Debian Bug report logs - #956650: awl: CVE-2020-11728 CVE-2020-11729
Reported by: Florian Schlichting <fsfs@debian.org>
Date: Mon, 13 Apr 2020 21:51:02 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Found in version awl/0.60-1
Fixed in version awl/0.61-1
Done: Florian Schlichting <fsfs@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, Davical Development Team <davical-devel@lists.sourceforge.net>: Bug#956650; Package src:awl. (Mon, 13 Apr 2020 21:51:04 GMT)
Acknowledgement sent to Florian Schlichting <fsfs@debian.org>: New Bug report received and forwarded. Copy sent to Davical Development Team <davical-devel@lists.sourceforge.net>. (Mon, 13 Apr 2020 21:51:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: awl
Version: 0.60-1
Severity: important
Tags: security upstream
Two security vulnerabilities were found in the awl package:
CVE-2020-11728
Session::__construct() allows use of the current time as a session key
https://gitlab.com/davical-project/awl/-/issues/19
CVE-2020-11729
LSIDLogin() is insecure and can allow user impersonation
https://gitlab.com/davical-project/awl/-/issues/18
All supported Debian releases are affected.
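The first CVE in the report names a weakness class worth seeing side by side with its remedy: a session key derived from the current clock versus one drawn from a cryptographically secure random source. The PHP below is an added illustration and is not awl's code; the function names and the time-window check are hypothetical, and only the weakness category (a session key derived from the current time, as CVE-2020-11728 describes) comes from the report.

```php
<?php
// Added illustration, not code from the awl project. The function names and
// the detection heuristic below are hypothetical; only the weakness category
// (a session key derived from the current time, CVE-2020-11728) is from the
// bug report above.

// Weak pattern: a key derived from the clock carries only a few bits of
// entropy and is predictable by anyone who knows roughly when the session
// was created. Hashing the timestamp does not add entropy.
function weak_session_key(): string
{
    return md5((string) time());
}

// Hardened pattern: 32 bytes from the CSPRNG give a 256-bit key with no
// relation to the clock or to any other observable value.
function strong_session_key(): string
{
    return bin2hex(random_bytes(32));
}

// Review/test heuristic: flag a key that equals or embeds a digest of any
// timestamp within a small window around the creation time. A clock-derived
// key is caught; a CSPRNG key is not.
function key_is_time_derived(string $key, int $window = 5): bool
{
    $now = time();
    for ($t = $now - $window; $t <= $now + $window; $t++) {
        $stamp = (string) $t;
        foreach ([$stamp, md5($stamp), sha1($stamp)] as $candidate) {
            if (strpos($key, $candidate) !== false) {
                return true;
            }
        }
    }
    return false;
}

// Collision check over repeated calls: a CSPRNG key generator must not
// produce duplicates within one second, which a time-derived one will.
function keys_repeat(callable $generator, int $count = 10): bool
{
    $seen = [];
    for ($i = 0; $i < $count; $i++) {
        $k = $generator();
        if (isset($seen[$k])) {
            return true;
        }
        $seen[$k] = true;
    }
    return false;
}

var_dump(key_is_time_derived(weak_session_key()));
var_dump(key_is_time_derived(strong_session_key()));
var_dump(keys_repeat('weak_session_key'));
var_dump(keys_repeat('strong_session_key'));
```

The time-window check is a coarse heuristic for code review and regression tests, not a proof of randomness; the structural fix is to source every session identifier from `random_bytes()` (or `session_create_id()` when PHP's own session handling is in use) and never from wall-clock time, process ids, or other values an outsider can estimate.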
Reply sent to Florian Schlichting <fsfs@debian.org>: You have taken responsibility. (Mon, 13 Apr 2020 22:21:18 GMT)
Notification sent to Florian Schlichting <fsfs@debian.org>: Bug acknowledged by developer. (Mon, 13 Apr 2020 22:21:18 GMT)
Message #10 received at 956650-close@bugs.debian.org:
Source: awl
Source-Version: 0.61-1
Done: Florian Schlichting <fsfs@debian.org>
We believe that the bug you reported is fixed in the latest version of
awl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 956650@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Florian Schlichting <fsfs@debian.org> (supplier of updated awl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 13 Apr 2020 21:37:06 +0200
Source: awl
Architecture: source
Version: 0.61-1
Distribution: unstable
Urgency: medium
Maintainer: Davical Development Team <davical-devel@lists.sourceforge.net>
Changed-By: Florian Schlichting <fsfs@debian.org>
Closes: 952182 956650
Changes:
awl (0.61-1) unstable; urgency=medium
.
* New upstream release (closes: #952182, #956650)
+ fix CVE-2020-11728 "Session::__construct() allows use of the current time as a session key"
+ fix CVE-2020-11729 "LSIDLogin() is insecure and can allow user impersonation"
* Bump debhelper compat to level 12
* Update copyright years
* Add upstream metadata
* Declare compliance with Debian Policy 4.5.0
Checksums-Sha1:
cbe2fa1f7a7b314ffe687ec032dfb5cc0d8b3a3e 1949 awl_0.61-1.dsc
86d525284036c02a5c29b108dcd7108b2adeb908 124340 awl_0.61.orig.tar.xz
9d6412f0ca6796b0814d6df84d14ddde808f4f03 7020 awl_0.61-1.debian.tar.xz
a0c41fc17a7a2c42a898b9ecb9078dfbec000697 7740 awl_0.61-1_amd64.buildinfo
Checksums-Sha256:
37f1836a666d7c8858f893037d2e5201c4e034e06a3b592a45788b2ea0b00bb3 1949 awl_0.61-1.dsc
fc8b8bea609483feba7ac985b074c5341633d2b9a756ee894737ae5aec00dee3 124340 awl_0.61.orig.tar.xz
fbb635f6954dec3644fbfe0efecd20dae67b6769b554792b24b699fc9953765c 7020 awl_0.61-1.debian.tar.xz
334a8f542b450b3c5629e6d0b1fad786de298ac46c54886adf936cc9e459f9fb 7740 awl_0.61-1_amd64.buildinfo
Files:
9c7da0380668aaa8d5a56c6e4007c980 1949 php optional awl_0.61-1.dsc
b22ee3e4a09f4b68ab1ec714319b9e41 124340 php optional awl_0.61.orig.tar.xz
77e1ebdeffd94d82cc38913b0a7a4a05 7020 php optional awl_0.61-1.debian.tar.xz
6e5d7d2b0fff5e3977acf01ae77cc31f 7740 php optional awl_0.61-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 14 Apr 2020 03:30:03 GMT)
Last modified: Tue Apr 14 08:36:31 2020