oss-sec mailing list archives

Re: Re: Yubiserver package ships with pre-filled identities


From: Nanakos Chrysostomos <nanakos () wired-net gr>
Date: Tue, 31 Jan 2012 08:32:42 +0200


On 31 Jan 2012, at 4:22, Kurt Seifried <kseifried () redhat com> wrote:

On 01/30/2012 03:14 PM, Nanakos Chrysostomos wrote:

Is this account documented/the impact documented?


What do you mean?

Is this issue clearly documented, e.g. do the docs say "WARNING: A
DEFAULT ACCOUNT IS ENABLED. THIS IS NOT SAFE. IT MUST BE REMOVED PRIOR
TO PRODUCTION USE" and so on.


No, it's not. In the meantime I have fixed both upstream versions provided through my site and a new package version has been sponsored in Debian that eliminates the problem. Is there anything else that has to be done?

Thanks,
Chris.


Steve: thoughts/comments?

--
Kurt Seifried Red Hat Security Response Team (SRT)

