Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

web2py: CVE-2016-4806 CVE-2016-4807 CVE-2016-4808

Related Vulnerabilities: CVE-2016-4806   CVE-2016-4807   CVE-2016-4808  

Source

Debian Bug report logs - #856127
web2py: CVE-2016-4806 CVE-2016-4807 CVE-2016-4808

version graph

Package: web2py; Maintainer for web2py is José L. Redrejo Rodríguez <jredrejo@debian.org>;

Reported by: Thorsten Alteholz <debian@alteholz.de>

Date: Sat, 25 Feb 2017 12:57:02 UTC

Severity: important

Tags: security, upstream

Fixed in version 2.12.3-1+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, José L. Redrejo Rodríguez <jredrejo@debian.org>:
Bug#856127; Package web2py. (Sat, 25 Feb 2017 12:57:04 GMT) (full text, mbox, link).

Acknowledgement sent to Thorsten Alteholz <debian@alteholz.de>:
New Bug report received and forwarded. Copy sent to José L. Redrejo Rodríguez <jredrejo@debian.org>. (Sat, 25 Feb 2017 12:57:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Thorsten Alteholz <debian@alteholz.de>
To: submit@bugs.debian.org
Subject: web2py: CVE-2016-4806 CVE-2016-4807 CVE-2016-4808
Date: Sat, 25 Feb 2017 13:53:01 +0100 (CET)
Package: web2py
Severity: important
Tags: security

Hi,

the following vulnerabilities were published for web2py.

CVE-2016-4806[0]:
| Web2py versions 2.14.5 and below was affected by Local File Inclusion
| vulnerability, which allows a malicious intended user to read/access
| web server sensitive files.

CVE-2016-4807[1]:
| Web2py versions 2.14.5 and below was affected by Reflected XSS
| vulnerability, which allows an attacker to perform an XSS attack on
| logged in user (admin).

CVE-2016-4808[2]:
| Web2py versions 2.14.5 and below was affected by CSRF (Cross Site
| Request Forgery) vulnerability, which allows an attacker to trick a
| logged in user to perform some unwanted actions i.e An attacker can
| trick an victim to disable the installed application just by sending a
| URL to victim.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-4806
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4806
[1] https://security-tracker.debian.org/tracker/CVE-2016-4807
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4807
[2] https://security-tracker.debian.org/tracker/CVE-2016-4808
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4808
Please adjust the affected versions in the BTS as needed.

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 25 Feb 2017 15:27:09 GMT) (full text, mbox, link).

Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Wed, 21 Mar 2018 17:24:25 GMT) (full text, mbox, link).

Notification sent to Thorsten Alteholz <debian@alteholz.de>:
Bug acknowledged by developer. (Wed, 21 Mar 2018 17:24:25 GMT) (full text, mbox, link).

Message #12 received at 856127-done@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 842303-done@bugs.debian.org,847578-done@bugs.debian.org,856127-done@bugs.debian.org,860038-done@bugs.debian.org,891220-done@bugs.debian.org,
Cc: web2py@packages.debian.org
Subject: Bug#892866: Removed package(s) from unstable
Date: Wed, 21 Mar 2018 17:21:03 +0000
Version: 2.12.3-1+rm

Dear submitter,

as the package web2py has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/892866

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 19 Apr 2018 07:28:19 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:42:55 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started