Debian Bug report logs - #751834
iodine: CVE-2014-4168: authentication bypass


Package: src:iodine; Maintainer for src:iodine is gregor herrmann <gregoa@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 17 Jun 2014 05:00:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version iodine/0.6.0~rc1-2

Fixed in versions iodine/0.6.0~rc1-19, iodine/0.6.0~rc1-2+deb6u1, iodine/0.6.0~rc1-12+deb7u1

Done: gregor herrmann <gregoa@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, gregor herrmann <gregoa@debian.org>:
Bug#751834; Package src:iodine. (Tue, 17 Jun 2014 05:00:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, gregor herrmann <gregoa@debian.org>. (Tue, 17 Jun 2014 05:00:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: iodine: authentication bypass
Date: Tue, 17 Jun 2014 06:57:18 +0200
Source: iodine
Version: 0.6.0~rc1-2
Severity: grave
Tags: security upstream patch fixed-upstream
Justification: user security hole

Hi Gregor,

There was a new upstream version for iodine released fixing an
authentication bypass vulnerability.

Upstream commit is at [1], but no CVE is yet assigned[2] so far.

 [1] https://github.com/yarrick/iodine/commit/b715be5cf3978fbe589b03b09c9398d0d791f850
 [2] http://www.openwall.com/lists/oss-security/2014/06/16/5

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#751834; Package src:iodine. (Tue, 17 Jun 2014 15:18:05 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. (Tue, 17 Jun 2014 15:18:05 GMT)


Message #10 received at 751834@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 751834@bugs.debian.org
Cc: Erik Ekman <yarrick@kryo.se>
Subject: Re: Bug#751834: iodine: authentication bypass
Date: Tue, 17 Jun 2014 17:13:51 +0200
On Tue, 17 Jun 2014 06:57:18 +0200, Salvatore Bonaccorso wrote:

(Cc'ing upstream)

> There was a new upstream version for iodine released 

Ha! The Debian security team is quicker than my daily uscan cronjob
:)

> fixing an
> authentication bypass vulnerability.
> 
> Upstream commit is at [1], but no CVE is yet assigned[2] so far.
> 
>  [1] https://github.com/yarrick/iodine/commit/b715be5cf3978fbe589b03b09c9398d0d791f850
>  [2] http://www.openwall.com/lists/oss-security/2014/06/16/5

Thanks!

I suppose we also need the fix in (old?-)stable; and it might also
make sense to upload the current 0.6 package with only this fix to
unstable with urgency high before looking into 0.7.0.

Unfortunately the patch doesn't apply cleanly (neither against
0.6.0~rc1-18 in Debian nor against the iodine-0.6 branch in upstream
git). I've tried to resolve the merge conflicts and came up with the
attached patch.

Could the two of you please take a look at it to check if it's sane?
-- Which it probably isn't since the tests fail now; or the test
suite needs more adoption as well ... *sigh*

#v+
   dh_auto_test
make[1]: Entering directory '/tmp/buildd/iodine-0.6.0~rc1'
make[2]: Entering directory '/tmp/buildd/iodine-0.6.0~rc1/src'
OS is LINUX, arch is x86_64
make[2]: Leaving directory '/tmp/buildd/iodine-0.6.0~rc1/src'
!! The check library is required for compiling and running the tests
!! Get it at http://check.sf.net
make[2]: Entering directory '/tmp/buildd/iodine-0.6.0~rc1/tests'
CC test.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D`uname | tr "a-z" "A-Z"` -I../src -I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c test.c
CC base32.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D`uname | tr "a-z" "A-Z"` -I../src -I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c base32.c
CC base64.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D`uname | tr "a-z" "A-Z"` -I../src -I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c base64.c
CC read.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D`uname | tr "a-z" "A-Z"` -I../src -I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c read.c
CC dns.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D`uname | tr "a-z" "A-Z"` -I../src -I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c dns.c
CC encoding.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D`uname | tr "a-z" "A-Z"` -I../src -I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c encoding.c
CC login.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D`uname | tr "a-z" "A-Z"` -I../src -I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c login.c
CC user.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D`uname | tr "a-z" "A-Z"` -I../src -I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c user.c
CC fw_query.c
gcc -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D`uname | tr "a-z" "A-Z"` -I../src -I/usr/local/include -pedantic `../src/osflags cflags` -D_FORTIFY_SOURCE=2 -c fw_query.c
LD test
gcc -o test ../src/base32.o  ../src/base64.o ../src/read.o ../src/dns.o ../src/encoding.o ../src/login.o ../src/md5.o ../src/user.o ../src/fw_query.o test.o base32.o base64.o read.o dns.o encoding.o login.o user.o fw_query.o -L/usr/local/lib -lcheck `pkg-config --cflags --libs check` `../src/osflags link`
Running suite(s): iodine
96%: Checks: 61, Failures: 2, Errors: 0
user.c:69:F:User:test_users_waiting:0: Assertion 'users_waiting_on_reply() == 1' failed
user.c:96:F:User:test_find_user_by_ip:0: Assertion 'find_user_by_ip(testip) == -1' failed
Makefile:13: recipe for target 'all' failed
make[2]: *** [all] Error 1
make[2]: Leaving directory '/tmp/buildd/iodine-0.6.0~rc1/tests'
Makefile:53: recipe for target 'test' failed
make[1]: *** [test] Error 2
make[1]: Leaving directory '/tmp/buildd/iodine-0.6.0~rc1'
dh_auto_test: make -j1 test returned exit code 2
#v-

@Erik: Maybe you could also backport the fix to the iodine-0.6
branch?


Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Sophie Hunger: House of Gods
[751834_authentication_bypass.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#751834; Package src:iodine. (Tue, 17 Jun 2014 17:42:10 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. (Tue, 17 Jun 2014 17:42:10 GMT)


Message #15 received at 751834@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Erik Ekman <yarrick@kryo.se>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 751834@bugs.debian.org
Subject: Re: Bug#751834: iodine: authentication bypass
Date: Tue, 17 Jun 2014 19:39:57 +0200
Control: tag -1 + upstream fixed-upstream patch pending

On Tue, 17 Jun 2014 19:20:29 +0200, Erik Ekman wrote:

> > @Erik: Maybe you could also backport the fix to the iodine-0.6
> > branch?
> I pushed an 0.6.0 with the fix here:
> https://github.com/yarrick/iodine/tree/iodine-0.6.0
> No tarball is built though.
> Fix is
> https://github.com/yarrick/iodine/commit/9e265625a1ac8aafbe2812c67de7ddbbf1793a0e

Yay \o/
Thanks a lot.

Commit taken, applied as a patch to the Debian package, and the tests
pass.

> I will go on 3.5 week vacation tomorrow, so I will be mostly unreachable.
> Good luck :)

Enjoy your vacation!


Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   

Added tag(s) pending. Request was from gregor herrmann <gregoa@debian.org> to 751834-submit@bugs.debian.org. (Tue, 17 Jun 2014 17:42:10 GMT)


Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Tue, 17 Jun 2014 19:15:31 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 17 Jun 2014 19:15:31 GMT)


Message #22 received at 751834-close@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: 751834-close@bugs.debian.org
Subject: Bug#751834: fixed in iodine 0.6.0~rc1-19
Date: Tue, 17 Jun 2014 19:03:29 +0000
Source: iodine
Source-Version: 0.6.0~rc1-19

We believe that the bug you reported is fixed in the latest version of
iodine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 751834@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated iodine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 17 Jun 2014 20:50:54 +0200
Source: iodine
Binary: iodine
Architecture: source amd64
Version: 0.6.0~rc1-19
Distribution: unstable
Urgency: high
Maintainer: gregor herrmann <gregoa@debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Description:
 iodine     - tool for tunneling IPv4 data through a DNS server
Closes: 751834
Changes:
 iodine (0.6.0~rc1-19) unstable; urgency=high
 .
   * Add patch 0001-Fix-authentication-bypass-bug.patch from upstream's
     iodine-0.6.0 branch.
 .
     This fixes a security problem where the client could bypass the password
     check by continuing after getting an error from the server and guessing
     the network parameters and the server would still accept the rest of the
     setup and also network traffic. The patch adds checks for normal and raw
     mode that user has authenticated before allowing any other communication.
 .
     Thanks to Salvatore Bonaccorso for the bug report, and Erik Ekman for
     backporting the fix super fast.
     (Closes: #751834)
 .
     Set urgency=high.
 .
   * Declare compliance with Debian Policy 3.9.5.
Checksums-Sha1:
 52e503284bedb3970c61b50cc3dd32551b2749dc 2064 iodine_0.6.0~rc1-19.dsc
 fa9a67df80775ba8236132c22818dcd867c8fda7 24328 iodine_0.6.0~rc1-19.debian.tar.xz
 3ed28f69a03fe468f61fb24ee67e8e0d6ecc6dc6 86512 iodine_0.6.0~rc1-19_amd64.deb
Checksums-Sha256:
 3682c0477523ae1e5cc2fc74ac57ce22af661d8b3c1070b890aade7d50c14d98 2064 iodine_0.6.0~rc1-19.dsc
 9a91089cbb8d8dcc7b70dbfa995d8f1fcdd36da641d9cec85da6662059d84723 24328 iodine_0.6.0~rc1-19.debian.tar.xz
 f7ea219c154d3d0cc916c1643eaa719a4e17f70741ad9c776139544b5f497200 86512 iodine_0.6.0~rc1-19_amd64.deb
Files:
 d3c27abe85ac8c21b34ec29606465595 86512 net extra iodine_0.6.0~rc1-19_amd64.deb
 400033f8968708f5c6e7aa01fb3704d3 2064 net extra iodine_0.6.0~rc1-19.dsc
 7951cf486be2fdb24dbfc958e73a4160 24328 net extra iodine_0.6.0~rc1-19.debian.tar.xz





Changed Bug title to 'iodine: CVE-2014-4168: authentication bypass' from 'iodine: authentication bypass' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 18 Jun 2014 04:36:05 GMT)
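The changelog in message #22 above states the bug in one sentence: a client that receives a login error, carries on anyway and guesses the network parameters still has its setup accepted and its traffic relayed, and the fix gates every later step, in both normal and raw mode, on the user having authenticated. The following C model is an added example written for this page, not code from iodine or from the upstream commits linked above; the message names, the PASSWORD constant, the struct fields and the handler and driver function names are illustrative assumptions. It shows the vulnerable handler shape beside the hardened one and drives the bypass sequence through both.

```c
/* Added example: a minimal model of a DNS-tunnel server's per-session
 * handshake state. NOT iodine's code; names and fields are illustrative. */
#include <string.h>

#define PASSWORD "example-secret"   /* constructed sample secret */

enum msg { MSG_VERSION, MSG_LOGIN, MSG_IPREQ, MSG_DATA, MSG_RAW_DATA };
enum reply { REPLY_OK, REPLY_BADLOGIN, REPLY_DENIED };

struct user {
    int active;          /* set by the VERSION exchange */
    int authenticated;   /* set only by a successful LOGIN */
    int ip_assigned;     /* set by IPREQ (client asks for tunnel IP/netmask) */
    int relayed;         /* payload messages forwarded to the tun device */
};

typedef int (*handler_fn)(struct user *, enum msg, const char *);

/* Vulnerable shape: a failed LOGIN returns an error, but the slot stays
 * 'active' and later message types only check 'active' (and whatever the
 * client already asked for), so a client that ignores the error and
 * guesses the network parameters still gets traffic relayed. */
int handle_vulnerable(struct user *u, enum msg m, const char *arg)
{
    switch (m) {
    case MSG_VERSION:
        u->active = 1;
        return REPLY_OK;
    case MSG_LOGIN:
        if (u->active && strcmp(arg, PASSWORD) == 0) {
            u->authenticated = 1;
            return REPLY_OK;
        }
        return REPLY_BADLOGIN;            /* error sent; u->active stays set */
    case MSG_IPREQ:
        if (!u->active) return REPLY_DENIED;
        u->ip_assigned = 1;
        return REPLY_OK;
    case MSG_DATA:
    case MSG_RAW_DATA:
        if (!u->active || !u->ip_assigned) return REPLY_DENIED;
        u->relayed++;
        return REPLY_OK;
    }
    return REPLY_DENIED;
}

/* Hardened shape: every message after LOGIN is gated on 'authenticated',
 * on both the DNS-encoded (normal) path and the raw path, and a failed
 * LOGIN also releases the slot so nothing can be built on top of it. */
int handle_hardened(struct user *u, enum msg m, const char *arg)
{
    switch (m) {
    case MSG_VERSION:
        u->active = 1;
        u->authenticated = 0;
        u->ip_assigned = 0;
        return REPLY_OK;
    case MSG_LOGIN:
        if (u->active && strcmp(arg, PASSWORD) == 0) {
            u->authenticated = 1;
            return REPLY_OK;
        }
        u->active = 0;                    /* drop the slot on failure */
        return REPLY_BADLOGIN;
    case MSG_IPREQ:
        if (!u->active || !u->authenticated) return REPLY_DENIED;
        u->ip_assigned = 1;
        return REPLY_OK;
    case MSG_DATA:
    case MSG_RAW_DATA:
        if (!u->active || !u->authenticated || !u->ip_assigned)
            return REPLY_DENIED;
        u->relayed++;
        return REPLY_OK;
    }
    return REPLY_DENIED;
}

/* Drive the bypass from the changelog: wrong password, ignore the error,
 * continue with IPREQ and traffic. Returns how many payloads got relayed. */
int bypass_relayed(handler_fn h, int raw)
{
    struct user u = {0};
    h(&u, MSG_VERSION, "");
    h(&u, MSG_LOGIN, "wrong-guess");      /* server answers REPLY_BADLOGIN */
    h(&u, MSG_IPREQ, "");                 /* client carries on regardless */
    h(&u, raw ? MSG_RAW_DATA : MSG_DATA, "payload");
    return u.relayed;
}

/* A correct login must still work after hardening. */
int legit_relayed(handler_fn h)
{
    struct user u = {0};
    h(&u, MSG_VERSION, "");
    h(&u, MSG_LOGIN, PASSWORD);
    h(&u, MSG_IPREQ, "");
    h(&u, MSG_DATA, "payload");
    return u.relayed;
}
```

The general lesson is the one the changelog draws: a server that records "this slot is in use" before the credential check must re-check "this slot is authenticated" at every later step, including any alternate transport such as a raw-socket path, rather than trusting that the client stopped when it was told no.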


Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Sat, 21 Jun 2014 13:51:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 21 Jun 2014 13:51:09 GMT)


Message #29 received at 751834-close@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: 751834-close@bugs.debian.org
Subject: Bug#751834: fixed in iodine 0.6.0~rc1-2+deb6u1
Date: Sat, 21 Jun 2014 13:48:24 +0000
Source: iodine
Source-Version: 0.6.0~rc1-2+deb6u1

We believe that the bug you reported is fixed in the latest version of
iodine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 751834@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated iodine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 21 Jun 2014 15:31:04 +0200
Source: iodine
Binary: iodine
Architecture: source amd64
Version: 0.6.0~rc1-2+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: gregor herrmann <gregoa@debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Description: 
 iodine     - tool for tunneling IPv4 data through a DNS server
Closes: 751834
Changes: 
 iodine (0.6.0~rc1-2+deb6u1) squeeze-lts; urgency=high
 .
   * Add patch 0001-Fix-authentication-bypass-bug.patch from upstream's
     iodine-0.6.0 branch.
 .
     This fixes a security problem where the client could bypass the password
     check by continuing after getting an error from the server and guessing
     the network parameters and the server would still accept the rest of the
     setup and also network traffic. The patch adds checks for normal and raw
     mode that user has authenticated before allowing any other communication.
 .
     Thanks to Salvatore Bonaccorso for the bug report, and Erik Ekman for
     backporting the fix super fast.
     (Closes: #751834 - CVE-2014-4168)
 .
     Set urgency=high.
Checksums-Sha1: 
 3a25f71009fa497aac42c8391ca8fe3ba36810e9 2027 iodine_0.6.0~rc1-2+deb6u1.dsc
 0bda271c95a6a787bd743ac924987a01f7b6a3da 22944 iodine_0.6.0~rc1-2+deb6u1.debian.tar.gz
 c146335ae7d7c777d71b297cac9e5f56af875743 101862 iodine_0.6.0~rc1-2+deb6u1_amd64.deb
Checksums-Sha256: 
 8b6de30787e0c915e911eff7c874c8a34406025d5fa05a4daad2dead346d2dd8 2027 iodine_0.6.0~rc1-2+deb6u1.dsc
 254369787a66b034926a3301e633e427f948f5cfa093a3336017adc2a2a730a8 22944 iodine_0.6.0~rc1-2+deb6u1.debian.tar.gz
 8bceda8ed8a001d954eb8c1d29d60a298aeb5efa3995ea031273c88ea9b6d1c1 101862 iodine_0.6.0~rc1-2+deb6u1_amd64.deb
Files: 
 1f75c49544ce4ec3075d3edd0d24f8fd 2027 net extra iodine_0.6.0~rc1-2+deb6u1.dsc
 36e1384c41321083b6f01b2b01fb6d9c 22944 net extra iodine_0.6.0~rc1-2+deb6u1.debian.tar.gz
 12380f3052698334617a166011b33fb8 101862 net extra iodine_0.6.0~rc1-2+deb6u1_amd64.deb





Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Sat, 21 Jun 2014 18:33:18 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 21 Jun 2014 18:33:18 GMT)


Message #34 received at 751834-close@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: 751834-close@bugs.debian.org
Subject: Bug#751834: fixed in iodine 0.6.0~rc1-12+deb7u1
Date: Sat, 21 Jun 2014 18:32:04 +0000
Source: iodine
Source-Version: 0.6.0~rc1-12+deb7u1

We believe that the bug you reported is fixed in the latest version of
iodine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 751834@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated iodine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 17 Jun 2014 21:27:48 +0200
Source: iodine
Binary: iodine
Architecture: source amd64
Version: 0.6.0~rc1-12+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: gregor herrmann <gregoa@debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Description: 
 iodine     - tool for tunneling IPv4 data through a DNS server
Closes: 751834
Changes: 
 iodine (0.6.0~rc1-12+deb7u1) wheezy-security; urgency=high
 .
   * Add patch 0001-Fix-authentication-bypass-bug.patch from upstream's
     iodine-0.6.0 branch.
 .
     This fixes a security problem where the client could bypass the password
     check by continuing after getting an error from the server and guessing
     the network parameters and the server would still accept the rest of the
     setup and also network traffic. The patch adds checks for normal and raw
     mode that user has authenticated before allowing any other communication.
 .
     Thanks to Salvatore Bonaccorso for the bug report, and Erik Ekman for
     backporting the fix super fast.
     (Closes: #751834)
 .
     Set urgency=high.
Checksums-Sha1: 
 d486c694b46c3a5649cef671d71a23b5409c6aed 2061 iodine_0.6.0~rc1-12+deb7u1.dsc
 4fa9a248b8a84df8a727a5d749e669e58136edca 89827 iodine_0.6.0~rc1.orig.tar.gz
 bb3f93234e68d9817be9ab625b347e84c33c4a53 27040 iodine_0.6.0~rc1-12+deb7u1.debian.tar.gz
 10a99e633ffd13976a348a2bea64952dd0bba752 108094 iodine_0.6.0~rc1-12+deb7u1_amd64.deb
Checksums-Sha256: 
 d7fd95f50d3a7624916efee576ee9b7ac065658e01c21f84e0e7e51e4d074c60 2061 iodine_0.6.0~rc1-12+deb7u1.dsc
 dacf950198b68fd1dae09fe980080155b0c75718f581c08e069eee0c1b6c5e60 89827 iodine_0.6.0~rc1.orig.tar.gz
 2da3e327499ff0058e80a482485af84e419ce68648f1e07b6aa150db7e0c3225 27040 iodine_0.6.0~rc1-12+deb7u1.debian.tar.gz
 984a57ab9ce0b879238bdd61bd393786e5d169ecafd0169d71996194cee791f6 108094 iodine_0.6.0~rc1-12+deb7u1_amd64.deb
Files: 
 d52034363286b295ebb368d221d880f8 2061 net extra iodine_0.6.0~rc1-12+deb7u1.dsc
 a15bb4faba020d217016fde6e231074a 89827 net extra iodine_0.6.0~rc1.orig.tar.gz
 17b9b004e2dfff1ed6e8b0347364ad5d 27040 net extra iodine_0.6.0~rc1-12+deb7u1.debian.tar.gz
 bf2f4f576f623e636ab29c276464f87d 108094 net extra iodine_0.6.0~rc1-12+deb7u1_amd64.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 25 Jul 2014 07:28:07 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 21:56:13 2025; Machine Name: buxtehude
