Debian Security Advisory
DSA-2281-1 opie -- several vulnerabilities
- Date Reported:
- 21 Jul 2011
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 631344, Bug 631345, Bug 584932.
In Mitre's CVE dictionary: CVE-2011-2489, CVE-2011-2490, CVE-2010-1938.
- More information:
Sebastian Krahmer discovered that opie, a system that makes it simple to use One-Time passwords in applications, is prone to a privilege escalation (CVE-2011-2490) and an off-by-one error, which can lead to the execution of arbitrary code (CVE-2011-2489). Adam Zabrocki and Maksymilian Arciemowicz also discovered another off-by-one error (CVE-2010-1938), which only affects the lenny version as the fix was already included in squeeze.
For the oldstable distribution (lenny), these problems have been fixed in version 2.32-10.2+lenny2.
For the stable distribution (squeeze), these problems have been fixed in version 2.32.dfsg.1-0.2+squeeze1
The testing distribution (wheezy) and the unstable distribution (sid) do not contain opie.
We recommend that you upgrade your opie packages.