14:51:07 GMT).
Acknowledgement sent
to Charles Plessy <plessy@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>.
(Fri, 31 Dec 2010 14:51:07 GMT).
Message #10 received at 608289@bugs.debian.org:
tag 608289 + moreinfo
thanks
On Wed, Dec 29, 2010 at 06:35:59PM +0100, Giuseppe Iuculano wrote:
> Package: eucalyptus
> Severity: serious
> Tags: security
>
> CVE-2010-3905[0]:
> | The password reset feature in the administrator interface for
> | Eucalyptus 2.0.0 and 2.0.1 does not perform authentication, which
> | allows remote attackers to gain privileges by sending password reset
> | requests for other users.
Dear Giuseppe and Eucalyptus packagers,
Do you know if this bug also affects Eucalyptus 1.6.2? If not, we can close
it, since Debian does not distribute 2.0.0 or 2.0.1, and since I suppose that
we will jump directly to 2.0.2 or later when we upgrade the package.
Have a nice day,
--
Charles Plessy
Tsurumi, Kanagawa, Japan
Added tag(s) moreinfo.
Request was from Charles Plessy <plessy@debian.org>
to control@bugs.debian.org.
(Fri, 31 Dec 2010 14:51:08 GMT).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>:
Bug#608289; Package eucalyptus.
(Fri, 31 Dec 2010 16:03:03 GMT).
Acknowledgement sent
to Neil Soman <neil@eucalyptus.com>:
Extra info received and forwarded to list. Copy sent to Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>.
(Fri, 31 Dec 2010 16:03:03 GMT).
Message #17 received at 608289@bugs.debian.org:
Folks, this regression was introduced in the 2.0 series and does not
affect Eucalyptus 1.6.2 to the best of my knowledge.
neil
On Dec 31, 2010, at 6:51 AM, Charles Plessy <plessy@debian.org> wrote:
> tag 608289 + moreinfo
> thanks
>
> On Wed, Dec 29, 2010 at 06:35:59PM +0100, Giuseppe Iuculano wrote:
>> Package: eucalyptus
>> Severity: serious
>> Tags: security
>>
>> CVE-2010-3905[0]:
>> | The password reset feature in the administrator interface for
>> | Eucalyptus 2.0.0 and 2.0.1 does not perform authentication, which
>> | allows remote attackers to gain privileges by sending password reset
>> | requests for other users.
>
> Dear Giuseppe and Eucalyptus packagers,
>
> Do you know if this bug also affects Eucalyptus 1.6.2? If not, we can close
> it, since Debian does not distribute 2.0.0 or 2.0.1, and since I suppose that
> we will jump directly to 2.0.2 or later when we upgrade the package.
>
> Have a nice day,
>
> --
> Charles Plessy
> Tsurumi, Kanagawa, Japan
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>:
Bug#608289; Package eucalyptus.
(Sat, 01 Jan 2011 15:54:03 GMT).
Acknowledgement sent
to Charles Plessy <plessy@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Eucalyptus Maintainers <pkg-eucalyptus-maintainers@lists.alioth.debian.org>.
(Sat, 01 Jan 2011 15:54:03 GMT).
Message #22 received at 608289@bugs.debian.org:
tag 608289 - moreinfo
done 608289
thanks
On Fri, Dec 31, 2010 at 07:59:41AM -0800, Neil Soman wrote:
> Folks, this regression was introduced in the 2.0 series and does not
> affect Eucalyptus 1.6.2 to the best of my knowledge.
Thanks for the information, I am closing the bug accordingly.
Have a nice year 2011!
--
Charles
Removed tag(s) moreinfo.
Request was from Charles Plessy <plessy@debian.org>
to control@bugs.debian.org.
(Sat, 01 Jan 2011 15:54:12 GMT).
Bug closed, send any further explanations to Giuseppe Iuculano <iuculano@debian.org>
Request was from Charles Plessy <plessy@debian.org>
to control@bugs.debian.org.
(Sat, 01 Jan 2011 15:57:05 GMT).
Message sent on
to Giuseppe Iuculano <iuculano@debian.org>:
Bug#608289.
(Sat, 01 Jan 2011 15:57:08 GMT).
Message #29 received at 608289-submitter@bugs.debian.org:
close 608289
thanks
--
Charles Plessy
http://charles.plessy.org
Tsurumi, Kanagawa, Japan
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 30 Jan 2011 07:33:52 GMT).
Last modified:
Sat Jul 1 14:00:07 2023;