Source: web2py Version: 2.12.3-1 Severity: grave Tags: security upstream Hi,
the following vulnerabilities were published for web2py. CVE-2016-3952[0]: | web2py before 2.14.1, when using the standalone version, allows remote | attackers to obtain environment variable values via a direct request | to examples/template_examples/beautify. NOTE: this issue can be | leveraged by remote attackers to gain administrative access. CVE-2016-3953[1]: | The sample web application in web2py before 2.14.2 might allow remote | attackers to execute arbitrary code via vectors involving use of a | hardcoded encryption key when calling the session.connect function. CVE-2016-3954[2]: | web2py before 2.14.2 allows remote attackers to obtain the | session_cookie_key value via a direct request to | examples/simple_examples/status. NOTE: this issue can be leveraged by | remote attackers to execute arbitrary code using CVE-2016-3957. CVE-2016-3957[3]: | The secure_load function in gluon/utils.py in web2py before 2.14.2 | uses pickle.loads to deserialize session information stored in | cookies, which might allow remote attackers to execute arbitrary code | by leveraging knowledge of encryption_key. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2016-3952 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3952 [1] https://security-tracker.debian.org/tracker/CVE-2016-3953 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3953 [2] https://security-tracker.debian.org/tracker/CVE-2016-3954 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3954 [3] https://security-tracker.debian.org/tracker/CVE-2016-3957 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3957 Please adjust the affected versions in the BTS as needed. Regards, Salvatore _______________________________________________ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team