Package: plinth
Version: 0.15.1+ds-1
Severity: grave
Tags: security upstream
Justification: user security hole

Due to issues (now fixed) in libapache2-mod-auth-pubtkt, plinth v0.15.1 has insecure settings for key generation and signing. This may allow someone to impersonate a plinth user and gain access to apps that support SSO.

This issue is fixed upstream, but not released yet:
https://github.com/freedombox/Plinth/commit/f9166f8e985401e598de39bd72f0304c799bc0f0#diff-c3fddc6d3c8965915ad635b6b3de49f4

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.12.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages plinth depends on:
ii  adduser                    3.116
ii  augeas-tools               1.8.1-2
ii  avahi-daemon               0.7-3
ii  batctl                     2017.2-2
ii  firewalld                  0.4.4.5-2
ii  gettext                    0.19.8.1-4
ii  gir1.2-glib-2.0            1.54.0-2
ii  gir1.2-networkmanager-1.0  1.8.4-1
ii  init-system-helpers        1.49
ii  javascript-common          11
ii  ldap-utils                 2.4.45+dfsg-1
ii  ldapscripts                2.0.8-1
ii  libapache2-mod-auth-pubtkt 0.11-1
ii  libjs-bootstrap            3.3.7+dfsg-2
ii  libjs-jquery               3.2.1-1
ii  libjs-modernizr            2.6.2+ds1-1
ii  libnss-ldapd               0.9.8-1
ii  libpam-ldapd               0.9.8-1
ii  network-manager            1.8.4-1
ii  nslcd                      0.9.8-1
ii  ntp                        1:4.2.8p10+dfsg-5
ii  openssl                    1.1.0f-5
ii  ppp                        2.4.7-1+4
ii  pppoe                      3.12-1.1
ii  python3                    3.5.3-3
ii  python3-apt                1.4.0~beta3+b1
ii  python3-augeas             0.5.0-1
ii  python3-bootstrapform      3.2.1-3
ii  python3-cherrypy3          3.5.0-2
ii  python3-django             1:1.11.5-1
ii  python3-django-stronghold  0.2.7+debian-3
ii  python3-gi                 3.24.1-3
ii  python3-openssl            16.2.0-1
ii  python3-psutil             5.0.1-1+b1
ii  python3-requests           2.18.1-1
ii  python3-ruamel.yaml        0.13.4-2+b1
ii  slapd                      2.4.45+dfsg-1
ii  sudo                       1.8.21p2-1
ii  unattended-upgrades        0.97

plinth recommends no packages.

plinth suggests no packages.

-- Configuration Files:
/etc/sudoers.d/plinth [Errno 13] Permission denied: '/etc/sudoers.d/plinth'

-- no debconf information