Bug#: 120842
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sander Knopper <sander@knopper.tk>

Filename | Description | Type | Creator | Created | Size
pam_mysql-0.6.2.ebuild | Ebuild proposal for the 0.6.2 pam_mysql | application/octet-stream | Cyrius | 2006-02-18 03:11 0000 | 775 bytes
pam_mysql-0.6.2.ebuild | Ebuild proposal for the 0.6.2 pam_mysql | application/octet-stream | Cyrius | 2006-02-18 03:20 0000 | 672 bytes
pam_mysql-0.7_rc1.ebuild | Ebuild proposal for the 0.7RC1 pam_mysql | application/octet-stream | Cyrius | 2006-02-18 03:32 0000 | 789 bytes
pam_mysql.tar.bz2 | 0.6.2 and 0.7_rc1 versions corrected | application/octet-stream | Cyrius | 2006-02-19 09:25 0000 | 3.42 KB
pam_mysql-0.6.0-to-0.6.2.patch | pam_mysql-0.6.0-to-0.6.2.patch | patch | W-Mark Kubacki | 2006-04-26 05:58 0000 | 1.40 KB
pam_mysql-0.6_md5_openssl.patch | pam_mysql-0.6_md5_openssl.patch | patch | W-Mark Kubacki | 2006-04-26 05:59 0000 | 379 bytes
pam_mysql-0.6_md5_sasl2.patch | pam_mysql-0.6_md5_sasl2.patch | patch | W-Mark Kubacki | 2006-04-26 06:00 0000 | 403 bytes
pam_mysql-0.7_rc1.ebuild.md5.patch | pam_mysql-0.7_rc1.ebuild.md5.patch | patch | W-Mark Kubacki | 2006-05-18 03:11 0000 | 1.49 KB

Bug 120842 depends on: 123405

Description:   Opened: 2006-01-29 11:03 0000
I'd appreciate it if someone put the latest stable release from upstream in
portage. At the time of writing this is 0.6.2, though work seems to be going on
for 0.7.

Thanks in advance!

------- Comment #1 From Cyrius 2006-02-18 03:11:47 0000 -------
Created an attachment (id=80075)
Ebuild proposal for the 0.6.2 pam_mysql

------- Comment #2 From Cyrius 2006-02-18 03:12:21 0000 -------
(From update of attachment 80075)
Pleasure to help

------- Comment #3 From Cyrius 2006-02-18 03:20:30 0000 -------
Created an attachment (id=80076)
Ebuild proposal for the 0.6.2 pam_mysql

Header line corrected to respect the ebuild documentation
Pleasure to help

------- Comment #4 From Cyrius 2006-02-18 03:32:17 0000 -------
Created an attachment (id=80078)
Ebuild proposal for the 0.7RC1 pam_mysql

Pleasure to help

------- Comment #5 From Cyrius 2006-02-18 10:12:12 0000 -------
I had a look at the sasl2 and openssl options.
Ok, it won't work in this state.
The configure file searches for some directories which don't exist.
I don't understand why. So if someone could help ...

------- Comment #6 From Cyrius 2006-02-19 09:25:07 0000 -------
Created an attachment (id=80193)
0.6.2 and 0.7_rc1 versions corrected

Hi guys,

   I hope to have corrected those versions to take into account sasl2 and
openssl.
   In fact this module was done on the Debian distrib and never found the
necessary includes and C functions to correctly link with ssl or sasl.
   So, I hope to have correctly modified the necessary files.

   Would it be possible for someone to test it, please?

Cyrius

------- Comment #7 From Cyrius 2006-02-19 10:00:09 0000 -------
(From update of attachment 80193)
see bug 123405

------- Comment #8 From Diego E. 'Flameeyes' Pettenò 2006-04-21 08:50:18 0000 -------
*** Bug 85787 has been marked as a duplicate of this bug. ***

------- Comment #9 From Diego E. 'Flameeyes' Pettenò 2006-04-21 08:57:42 0000 -------
*** Bug 104967 has been marked as a duplicate of this bug. ***

------- Comment #10 From Diego E. 'Flameeyes' Pettenò 2006-04-21 09:02:11 0000 -------
*** Bug 123405 has been marked as a duplicate of this bug. ***

------- Comment #11 From W-Mark Kubacki 2006-04-26 05:58:18 0000 -------
Created an attachment (id=85531)
pam_mysql-0.6.0-to-0.6.2.patch

I'd like to contribute this patch against pam_mysql-0.6.0.ebuild.

It is not only a version bump but also provides a workaround for the configure
bug which prevents headers for MD5 from being found. MD5-support (crypt=3) works.

