[pkg-eucalyptus-maintainers] [Debian] Re: Bug#608289: Bug#608289: CVE-2010-3905

Neil Soman neil at eucalyptus.com
Fri Dec 31 16:06:09 UTC 2010


Steffen, are you saying that this bug is present in 1.6.2 as well? If
so, my source is wrong :) I'll verify it.

Regards,
neil



On Dec 31, 2010, at 8:02 AM, "Steffen Möller" <steffen_moeller at gmx.de> wrote:

> On 12/31/2010 03:45 PM, Charles Plessy wrote:
>> tag 608289 + moreinfo
>> thanks
>>
>> On Wed, Dec 29, 2010 at 06:35:59PM +0100, Giuseppe Iuculano wrote:
>>> Package: eucalyptus
>>> Severity: serious
>>> Tags: security
>>>
>>> CVE-2010-3905[0]:
>>> | The password reset feature in the administrator interface for
>>> | Eucalyptus 2.0.0 and 2.0.1 does not perform authentication, which
>>> | allows remote attackers to gain privileges by sending password reset
>>> | requests for other users.
>>
>> Dear Giuseppe and Eucalyptus packagers,
>>
>> Do you know if this bug also affects Eucalyptus 1.6.2? If not, we can close
>> it, since Debian does not distribute 2.0.0 or 2.0.1, and since I suppose that
>> we will jump directly to 2.0.2 or later when we upgrade the package.
>
> It also works with 1.6. I just tested it. Ouch.
>
> Many greetings
>
> Steffen
>


