lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 31 Aug 2008 04:13:37 +0300 From: Pınar Yanardağ <pinar@...dus.org.tr> To: pardus-security@...dus.org.tr Cc: full-disclosure@...ts.grok.org.uk Subject: [PLSA 2008-33] [UPDATED] Opensc: Security Bypass ------------------------------------------------------------------------ Pardus Linux Security Advisory 2008-33 security@...dus.org.tr ------------------------------------------------------------------------ Date: 2008-08-31 Severity: 2 Type: Remote ------------------------------------------------------------------------ Summary ======= [UPDATE]: Last security update with OpenSC 0.11.5 had a small glitch due to a strict check, so this version fixes that issue. A security issue has been reported in OpenSC, which can be exploited by malicious people to bypass certain security restrictions. Description =========== The security issue is caused due to the application improperly setting the ADMIN file control information to "00" while initializing smart cards having a Siemens CardOS M4 operating system. This can be exploited to change a user PIN code without having the PIN or PUK if the smart card was initialized with OpenSC. Affected packages: Pardus 2008: opensc, all before 0.11.6-7-2 Resolution ========== There are update(s) for opensc. You can update them via Package Manager or with a single command from console: pisi up opensc References ========== * http://bugs.pardus.org.tr/show_bug.cgi?id=8066 * http://permalink.gmane.org/gmane.comp.security.oss.general/863 * http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html * http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2235 * http://secunia.com/advisories/31330 ------------------------------------------------------------------------ -- Pınar Yanardağ Pardus Security Team http://security.pardus.org.tr _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists