Fedora has issued an advisory today (January 12):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HLHAXN3XRR7RJ73SJTBSW3GZT4GLHI33/
Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Assigning to Julien as the active maintainer of 'makepasswd'.
Assignee: bugsquad => julien.moragny
Hello, so this CVE is related to the fact that makepasswd generates, in its default configuration, passwords with a length between 6 and 8 characters (48 to 64 bits). You can change the length with the -l option. The patch from Fedora raises the default to 16 characters (128 bits). I'm not opposed to this change, but do we have an official (or unofficial) policy regarding password length? I'm not a security expert, so I don't know if 16 characters is sufficient or if we want it to be longer. (FWIW, the same will need to be applied to pwgen.) What do you think? Regards, Julien
CC: (none) => julien.moragny
Status: NEW => ASSIGNED
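To put numbers on the question asked above (is a 16-character default enough?), here is an added example that is not part of this bug report or of makepasswd itself. It computes the entropy of a uniformly random password from the alphabet size and length, generates a 16-character password with Python's CSPRNG-backed `secrets` module, and estimates offline brute-force time. The character set `ALPHABET`, the 80-bit policy threshold and the 10^10 guesses/second attack rate are assumptions for the illustration, not values taken from makepasswd or from the advisory.

```python
import math
import secrets
import string

# Constructed character set for the illustration (an assumption, not
# makepasswd's actual default alphabet): letters, digits and 16 punctuation
# characters, 78 symbols in total.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()_+-=~`"

# Assumed policy threshold in bits of entropy; the value is illustrative.
MIN_BITS = 80.0


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly from alphabet_size**length
    candidates: log2(alphabet_size**length) == length * log2(alphabet_size)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and a positive length")
    return length * math.log2(alphabet_size)


def entropy_range(alphabet_size: int, min_len: int, max_len: int) -> tuple:
    """Entropy bounds for a generator that picks a length in [min_len, max_len]
    (the old makepasswd default was 6 to 8 characters)."""
    return (entropy_bits(alphabet_size, min_len),
            entropy_bits(alphabet_size, max_len))


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Build a password from a CSPRNG. secrets.choice draws each character
    uniformly, so entropy_bits(len(alphabet), length) applies to the result."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_policy(password: str, alphabet: str = ALPHABET,
                 min_bits: float = MIN_BITS) -> bool:
    """Check a password against the entropy policy. Only the length and the
    alphabet it was drawn from are used: entropy is a property of the
    generator, not of the particular string it produced."""
    if any(c not in alphabet for c in password):
        return False  # drawn from a different alphabet; the bound does not hold
    return entropy_bits(len(alphabet), len(password)) >= min_bits


def guess_time_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to find a password by brute force, i.e. to search half
    the space, at an assumed offline rate against a fast hash."""
    expected_guesses = 2.0 ** bits / 2.0
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    n = len(ALPHABET)
    low, high = entropy_range(n, 6, 8)
    print(f"alphabet size {n}: old default 6..8 chars = {low:.1f}..{high:.1f} bits")
    print(f"new default 16 chars = {entropy_bits(n, 16):.1f} bits")
    for length in (6, 8, 16):
        years = guess_time_years(entropy_bits(n, length))
        print(f"{length:2d} chars: ~{years:.3g} years at 1e10 guesses/s")
    pw = generate_password(16)
    print(f"generated: {pw}  meets policy: {meets_policy(pw)}")
```

Doubling the length doubles the entropy, so 16 characters from the same alphabet gives exactly twice the bits of 8; with a 62-symbol alphabet that is about 47.6 bits at 8 characters versus about 95.3 bits at 16, which is why the old default sits within reach of an offline attack while the new one does not.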
What Fedora did will be fine.
Thanks for the prompt answer :) I just pushed 0.5.4-3 to cauldron and 0.5.4-2.1 to updates_testing. Here is a tentative advisory:
=======================================
Updated makepasswd fixes insecure default password length

By default, makepasswd generates passwords with a length of 6 to 8 characters (48 to 64 bits). This update raises the default to 16 characters (128 bits). You can change the length at runtime with the -l option.

References:
https://bugs.mageia.org/show_bug.cgi?id=26060
https://bugzilla.redhat.com/show_bug.cgi?id=1771883
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2247

Updated packages in core/updates_testing:
makepasswd-0.5.4-2.1.mga7

Source RPM:
makepasswd-0.5.4-2.1.mga7.src.rpm
======================================
Hello QA, can you please validate this update. When run without arguments, makepasswd should give you a password with 16 characters; the previous version will give you a password of 6 to 8 characters:

BAD:
[jules@localhost makepasswd]$ makepasswd
iTBrduG@

GOOD:
[jules@localhost makepasswd]$ makepasswd
3b)pH^mIdDW@h&^7

Thanks. Julien
Assignee: julien.moragny => qa-bugs
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => tmb
MGA7-32 phys hardware, installed it.

$ makepasswd
Uy6kEY7VP!u+yoYv

$ makepasswd -n5
H!Kr2vuJgE$gyku!
H@6$Z~9Hp=G`~oq&
aC~fyg%g!5!ks8yB
vf%WsCeHAkTNa9FD
!Ti!z0S@7E0Z@Ybi

$ makepasswd -n5 -esha256
#B%YraJc*CsYRn(m $5$vltxAQTWodI.IfMK$qBGUdWUPfapJbmbJKiEM36EY0j7kBpNUAgim5ScOPV6
by4UaQ=TS**jg@X7 $5$Yo5Y5Mvhq3gyXs9Y$.YZ9eo.JmYXCENKDjtecXhIOklz3z1AJy.cCI8B7i31
03&dVSwnLqYs5=1` $5$OioHvXpZPJLm1I.B$r.CDfkL5qLPMnwD6MFClYqC.gvZbL1xDIJcE6p/QgbA
o`c9CbzOTZI=X988 $5$8xLrI0EX9P9yY708$seShGRXa31dgwP/gru54sWzNS4ErJS0vkEQFiFx1SU1
Po@u$#8Iq%jPBR_v $5$05s9twUrASdYNRU3$GONe4CNS368Lh2gVRwzY3X8OasQDF4ZATyWSTg31F4A

$ makepasswd -s abcde
z35KXeYj#Uv5RcRm

$ makepasswd -cAaBbCcDd_
ABABB_bAacDAbaB_

Working as designed.
CC: (none) => brtians1
Whiteboard: (none) => MGA7-32-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0038.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED