ntopng: CVE-2015-8368

Debian Bug report logs - #816190


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 28 Feb 2016 15:21:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions ntopng/2.0+dfsg1-1, ntopng/1.2.1+dfsg1-1.1

Fixed in version ntopng/2.2+dfsg1-1

Done: Ludovico Cavedon <cavedon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ludovico Cavedon <cavedon@debian.org>:
Bug#816190; Package src:ntopng. (Sun, 28 Feb 2016 15:21:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ludovico Cavedon <cavedon@debian.org>. (Sun, 28 Feb 2016 15:21:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ntopng: CVE-2015-8368
Date: Sun, 28 Feb 2016 16:17:59 +0100
Source: ntopng
Version: 2.0+dfsg1-1
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for ntopng.

CVE-2015-8368[0]:
| ntopng (aka ntop) before 2.2 allows remote authenticated users to
| change the login context and gain privileges via the user cookie and
| username parameter to admin/password_reset.lua.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8368
[1] https://www.exploit-db.com/exploits/38836/
[2] https://github.com/ntop/ntopng/commit/2e0620be3410f5e22c9aa47e261bc5a12be692c6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
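
The CVE text quoted above describes a password-reset handler that takes the acting identity from a client-controlled `user` cookie and the target account from a `username` parameter, so an ordinary authenticated user can name another account and change its password. The block below is an added example, not ntopng's code and not the upstream fix linked at [2]; it models that class of flaw in Python next to a hardened handler that derives identity from a server-side session, requires the old password for self-service changes, and restricts cross-account resets to administrators. Every name in it (`USERS`, `SESSIONS`, `login`, `vulnerable_password_reset`, `hardened_password_reset`, `demo`) and the two sample accounts are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample user store (hypothetical, not ntopng's). Passwords are PBKDF2-hashed.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}

USERS = {}          # username -> {"salt", "hash", "role"}
SESSIONS = {}       # hypothetical server-side session table: opaque session id -> username

def reset_store() -> None:
    """(Re)create the two constructed accounts so demo() starts from a known state."""
    USERS.clear()
    SESSIONS.clear()
    USERS["admin"] = _make_user("admin-initial-pw", "administrator")
    USERS["alice"] = _make_user("alice-initial-pw", "unprivileged")

def verify_password(username: str, password: str) -> bool:
    u = USERS.get(username)
    if u is None:
        return False
    return hmac.compare_digest(u["hash"], _hash_password(password, u["salt"]))

def login(username: str, password: str) -> Optional[str]:
    """Return an opaque session id; the server, not the client, remembers whose it is."""
    if not verify_password(username, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

def vulnerable_password_reset(cookies: dict, params: dict) -> Tuple[int, str]:
    """Flawed pattern: only checks that *some* 'user' cookie is present, then lets the
    'username' parameter choose which account to overwrite. Any logged-in user can
    pass username=admin and take over the administrator account."""
    if "user" not in cookies:
        return 403, "not logged in"
    target = params.get("username", cookies["user"])
    u = USERS.get(target)
    if u is None:
        return 404, "no such user"
    u["hash"] = _hash_password(params["new_password"], u["salt"])
    return 200, f"password for {target} changed"

def hardened_password_reset(cookies: dict, params: dict) -> Tuple[int, str]:
    """Hardened pattern: identity comes from the server-side session; a user may change
    only their own password and must prove the old one; only an administrator may
    reset another account. The client-supplied 'user' cookie is never consulted."""
    actor = SESSIONS.get(cookies.get("session", ""))
    if actor is None:
        return 403, "not logged in"
    target = params.get("username", actor)
    if target not in USERS:
        return 404, "no such user"
    if target != actor:
        if USERS[actor]["role"] != "administrator":
            return 403, "only administrators may reset other accounts"
    elif not verify_password(actor, params.get("old_password", "")):
        return 403, "old password incorrect"
    u = USERS[target]
    u["salt"] = secrets.token_bytes(16)            # re-salt on every change
    u["hash"] = _hash_password(params["new_password"], u["salt"])
    return 200, f"password for {target} changed"

def demo() -> dict:
    """Drive both handlers as the unprivileged user 'alice' trying to take over 'admin'."""
    reset_store()
    sid = login("alice", "alice-initial-pw")
    results = {}
    # 1. Vulnerable handler: alice's own cookie plus username=admin is enough.
    status, _ = vulnerable_password_reset({"user": "alice"},
                                          {"username": "admin", "new_password": "owned"})
    results["vuln_status"] = status
    results["vuln_admin_pw_is_owned"] = verify_password("admin", "owned")
    USERS["admin"] = _make_user("admin-initial-pw", "administrator")   # restore for step 2
    # 2. Hardened handler: forged 'user' cookie is ignored; the session says 'alice'.
    status, _ = hardened_password_reset({"session": sid, "user": "admin"},
                                        {"username": "admin", "new_password": "owned"})
    results["hard_status"] = status
    results["hard_admin_pw_is_owned"] = verify_password("admin", "owned")
    # 3. Hardened handler still lets alice change her own password with proof of the old one.
    status, _ = hardened_password_reset({"session": sid},
                                        {"old_password": "alice-initial-pw", "new_password": "alice-new"})
    results["self_status"] = status
    results["alice_pw_is_new"] = verify_password("alice", "alice-new")
    return results

if __name__ == "__main__":
    print(demo())
```

The check that matters is in the first lines of `hardened_password_reset`: the acting user is looked up from a server-held session table keyed by an opaque id, so nothing the client sends can change who the server believes is acting, and the `username` parameter is treated as a request that is then authorized against that identity rather than trusted.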



Marked as found in versions ntopng/1.2.1+dfsg1-1.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 28 Feb 2016 15:24:06 GMT)


Reply sent to Ludovico Cavedon <cavedon@debian.org>:
You have taken responsibility. (Sun, 13 Mar 2016 03:51:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 13 Mar 2016 03:51:08 GMT)


Message #12 received at 816190-close@bugs.debian.org:

From: Ludovico Cavedon <cavedon@debian.org>
To: 816190-close@bugs.debian.org
Subject: Bug#816190: fixed in ntopng 2.2+dfsg1-1
Date: Sun, 13 Mar 2016 03:50:18 +0000
Source: ntopng
Source-Version: 2.2+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
ntopng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 816190@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovico Cavedon <cavedon@debian.org> (supplier of updated ntopng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Mar 2016 18:50:05 -0800
Source: ntopng
Binary: ntopng ntopng-dbg ntopng-data
Architecture: source all amd64
Version: 2.2+dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Ludovico Cavedon <cavedon@debian.org>
Changed-By: Ludovico Cavedon <cavedon@debian.org>
Description:
 ntopng     - High-Speed Web-based Traffic Analysis and Flow Collection Tool
 ntopng-data - High-Speed Web-based Traffic Analysis and Flow Collection Tool (d
 ntopng-dbg - High-Speed Web-based Traffic Analysis and Flow Collection Tool (d
Closes: 816190
Changes:
 ntopng (2.2+dfsg1-1) unstable; urgency=high
 .
   * Imported Upstream version 2.2+dfsg1, including fix for CVE-2015-8368
     (Closes: #816190).
   * get-orig-source: do not fail if EWAHBoolArray is missing.
   * Refresh patches.
   * Add Build-Depends on libmysqlclient-dev.
   * Add Build-Depends on libndpi >= 1.7.1~.
   * Update copyright.
   * Add no-detectxsslib.patch to prevent use of non-GPL-compatible detectxsslib.
   * Add lintian-override for some missing-source false positives.
   * Remove unused handlebars-1.0.0.0.beta.6.js without source from orig tarball.
   * Use https for Vcs links.
   * Update copyright.
Checksums-Sha1:
 ed0b88e774c9341843ef164dbccf20eb6eb2e533 2233 ntopng_2.2+dfsg1-1.dsc
 d4a5f445b77cb1f7ec7b37f02b48d12469a82841 6427958 ntopng_2.2+dfsg1.orig.tar.gz
 dd8b53798d819cea797fdf68916f3448a1340dbf 25612 ntopng_2.2+dfsg1-1.debian.tar.xz
 e20505288e6ed5fc3109e7aeb147aee649805b40 1213508 ntopng-data_2.2+dfsg1-1_all.deb
 7a1b51b5fa51e6ed5fb27577470b0ff0f989fe1f 1375320 ntopng-dbg_2.2+dfsg1-1_amd64.deb
 7905d2222d8a18f7af844212f184113dc48ad1bb 205730 ntopng_2.2+dfsg1-1_amd64.deb
Checksums-Sha256:
 9a7ce946501da6fb2394014970a81f942d91d2f4c1b82b176c9fff601660ea97 2233 ntopng_2.2+dfsg1-1.dsc
 99db084f289a4d9fdafdb4afe3e64039d129b95023bf385c7fac6892ed100440 6427958 ntopng_2.2+dfsg1.orig.tar.gz
 03561f938daae933637e331edf47c2a305bd02e64c713b51508723d38dd97c4e 25612 ntopng_2.2+dfsg1-1.debian.tar.xz
 97d69cb0ca18441e505f383f0845a3ff8fa6c7ab5bdd19a6f50769ee6e624205 1213508 ntopng-data_2.2+dfsg1-1_all.deb
 522c274bcd45def517fc397ba116cf66cbfc36f4cbb2261caf4a4299eecd71e5 1375320 ntopng-dbg_2.2+dfsg1-1_amd64.deb
 f2a09528c39f908e280856644f91be26ee4cc2578f55ae3baefc62964339c19b 205730 ntopng_2.2+dfsg1-1_amd64.deb
Files:
 0699410fbfb0d4e62f00d380cb7d561b 2233 net extra ntopng_2.2+dfsg1-1.dsc
 33e60bb0ecfce2e9d4dacbe2e1eb4d6c 6427958 net extra ntopng_2.2+dfsg1.orig.tar.gz
 55ef0c7f89516e4b081d0b809f768ae7 25612 net extra ntopng_2.2+dfsg1-1.debian.tar.xz
 9bb7829a78031046562879b1122e1992 1213508 net extra ntopng-data_2.2+dfsg1-1_all.deb
 f6dbdb4fb80398732b0c47f2936947cd 1375320 debug extra ntopng-dbg_2.2+dfsg1-1_amd64.deb
 31db0bc513d0bfd71a83b10049d5c14a 205730 net extra ntopng_2.2+dfsg1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 11:31:34 GMT)


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:46:31 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:54:55 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:04:26 2019; Machine Name: beach