------- Comment #12 From W-Mark Kubacki 2006-04-26 05:59:49 0000 -------
Created an attachment (id=85532)
pam_mysql-0.6_md5_openssl.patch

------- Comment #13 From W-Mark Kubacki 2006-04-26 06:00:20 0000 -------
Created an attachment (id=85533)
pam_mysql-0.6_md5_sasl2.patch

------- Comment #14 From Tuan Van (RETIRED) 2006-05-09 12:08:35 0000 -------
quoted from http://pam-mysql.sourceforge.net/News/00005.php

Addressed security concerns:

    * Possible segmentation fault in the SQL logging facility, which can cause
      Denial-of-Service (DoS).
    * Flaws in the authentication and authentication token alteration code
      where incorrect treatment of the pointer returned by pam_get_item() were
      spotted. They can most likely induce DoS or possibly lead to more severe
      problems.

security team, please do your check.

------- Comment #15 From Diego E. 'Flameeyes' Pettenò 2006-05-09 12:20:06 0000 -------
If this is a security concern I'm for masking and asking for a new maintainer
on g-dev until someone steps up, and deleted when the case.

------- Comment #16 From Sune Kloppenborg Jeppesen 2006-05-09 13:47:05 0000 -------
Reassigning to security.

------- Comment #17 From Sune Kloppenborg Jeppesen 2006-05-09 14:02:32 0000 -------
Maintainer mail sent to -dev.

------- Comment #18 From Francesco R. (RETIRED) 2006-05-10 03:03:02 0000 -------
pam-mysql 0.7RC1 added to the tree, the package now belongs to the "mysql" herd,
still need to look in depth at the patches "pam_mysql-0.6_md5_openssl.patch"
and "pam_mysql-0.6_md5_sasl2.patch", these, temporarily, have _not_ been applied.

rgds, Francesco Riosa

P.S. I'm using 0.7RC1 from a pair of weeks on amd64

------- Comment #19 From Stefan Cornelius (RETIRED) 2006-05-10 03:21:14 0000 -------
vivo, is this ready to be stable?

------- Comment #20 From Francesco R. (RETIRED) 2006-05-10 06:52:27 0000 -------
two additional use flags need to be added, "openssl" and "sasl", but they need the
usual little modifications to the ebuild and further testing, so better do that
in a "-r1".

As is the package is minimally tested, only amd64, basically I do use it as
auth system on a mail-server where sasl+mysql was not an option.

However it compiles and runs, so yes it's ready for arch testers and
stabilization.

------- Comment #21 From Mark Loeser 2006-05-17 17:32:52 0000 -------
x86 done

------- Comment #22 From W-Mark Kubacki 2006-05-18 03:11:57 0000 -------
Created an attachment (id=86990)
pam_mysql-0.7_rc1.ebuild.md5.patch

Please see the attached patch which addresses the configure bug which prevents
headers for MD5 from being found.

The patch is to be applied on the current ebuild.

I've already published a complete ebuild here: http://svn.ossdl.de/all/ossdl/

------- Comment #23 From Thomas Cort (RETIRED) 2006-05-18 19:37:24 0000 -------
alpha done.

I noticed 0.5 is stable on ppc, but 0.7_rc1 is still ~ppc. Maybe they should be
added to CC to stabilize 0.7_rc1 too?

------- Comment #24 From Stefan Cornelius (RETIRED) 2006-05-18 23:30:06 0000 -------
ppc please test and stable, thanks. Also thanks to tcort for the heads-up

------- Comment #25 From Cyrius 2006-05-19 02:03:41 0000 -------
Hello all,

   I'm clearly disappointed and discouraged. I've already done this in the
123405 bug.
   Then I don't understand you. Why do you not directly keep those attachments
from 123405 and correct them here ????

   I mean using sed like you want and others ?
   Could you explain your position ?
   That's great to rediscover what I've already tested and done.


Cyrius

------- Comment #26 From Tobias Scherbaum 2006-05-19 11:56:47 0000 -------
ppc stable

------- Comment #27 From Raphael Marichez 2006-05-30 05:34:00 0000 -------
[glsa voting]

OK, I shoot first.

I would vote no glsa.

------- Comment #28 From Wolf Giesen (RETIRED) 2006-05-30 05:38:56 0000 -------
Phew. Gut feeling says "no" since I don't really see a big impact. On the other
hand, it's still valid and we don't give anything away by doing a GLSA. So why
not, in doubt count me as "yes".

------- Comment #29 From Dax 2006-05-30 06:07:08 0000 -------
I agree with frilled, why not,
vote yes glsa
rgds
daxomatic

------- Comment #30 From Thierry Carrez (RETIRED) 2006-05-30 09:22:42 0000 -------
Voting yes

------- Comment #31 From Raphael Marichez 2006-06-08 03:35:14 0000 -------
sec-devs, please vote and decide on this B2-maybe. One "yes" would be
sufficient.

------- Comment #32 From Sune Kloppenborg Jeppesen 2006-06-11 12:23:53 0000 -------
I vote YES.

------- Comment #33 From Wolf Giesen (RETIRED) 2006-06-12 21:11:08 0000 -------
Can we have someone from auditing take a deeper look at what's described as "or
possibly lead to more severe problems"
(http://pam-mysql.sourceforge.net/News/), or does somebody know?

------- Comment #34 From Sune Kloppenborg Jeppesen 2006-06-15 09:14:51 0000 -------
Thx everyone.

GLSA 200606-18
