Debian Security Advisory

DSA-2281-1 opie -- several vulnerabilities

Date Reported:
21 Jul 2011
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 631344, Bug 631345, Bug 584932.
In Mitre's CVE dictionary: CVE-2011-2489, CVE-2011-2490, CVE-2010-1938.
More information:

Sebastian Krahmer discovered that opie, a system that makes it simple to use One-Time passwords in applications, is prone to a privilege escalation (CVE-2011-2490) and an off-by-one error, which can lead to the execution of arbitrary code (CVE-2011-2489). Adam Zabrocki and Maksymilian Arciemowicz also discovered another off-by-one error (CVE-2010-1938), which only affects the lenny version as the fix was already included in squeeze.

For the oldstable distribution (lenny), these problems have been fixed in version 2.32-10.2+lenny2.

For the stable distribution (squeeze), these problems have been fixed in version 2.32.dfsg.1-0.2+squeeze1

The testing distribution (wheezy) and the unstable distribution (sid) do not contain opie.

We recommend that you upgrade your opie packages.