Date: Tue, 31 Jan 2012 08:32:42 +0200
From: Nanakos Chrysostomos <nanakos@...ed-net.gr>
To: Kurt Seifried <kseifried@...hat.com>
Cc: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
 Jonathan Wiltshire <jmw@...ian.org>,
 Gian Piero Carrubba <gpiero@...rf.it>,
 "team@...urity.debian.org" <team@...urity.debian.org>
Subject: Re: Re: Yubiserver package ships with pre-filled identities

On 31 Jan 2012, at 4:22, Kurt Seifried <kseifried@...hat.com> wrote:

> On 01/30/2012 03:14 PM, Nanakos Chrysostomos wrote:
>
>>> Is this account documented/the impact documented?
>>>
>>
>> What do you mean?
>
> Is this issue clearly documented, e.g. do the docs say "WARNING: A
> DEFAULT ACCOUNT IS ENABLED. THIS IS NOT SAFE. IT MUST BE REMOVED PRIOR
> TO PRODUCTION USE" and so on.
>

No, it's not. In the meantime I have fixed both upstream versions provided through my site, and a new package version has been sponsored in Debian that eliminates the problem. Is there anything else that has to be done?

Thanks?
Chris.

> Steve: thoughts/comments?
>
> --
> Kurt Seifried Red Hat Security Response Team (SRT)