Date: Mon, 10 Mar 2014 00:58:51 +0000
From: "Fredrik Pettai"
Subject: CVS commit: pkgsrc/security/oath-toolkit
To: pkgsrc-changes@NetBSD.org
Reply-To: pettai@netbsd.org
X-Mailer: log_accum
Message-Id: <20140310005851.E790696@cvs.netbsd.org>
Sender: pkgsrc-changes-owner@NetBSD.org
List-Id: pkgsrc-changes.NetBSD.org
Precedence: bulk

Module Name:    pkgsrc
Committed By:   pettai
Date:           Mon Mar 10 00:58:51 UTC 2014

Modified Files:
        pkgsrc/security/oath-toolkit: Makefile distinfo

Log Message:
Version 2.4.1 (released 2014-02-12)

* liboath: Fix usersfile bug that caused it to update the wrong line.
  When a usersfile contains multiple lines for the same user but with an
  unparseable token type (e.g., HOTP vs TOTP), the code would update the
  wrong line of the file. Since the then updated line could be a commented
  out line, this can lead to the same OTP being accepted multiple times
  which is a security vulnerability. CVE-2013-7322

CVs:
----------------------------------------------------------------------

To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 pkgsrc/security/oath-toolkit/Makefile
cvs rdiff -u -r1.9 -r1.10 pkgsrc/security/oath-toolkit/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
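
The usersfile bug in the log message above can be reproduced with a small model. This is an added example, not liboath or pkgsrc code: the "type user pin key counter" line layout is a simplified assumption, and the names `store_counter`, `validate` and `replay_outcome` are hypothetical.

```python
import hashlib
import hmac
import struct

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP value for one counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def is_active(f, user):
    # The line the validator uses: parseable token type and matching user.
    return len(f) >= 4 and f[0] == "HOTP" and f[1] == user

def store_counter(lines, user, counter, strict):
    # strict=False models the flaw described above: the update matches on the
    # user field alone, so an earlier line with an unparseable type (here a
    # commented-out one) absorbs the new state instead of the live line.
    for i, line in enumerate(lines):
        f = line.split()
        hit = is_active(f, user) if strict else (len(f) >= 4 and f[1] == user)
        if hit:
            lines[i] = " ".join(f[:4] + [str(counter)])
            return

def validate(lines, user, otp, strict, window=5):
    """Accept otp if it matches a counter at or after the stored one."""
    for line in lines:
        f = line.split()
        if not is_active(f, user):
            continue
        start = int(f[4]) if len(f) > 4 else 0
        for c in range(start, start + window):
            if hmac.compare_digest(hotp(bytes.fromhex(f[3]), c), otp):
                store_counter(lines, user, c + 1, strict)  # burn the counter
                return True
        return False
    return False

def replay_outcome(strict):
    # Constructed usersfile: a commented-out entry precedes the live one.
    key = "3132333435363738393031323334353637383930"  # RFC 4226 test key
    lines = ["#HOTP alice - " + key, "HOTP alice - " + key]
    otp = hotp(bytes.fromhex(key), 0)
    first = validate(lines, "alice", otp, strict)
    second = validate(lines, "alice", otp, strict)  # same OTP replayed
    return first, second, lines
```

With `strict=False` the counter lands on the commented-out line and the replayed OTP is accepted; with `strict=True` the live line is updated and the replay is rejected.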