elog: CVE-2016-6342: posting entry as arbitrary username by improper authentication

Related Vulnerabilities: CVE-2016-6342  

Debian Bug report logs - #836505


Package: src:elog; Maintainer for src:elog is Roger Kalt <roger.kalt@gmail.com>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 3 Sep 2016 14:54:02 UTC

Severity: grave

Tags: patch, security, upstream

Found in version elog/2.9.2+2014.05.11git44800a7-2

Fixed in versions elog/3.1.2-1-1, elog/2.9.2+2014.05.11git44800a7-2+deb8u1

Done: Roger Kalt <roger.kalt@gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roger Kalt <roger.kalt@gmail.com>:
Bug#836505; Package src:elog. (Sat, 03 Sep 2016 14:54:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Roger Kalt <roger.kalt@gmail.com>. (Sat, 03 Sep 2016 14:54:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: elog: CVE-2016-6342: posting entry as arbitrary username by improper authentication
Date: Sat, 03 Sep 2016 16:51:57 +0200
Source: elog
Version: 2.9.2+2014.05.11git44800a7-2
Severity: grave
Tags: security upstream patch

Hi,

the following vulnerability was published for elog.

CVE-2016-6342[0]:
posting entry as arbitrary username by improper authentication

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-6342

Using severity grave, since for at least stretch this should be fixed
to be in a fixed version. I OTOH do not know elog well enough to see
if the affected setup is actually a frequent one.

Could you as well schedule a fix for the stable version via a
point-release, cf.
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable

Regards,
Salvatore



Added tag(s) pending. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Mon, 12 Sep 2016 00:03:03 GMT)


Reply sent to Roger Kalt <roger.kalt@gmail.com>:
You have taken responsibility. (Mon, 12 Sep 2016 19:51:20 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 12 Sep 2016 19:51:20 GMT)


Message #12 received at 836505-close@bugs.debian.org:

From: Roger Kalt <roger.kalt@gmail.com>
To: 836505-close@bugs.debian.org
Subject: Bug#836505: fixed in elog 3.1.2-1-1
Date: Mon, 12 Sep 2016 19:48:47 +0000
Source: elog
Source-Version: 3.1.2-1-1

We believe that the bug you reported is fixed in the latest version of
elog, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 836505@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roger Kalt <roger.kalt@gmail.com> (supplier of updated elog package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 06 Sep 2016 20:00:00 +0100
Source: elog
Binary: elog
Architecture: source amd64
Version: 3.1.2-1-1
Distribution: unstable
Urgency: low
Maintainer: Roger Kalt <roger.kalt@gmail.com>
Changed-By: Roger Kalt <roger.kalt@gmail.com>
Description:
 elog       - Logbook system to manage notes through a Web interface
Closes: 816209 836505
Changes:
 elog (3.1.2-1-1) unstable; urgency=low
 .
   * new upstream version grabbed, (Closes: #836505, CVE-2016-6342)
   * update debian/rules
     - allow reproducible builds (Closes: #816209)
     - enable all hardening build flags
   * update debian/source/lintian-overrides for contrib/elogsubmit.js
     insane-line-length-in-source-file, removed unused overrides
   * update Standards-Version to 3.9.8 (debian/control)




Reply sent to Roger Kalt <roger.kalt@gmail.com>:
You have taken responsibility. (Mon, 03 Oct 2016 22:06:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 03 Oct 2016 22:06:05 GMT)


Message #17 received at 836505-close@bugs.debian.org:

From: Roger Kalt <roger.kalt@gmail.com>
To: 836505-close@bugs.debian.org
Subject: Bug#836505: fixed in elog 2.9.2+2014.05.11git44800a7-2+deb8u1
Date: Mon, 03 Oct 2016 22:03:36 +0000
Source: elog
Source-Version: 2.9.2+2014.05.11git44800a7-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
elog, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 836505@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roger Kalt <roger.kalt@gmail.com> (supplier of updated elog package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 17 Sep 2016 20:22:36 +0200
Source: elog
Binary: elog
Architecture: source amd64
Version: 2.9.2+2014.05.11git44800a7-2+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Roger Kalt <roger.kalt@gmail.com>
Changed-By: Roger Kalt <roger.kalt@gmail.com>
Description:
 elog       - Logbook system to manage notes through a Web interface
Closes: 836505
Changes:
 elog (2.9.2+2014.05.11git44800a7-2+deb8u1) jessie; urgency=medium
 .
   * Added patch 0005_elogd_CVE-2016-6342_fix to fix posting entry as
     arbitrary username (Closes: #836505, CVE-2016-6342)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 07:38:54 GMT)


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:54:56 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 07:41:26 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:07:49 2019; Machine Name: buxtehude
