Debian Bug report logs - #962830
libpam-tacplus: CVE-2020-13881
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 14 Jun 2020 19:45:04 UTC
Severity: grave
Tags: fixed-upstream, security, upstream
Found in version libpam-tacplus/1.3.8-2
Fixed in versions libpam-tacplus/1.3.8-2+deb10u1, libpam-tacplus/1.3.8-2+deb8u1, libpam-tacplus/1.3.8-2.1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://github.com/kravietz/pam_tacplus/issues/149
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Jeroen Nijhof <jeroen@jeroennijhof.nl>: Bug#962830; Package src:libpam-tacplus. (Sun, 14 Jun 2020 19:45:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Jeroen Nijhof <jeroen@jeroennijhof.nl>. (Sun, 14 Jun 2020 19:45:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: libpam-tacplus
Version: 1.3.8-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/kravietz/pam_tacplus/issues/149
Hi,
The following vulnerability was published for libpam-tacplus.
CVE-2020-13881[0]:
| In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared
| secret gets logged via syslog if the DEBUG loglevel and journald are
| used.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-13881
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13881
[1] https://github.com/kravietz/pam_tacplus/issues/149
Regards,
Salvatore
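The leak class named in the CVE text above, as an added illustration that is not pam_tacplus's own code: a debug line that echoes every PAM module argument verbatim carries `secret=...` straight into syslog or journald, while the hardened variant masks the value before it is logged. The option names, the sample arguments and the `SENSITIVE_KEYS` list are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not pam_tacplus code: building the debug line a PAM
 * module emits for each of its "key=value" arguments. The leaky form
 * echoes the argument verbatim, so "secret=..." ends up in syslog or
 * journald in plaintext; the hardened form masks sensitive values. */

/* Option names whose values must never reach the log (assumed list). */
static const char *const SENSITIVE_KEYS[] = { "secret", "key", NULL };

static int is_sensitive(const char *key, size_t keylen) {
    for (const char *const *k = SENSITIVE_KEYS; *k; k++)
        if (strlen(*k) == keylen && strncmp(*k, key, keylen) == 0)
            return 1;
    return 0;
}

/* Vulnerable: the log line reproduces the argument, value included. */
void format_option_leaky(const char *arg, char *out, size_t outlen) {
    snprintf(out, outlen, "option: %s", arg);
}

/* Hardened: for a sensitive key only the name is logged, so the line still
 * shows the option was set while the value stays out of the journal. */
void format_option_redacted(const char *arg, char *out, size_t outlen) {
    const char *eq = strchr(arg, '=');
    if (eq && is_sensitive(arg, (size_t)(eq - arg)))
        snprintf(out, outlen, "option: %.*s=<redacted>", (int)(eq - arg), arg);
    else
        snprintf(out, outlen, "option: %s", arg);
}

int main(void) {
    /* Constructed sample arguments, as they might appear in a pam.d file. */
    const char *args[] = { "debug", "server=tacacs.example.net", "secret=hunter2" };
    char line[256];
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        format_option_leaky(args[i], line, sizeof line);
        printf("leaky:    %s\n", line);
        format_option_redacted(args[i], line, sizeof line);
        printf("redacted: %s\n", line);
    }
    return 0;
}
```

The exact-length key comparison matters: a prefix match would also redact unrelated options such as `secretary=`, and a substring match would miss nothing but redact too much.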
Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 18 Jun 2020 17:21:11 GMT)
Severity set to 'grave' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 02 Jan 2021 12:12:09 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen Nijhof <jeroen@jeroennijhof.nl>: Bug#962830; Package src:libpam-tacplus. (Sun, 09 May 2021 19:21:03 GMT)
Acknowledgement sent to Andreas Beckmann <anbe@debian.org>: Extra info received and forwarded to list. Copy sent to Jeroen Nijhof <jeroen@jeroennijhof.nl>. (Sun, 09 May 2021 19:21:04 GMT)
Message #14 received at 962830@bugs.debian.org:
Followup-For: Bug #962830
So far this was only fixed in jessie-lts, causing a version ordering
violation on upgrades:
libpam-tacplus | 1.3.8-2 | jessie | source
libpam-tacplus | 1.3.8-2 | stretch | source
libpam-tacplus | 1.3.8-2 | buster | source
libpam-tacplus | 1.3.8-2 | sid | source
libpam-tacplus | 1.3.8-2+deb8u1 | jessie-security | source
Andreas
Marked as fixed in versions libpam-tacplus/1.3.8-2+deb8u1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sun, 09 May 2021 19:30:06 GMT)
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Tue, 03 Aug 2021 09:21:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 03 Aug 2021 09:21:03 GMT)
Message #21 received at 962830-done@bugs.debian.org:
Source: libpam-tacplus
Source-Version: 1.3.8-2.1
----- Forwarded message from Debian FTP Masters <ftpmaster@ftp-master.debian.org> -----
Format: 1.8
Date: Mon, 02 Aug 2021 22:40:40 +0530
Source: libpam-tacplus
Architecture: source
Version: 1.3.8-2.1
Distribution: unstable
Urgency: medium
Maintainer: Jeroen Nijhof <jeroen@jeroennijhof.nl>
Changed-By: Utkarsh Gupta <utkarsh@debian.org>
Changes:
libpam-tacplus (1.3.8-2.1) unstable; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2020-13881: Prevent shared secrets (such as private server keys)
    from being added in plaintext to the system log.
----- End forwarded message -----
Marked as fixed in versions libpam-tacplus/1.3.8-2+deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 04 Aug 2021 13:27:02 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 13 Sep 2021 07:27:49 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Sun Oct 8 03:11:28 2023; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.