Control: severity -1 grave

On Tue, Jan 17, 2017 at 09:37:46PM +0100, Salvatore Bonaccorso wrote:
> Source: zoneminder
> Version: 1.30.0+dfsg-2
> Severity: important
> Tags: security upstream patch
>
> Hi,
>
> the following vulnerability was published for zoneminder.
>
> CVE-2016-10140[0]:
> | Information disclosure and authentication bypass vulnerability exists
> | in the Apache HTTP Server configuration bundled with ZoneMinder
> | v1.30.0, which allows a remote unauthenticated attacker to browse all
> | directories in the web root, e.g., a remote unauthenticated attacker
> | can view all CCTV images on the server.
>
> The package then installs respectively
> /etc/apache2/conf-available/zoneminder.conf with the problematic
> settings.

After discussing with Moritz Muehlenhoff (jmm), decided to raise the
severity to RC, and have the conffile fix included in stretch.

Regards,
Salvatore
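For readers following the bug, an illustrative Apache 2.4 fragment, added here and not taken from the packaged zoneminder.conf or the bug report: it shows the kind of directory-listing setting the CVE text describes next to a hardened form. The web-root path is a placeholder and the exact directives are assumptions, since the message does not reproduce the conffile's contents.

```apache
# Added illustration, not the packaged zoneminder.conf. The web-root path is
# a placeholder; the directives are assumed to be the ones at issue.

# Weak form: "Indexes" makes Apache generate a listing for any directory
# that has no index file, so an unauthenticated client can walk the web
# root and fetch stored images directly, bypassing the application's own
# login.
<Directory /PATH/TO/ZONEMINDER/WWW>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Hardened form: auto-indexing disabled, only the option the application
# needs kept, and .htaccess overrides disallowed so a subdirectory cannot
# re-enable listings.
<Directory /PATH/TO/ZONEMINDER/WWW>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
```

After `apache2ctl configtest` and a reload, a request for a directory under the web root that has no index file should return 403 Forbidden instead of an HTML listing; that is the quickest way to confirm the conffile fix took effect on a running host.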