Date: Sun, 9 Feb 2014 19:34:47 -0500 (EST)
From: cve-assign@...re.org
To: fw@...eb.enyo.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: oath-toolkit PAM module OTP token invalidation issue

> http://lists.nongnu.org/archive/html/oath-toolkit-help/2013-12/msg00000.html

> There is a test file with comments in the distribution, so I believe
> this is an actual bug with security implications

> leaving it vulnerable to replay of OTPs

> It will keep on updating the commented-out entry, whilst leaving the
> entry for secret "efgh" untouched.

> because skipped_users wasn't incremented, writes the update to the
> commented out line.

Use CVE-2013-7322.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

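An added audit example, not part of the original message and not oath-toolkit code: it scans a usersfile for commented-out entries whose user also has a live entry, the layout the quoted report ties to the OTP state update landing on the comment line. The field layout (`TYPE USER PIN SECRET ...`, type starting with `HOTP`, `#` for comments), the function name and the sample data are assumptions.

```python
import re

# Assumed usersfile layout (not quoted in the message above): whitespace-
# separated fields "TYPE USER PIN SECRET [state...]", TYPE starting with
# HOTP, and '#' marking a comment line.
ENTRY = re.compile(r"^(HOTP\S*)\s+(\S+)\s+(\S+)\s+(\S+)")


def audit_usersfile(text):
    """Return (comment_line_no, live_line_no, user) for every commented-out
    entry whose user also has a live entry in the same file."""
    commented = []   # (line number, user) for each commented-out entry
    live = {}        # user -> line number of the first live entry
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        is_comment = line.startswith("#")
        # Strip the comment marker so a disabled entry parses like a live one.
        m = ENTRY.match(line.lstrip("#").strip())
        if not m:
            continue  # blank line, free-text comment, or unknown format
        user = m.group(2)
        if is_comment:
            commented.append((no, user))
        else:
            live.setdefault(user, no)
    return [(c_no, live[user], user) for c_no, user in commented if user in live]


# Constructed sample: alice has a disabled entry next to a live one,
# bob has only a live entry, carol has only a disabled entry.
SAMPLE = """\
# rotated secret
#HOTP alice - abcd
HOTP alice - efgh
HOTP bob - 1234
#HOTP carol - 9999
"""

if __name__ == "__main__":
    for c_no, l_no, user in audit_usersfile(SAMPLE):
        print(f"line {c_no}: commented-out entry for {user!r} "
              f"coexists with live entry on line {l_no}")
```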