web2py: CVE-2016-3952 CVE-2016-3953 CVE-2016-3954 CVE-2016-3957

Debian Bug report logs - #891220
web2py: CVE-2016-3952 CVE-2016-3953 CVE-2016-3954 CVE-2016-3957

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: web2py: CVE-2016-3952 CVE-2016-3953 CVE-2016-3954 CVE-2016-3957

Date: Fri, 23 Feb 2018 15:08:03 +0100

Source: web2py
Version: 2.12.3-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerabilities were published for web2py.

CVE-2016-3952[0]:
| web2py before 2.14.1, when using the standalone version, allows remote
| attackers to obtain environment variable values via a direct request
| to examples/template_examples/beautify.  NOTE: this issue can be
| leveraged by remote attackers to gain administrative access.

CVE-2016-3953[1]:
| The sample web application in web2py before 2.14.2 might allow remote
| attackers to execute arbitrary code via vectors involving use of a
| hardcoded encryption key when calling the session.connect function.

CVE-2016-3954[2]:
| web2py before 2.14.2 allows remote attackers to obtain the
| session_cookie_key value via a direct request to
| examples/simple_examples/status.  NOTE: this issue can be leveraged by
| remote attackers to execute arbitrary code using CVE-2016-3957.

CVE-2016-3957[3]:
| The secure_load function in gluon/utils.py in web2py before 2.14.2
| uses pickle.loads to deserialize session information stored in
| cookies, which might allow remote attackers to execute arbitrary code
| by leveraging knowledge of encryption_key.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-3952
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3952
[1] https://security-tracker.debian.org/tracker/CVE-2016-3953
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3953
[2] https://security-tracker.debian.org/tracker/CVE-2016-3954
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3954
[3] https://security-tracker.debian.org/tracker/CVE-2016-3957
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3957

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #12 received at 891220-done@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 842303-done@bugs.debian.org,847578-done@bugs.debian.org,856127-done@bugs.debian.org,860038-done@bugs.debian.org,891220-done@bugs.debian.org,

Cc: web2py@packages.debian.org

Subject: Bug#892866: Removed package(s) from unstable

Date: Wed, 21 Mar 2018 17:21:03 +0000

Version: 2.12.3-1+rm

Dear submitter,

as the package web2py has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/892866

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

Send a report that this bug log contains spam.