DSA-1994-1 ajaxterm -- weak session IDs

Debian Security Advisory

DSA-1994-1 ajaxterm -- weak session IDs

Date Reported:

11 Feb 2010

Affected Packages:

ajaxterm

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2009-1629.

More information:

It was discovered that Ajaxterm, a web-based terminal, generates weak and predictable session IDs, which might be used to hijack a session or cause a denial of service attack on a system that uses Ajaxterm.

For the oldstable distribution (etch), the problem has been fixed in version 0.9-2+etch4.

For the stable distribution (lenny), the problem has been fixed in version 0.10-2+lenny1.

For the unstable distribution (sid), the problem has been fixed in version 0.10-5.

We recommend that you upgrade your ajaxterm package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:

http://security.debian.org/pool/updates/main/a/ajaxterm/ajaxterm_0.9-2+etch4.dsc

http://security.debian.org/pool/updates/main/a/ajaxterm/ajaxterm_0.9-2+etch4.diff.gz

http://security.debian.org/pool/updates/main/a/ajaxterm/ajaxterm_0.9.orig.tar.gz

Architecture-independent component:

http://security.debian.org/pool/updates/main/a/ajaxterm/ajaxterm_0.9-2+etch4_all.deb

Debian GNU/Linux 5.0 (lenny)

Source:

http://security.debian.org/pool/updates/main/a/ajaxterm/ajaxterm_0.10-2+lenny1.diff.gz

http://security.debian.org/pool/updates/main/a/ajaxterm/ajaxterm_0.10.orig.tar.gz

http://security.debian.org/pool/updates/main/a/ajaxterm/ajaxterm_0.10-2+lenny1.dsc

Architecture-independent component:

http://security.debian.org/pool/updates/main/a/ajaxterm/ajaxterm_0.10-2+lenny1_all.deb

MD5 checksums of the listed files are available in the original advisory.