On Mon, Oct 31, 2011 at 10:28:36AM -0600, Gunnar Wolf wrote:
> Package: cherokee
> Version: 1.2.100-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> CVE issue CVE-2011-2190 points out that the temporary admin password
> generation function is seeded by the time and PID, which allows an
> attacker to brute-force it. Yes, in production systems cherokee-admin
> should be quite short-lived, but administrators can leave it running
> for long periods, opening a window to this attack. 
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2190
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2190
> 
> An example attack has been posted to the RedHat bugzilla:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2190
> 
> This bug has been filed in the upstream bugtracker:
> 
> http://code.google.com/p/cherokee/issues/detail?id=1295

Hi Gunnar,
this doesn't warrant a DSA, but it would be appreciated if you
fix this through a point update:
http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Cheers,
        Moritz
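The weak-seeding pattern described in the report above, beside the usual fix, as an added illustration that is not code from cherokee, from the Debian maintainers, or from either correspondent. The password length, alphabet, the `time ^ pid` seed combination and the PID range are assumptions, not taken from the advisory; the point is that a PRNG seeded from time and PID yields a secret whose strength is bounded by the size of the seed space (and so by how long cherokee-admin is left running), while drawing every character from the OS CSPRNG is not.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 16          # assumed length, not from the advisory
PID_MAX = 32768            # assumed classic Linux pid_max, as an upper bound


def weak_password(seed_time, pid, length=PASSWORD_LEN):
    """The vulnerable pattern: a PRNG seeded only from wall-clock time and PID.

    Constructed stand-in for srand(time ^ getpid()): the same (time, pid)
    always produces the same password, so the secret carries the entropy of
    the seed, not of its characters.
    """
    rng = random.Random(seed_time ^ pid)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length=PASSWORD_LEN):
    """Hardened version: every character comes from the OS CSPRNG.

    Nothing an observer can learn about the clock or process id narrows
    the space the password was drawn from.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_reproducible(generator, *args, trials=3):
    """True if repeated calls with the same inputs return the same password."""
    first = generator(*args)
    return all(generator(*args) == first for _ in range(trials))


def seed_space_bits(window_seconds, pid_max=PID_MAX):
    """Upper bound, in bits, on the secret a time+PID seed can carry when the
    admin interface has been running for window_seconds.  Growing the window
    grows this number only logarithmically, which is why even a long-lived
    cherokee-admin stays far below the strength of a real random password."""
    return math.log2(window_seconds * pid_max)


def password_bits(length=PASSWORD_LEN, alphabet=ALPHABET):
    """Entropy of a password whose every character is drawn uniformly."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    # Constructed sample seed: an epoch second from October 2011 and a PID.
    print("weak, reproducible:", is_reproducible(weak_password, 1320000000, 1234))
    print("strong, reproducible:", is_reproducible(strong_password))
    print("seed bits after one day:", round(seed_space_bits(86400), 1))
    print("bits of a 16-char CSPRNG password:", round(password_bits(), 1))
```

`seed_space_bits` is the number to compare against the report's "short-lived" argument: a day-long window gives a seed space of about 2^31, against roughly 95 bits for a 16-character password drawn with `secrets`. The fix is therefore not a shorter window but a different source of randomness.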


