ntopng: CVE-2018-12520

Debian Bug report logs - #903154
ntopng: CVE-2018-12520

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: ntopng: CVE-2018-12520

Date: Sat, 07 Jul 2018 08:32:50 +0200

Source: ntopng
Version: 3.2+dfsg1-1
Severity: important
Tags: patch security upstream

Hi,

The following vulnerability was published for ntopng.

CVE-2018-12520[0]:
| An issue was discovered in ntopng 3.4 before 3.4.180617. The PRNG
| involved in the generation of session IDs is not seeded at program
| startup. This results in deterministic session IDs being allocated for
| active user sessions. An attacker with foreknowledge of the operating
| system and standard library in use by the host running the service and
| the username of the user whose session they're targeting can abuse the
| deterministic random number generation in order to hijack the user's
| session, thus escalating their access.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-12520
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12520
[1] http://seclists.org/fulldisclosure/2018/Jul/14
[2] https://github.com/ntop/ntopng/commit/30610bda60cbfc058f90a1c0a17d0e8f4516221a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 903154-close@bugs.debian.org (full text, mbox, reply):

From: Ludovico Cavedon <cavedon@debian.org>

To: 903154-close@bugs.debian.org

Subject: Bug#903154: fixed in ntopng 3.8+dfsg1-1

Date: Tue, 22 Jan 2019 23:05:17 +0000

Source: ntopng
Source-Version: 3.8+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
ntopng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903154@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovico Cavedon <cavedon@debian.org> (supplier of updated ntopng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 21 Jan 2019 17:46:18 -0800
Source: ntopng
Binary: ntopng ntopng-data ntopng-doc
Architecture: source all amd64
Version: 3.8+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Ludovico Cavedon <cavedon@debian.org>
Changed-By: Ludovico Cavedon <cavedon@debian.org>
Description:
 ntopng     - High-Speed Web-based Traffic Analysis and Flow Collection Tool
 ntopng-data - High-Speed Web-based Traffic Analysis and Flow Collection Tool (d
 ntopng-doc - High-Speed Web-based Traffic Analysis and Flow Collection Tool (d
Closes: 887318 903154 910859 919907
Changes:
 ntopng (3.8+dfsg1-1) unstable; urgency=medium
 .
   * New upstream version 3.8+dfsg1 (Closes: #919907, #910859, #903154,
     #887318, CVE-2018-12520).
   * Drop get-orig-source target in favor of Files-Excluded in the copyright
     file.
   * Remove third-party/lua-5.* as we build against the system one.
   * Build-Depend against liblua5.3-dev.
   * Update copyright information.
   * Refresh patches and remove internal-luajit.patch (no longer applicable).
   * Update Build-Depend against libndpi-dev >= 2.6
   * Build-depend on libmaxminddb-dev.
   * Add use-system-lua.patch to use system liblua insetad of the embedded one.
   * Bump Build-Dep on debhelper >= 10.8 to support the --doc-main-package
     option of dh_installdocs.
   * Migrate datadir from /var/tmp/ntopng to /var/lib/ntopng in postinst.
   * Use system libjs-html5shiv, libjs-jquery, and libjs-jquery-ui.
   * Make ntopng-utils-manage-config executable (needed for the web UI to be
     able to backup/restore the configuration).
   * Change systemd Restart to on-abnormal.
