| Summary: | makepasswd new security issue CVE-2010-2247 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | brtians1, julien.moragny, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-32-OK | ||
| Source RPM: | makepasswd-0.5.4-2.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser
2020-01-12 18:02:35 CET

David Walser
2020-01-12 18:02:53 CET
Whiteboard: (none) => MGA7TOO

Assigning to Julien as the active maintainer of 'makepasswd'.

Assignee: bugsquad => julien.moragny

Hello, so this CVE is related to the fact that makepasswd generates, in its default configuration, passwords with a length between 6 and 8 characters (48 to 64 bits). You can change the length with the -l option. The patch from Fedora raises the default to 16 characters (128 bits). I'm not opposed to this change, but do we have an official (or unofficial) policy regarding the length of passwords? I'm not a security expert, so I don't know if 16 characters is sufficient or if we want it to be longer. (FWIW, the same will need to be applied to pwgen.) What do you think?

Regards,
Julien

CC: (none) => julien.moragny

What Fedora did will be fine.

Thanks for the prompt answer :) I just pushed 0.5.4-3 to cauldron and 0.5.4-2.1 to updates_testing. Here is a tentative advisory:

=======================================
Updated makepasswd fixes the insecure default password length

By default, makepasswd generates passwords with a length between 6 and 8 characters (48 to 64 bits). This update raises the default to 16 characters (128 bits). You can change the length at runtime with the -l option.

References:
https://bugs.mageia.org/show_bug.cgi?id=26060
https://bugzilla.redhat.com/show_bug.cgi?id=1771883
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2247

Updated packages in core/updates_testing:
makepasswd-0.5.4-2.1.mga7

Source RPM:
makepasswd-0.5.4-2.1.mga7.src.rpm
======================================

Hello QA, can you please validate this update. When run without arguments, makepasswd should give you a password with 16 characters; the previous version will give you a password of 6 to 8 characters:

BAD:
```
[jules@localhost makepasswd]$ makepasswd
iTBrduG@
```

GOOD:
```
[jules@localhost makepasswd]$ makepasswd
3b)pH^mIdDW@h&^7
```

Thanks.
Julien

Assignee: julien.moragny => qa-bugs
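The advisory's bit figures count 8 bits per character (8 characters → 64 bits). As an added example that is not part of the bug report or of makepasswd, this Python check infers the character pool actually used by a generated password, estimates its strength as length × log2(pool), and applies the 16-character floor the update introduces; the 32-character ASCII punctuation pool is an assumption, since the page does not state makepasswd's default symbol set.

```python
import math
import string

# Sample outputs quoted in the bug report: the pre-update default ("BAD")
# and the 16-character default after the update ("GOOD").
BAD_SAMPLE = "iTBrduG@"
GOOD_SAMPLE = "3b)pH^mIdDW@h&^7"

# Assumed character pools. The page does not state makepasswd's default
# symbol set, so the 32 ASCII punctuation characters are assumed here.
POOLS = {
    "lower": frozenset(string.ascii_lowercase),   # 26
    "upper": frozenset(string.ascii_uppercase),   # 26
    "digit": frozenset(string.digits),            # 10
    "symbol": frozenset(string.punctuation),      # 32
}


def pool_size(password: str) -> int:
    """Size of the union of character classes that appear in the password."""
    return sum(len(chars) for chars in POOLS.values()
               if any(c in chars for c in password))


def strength_bits(password: str) -> float:
    """Estimated search space in bits: length * log2(pool size).

    Assumes each position was drawn uniformly from the inferred pool. The
    generator's real pool may be larger (more entropy than estimated) or
    its draws non-uniform (less), so treat the value as an estimate.
    """
    return len(password) * math.log2(pool_size(password))


def meets_policy(password: str, min_len: int = 16) -> bool:
    """The length floor the update introduces (16 characters by default)."""
    return len(password) >= min_len


def length_for_bits(pool: int, bits: float) -> int:
    """Shortest length that reaches `bits` when drawing from `pool` symbols."""
    return math.ceil(bits / math.log2(pool))


if __name__ == "__main__":
    for label, pw in (("BAD", BAD_SAMPLE), ("GOOD", GOOD_SAMPLE)):
        print(f"{label}: len={len(pw)} pool={pool_size(pw)} "
              f"bits={strength_bits(pw):.1f} ok={meets_policy(pw)}")
    # 8 bits per character needs a 256-symbol pool; from 94 printable
    # ASCII characters, 128 bits needs 20 characters.
    print("chars for 128 bits from 94 symbols:", length_for_bits(94, 128))
```

Run on the two samples quoted above, it reports about 51 bits for the 8-character password and about 105 bits for the 16-character one, so 128 bits from a 94-symbol printable pool needs 20 characters.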
Thomas Backlund
2020-01-12 22:44:50 CET
Whiteboard: MGA7TOO => (none)

MGA7-32 phys hardware, installed it

```
$ makepasswd
Uy6kEY7VP!u+yoYv
$ makepasswd -n5
H!Kr2vuJgE$gyku!
H@6$Z~9Hp=G`~oq&
aC~fyg%g!5!ks8yB
vf%WsCeHAkTNa9FD
!Ti!z0S@7E0Z@Ybi
$ makepasswd -n5 -esha256
#B%YraJc*CsYRn(m $5$vltxAQTWodI.IfMK$qBGUdWUPfapJbmbJKiEM36EY0j7kBpNUAgim5ScOPV6
by4UaQ=TS**jg@X7 $5$Yo5Y5Mvhq3gyXs9Y$.YZ9eo.JmYXCENKDjtecXhIOklz3z1AJy.cCI8B7i31
03&dVSwnLqYs5=1` $5$OioHvXpZPJLm1I.B$r.CDfkL5qLPMnwD6MFClYqC.gvZbL1xDIJcE6p/QgbA
o`c9CbzOTZI=X988 $5$8xLrI0EX9P9yY708$seShGRXa31dgwP/gru54sWzNS4ErJS0vkEQFiFx1SU1
Po@u$#8Iq%jPBR_v $5$05s9twUrASdYNRU3$GONe4CNS368Lh2gVRwzY3X8OasQDF4ZATyWSTg31F4A
$ makepasswd -s abcde
z35KXeYj#Uv5RcRm
$ makepasswd -cAaBbCcDd_
ABABB_bAacDAbaB_
```

Working as designed

CC: (none) => brtians1
Thomas Backlund
2020-01-13 17:08:25 CET
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0038.html

Status: ASSIGNED => RESOLVED