   * Update the list of README to install as docs.
   * Generate html documentation and register it with doc-base. Split
     documentation into ntopng-doc package.
   * Update Vcs headers to point to salsa.debian.org.
   * Remove httpdocs/geoip/README as recommended by lintian.
   * Bump Standards-Version to 4.3.0.
Checksums-Sha1:
 769b9e2c1bc0aaee1c9d4f2864a5de709e5e49ca 2321 ntopng_3.8+dfsg1-1.dsc
 c03fd8520421042e78213aaa33c5f4066a4c615f 30984974 ntopng_3.8+dfsg1.orig.tar.gz
 1fa1c4e4919191a21a19fd0711c1ff60f46eec2f 27660 ntopng_3.8+dfsg1-1.debian.tar.xz
 cf57816dd05f0e3c3e29ccc451602204dbd6c48f 1867480 ntopng-data_3.8+dfsg1-1_all.deb
 34f252b3f5dd2c5c8af26a7b4b55344c68467b81 3818508 ntopng-dbgsym_3.8+dfsg1-1_amd64.deb
 99a7d4623692df5a6ca810f1c48350cb1396b09d 25123440 ntopng-doc_3.8+dfsg1-1_all.deb
 a6885a5112c2f046d871a7770f24187f096c78ed 12435 ntopng_3.8+dfsg1-1_amd64.buildinfo
 147e0cf21b675e252fcdc6591dd1f5afd8f20a04 352664 ntopng_3.8+dfsg1-1_amd64.deb
Checksums-Sha256:
 b1944b3ae5aea0c66adfa16e85e3152c99fdec2a295cdb34f174fea455f0c053 2321 ntopng_3.8+dfsg1-1.dsc
 400be6391b4b97a2dfee2b6f5a879adce3b2527c913ff9e17d3fe77a7c02e00f 30984974 ntopng_3.8+dfsg1.orig.tar.gz
 695e0f6d4aa927e0b56e94cad549b22e9690118553b0652f151acc20e4d14472 27660 ntopng_3.8+dfsg1-1.debian.tar.xz
 be08ea27ff93b8e8a94b9c15a7b8fff85d615eafaf9250c3fd17575e8ebdc001 1867480 ntopng-data_3.8+dfsg1-1_all.deb
 8a9c287088b395259fe8e5024e65db5081d16f1c461116d8e668058d00755eac 3818508 ntopng-dbgsym_3.8+dfsg1-1_amd64.deb
 40f9361af506456ac4c8b6bd3f4e6956affd859d08f4c10b2f529ad81c090c66 25123440 ntopng-doc_3.8+dfsg1-1_all.deb
 0e191ca9f06b5c08027e02ab4e5659546cceae9cd6a0799c3fe529fabc428422 12435 ntopng_3.8+dfsg1-1_amd64.buildinfo
 112797ab7e055a20ac45e6c847d86d340bdaa39de4a66e3d6c939f9ff89c5928 352664 ntopng_3.8+dfsg1-1_amd64.deb
Files:
 801cb145d48b83ba6bfce9d8faedee78 2321 net optional ntopng_3.8+dfsg1-1.dsc
 ed6096fb3a72e3d0db20fcae67a10a94 30984974 net optional ntopng_3.8+dfsg1.orig.tar.gz
 0e008691c6e68d6b851a77f0b820972c 27660 net optional ntopng_3.8+dfsg1-1.debian.tar.xz
 f34a05b1a50bed550212c6a36490e905 1867480 net optional ntopng-data_3.8+dfsg1-1_all.deb
 5594ce0341797914fb593b8da32d2d24 3818508 debug optional ntopng-dbgsym_3.8+dfsg1-1_amd64.deb
 6972cd27efb2d574179a4b59cb381e82 25123440 doc optional ntopng-doc_3.8+dfsg1-1_all.deb
 638254a35d48b7d61e6bc8b0dddf0ed8 12435 net optional ntopng_3.8+dfsg1-1_amd64.buildinfo
 118cef0a0981d35516bab57a7e7edde4 352664 net optional ntopng_3.8+dfsg1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEExi9RJLiVCtv386tME8C1Zno4sLAFAlxGeWoACgkQE8C1Zno4
sLCCKw/+Mnpao4A+peizAK4WsRK77MYhOLYmXYuibP9m8hYaK3akSEFlnSqkMLqz
Szc8e/fpgQIGQ/52Guo8KssTImGK7X31NHPU8o2cYulta/gUI/Qd3vN022HMYC/G
wVC+oz0szzoJwUX6gxc82dZL4aP57fdDOVQs+AXUEYkyElJjahFvz+HRw2RKmZvo
UkKyKR1KI9rC74hZezJOa1iHLZ8WdIXwkoehPjDEth6uFhFQfwad2qUp6ZogKDNT
2n8b/Kui/Qvuo6jygqoDik1zbClBOFFu/hNfGUrUTYGdx/eBTquZUkN+aCi2iMfK
n/v6oGqkH8PimZrhXf2Wr3rof0EUywzc3jqzaXrgskgd/utIy/HTqwF1qPPzyjzQ
3Zy0tY+NBglxkjEp6vF/PMbKLfiFQ2wuG7JowUlcdUpRQRtwE7M8eUTeAMNq36Sy
S/rvOLThabHevwB3rz1jkWMUyClm10VljyNi+KiM8cTjpA34Ajo2L03QuVZlXHbC
fGd/s/Q80PoTn1/oqGji1rroruSrmI9qn9QlyWzYop8+DxllY3R+5QOALimTI/Rs
4iyjDztYmdWjoX8EcX71Cvt0s+6dTywPv3rBCTQbOZPxgxdXpm/qdRMzwoEJ2Hbm
O8j05DftZuYwmaR+psrpXwBVliq/LiUdiUq/ct1vVZ3fvKAylDo=
=9wvX
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.