Source: ntopng
Version: 3.2+dfsg1-1
Severity: important
Tags: patch security upstream

Hi,

The following vulnerability was published for ntopng.

CVE-2018-12520[0]:
| An issue was discovered in ntopng 3.4 before 3.4.180617. The PRNG
| involved in the generation of session IDs is not seeded at program
| startup. This results in deterministic session IDs being allocated for
| active user sessions. An attacker with foreknowledge of the operating
| system and standard library in use by the host running the service and
| the username of the user whose session they're targeting can abuse the
| deterministic random number generation in order to hijack the user's
| session, thus escalating their access.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-12520
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12520
[1] http://seclists.org/fulldisclosure/2018/Jul/14
[2] https://github.com/ntop/ntopng/commit/30610bda60cbfc058f90a1c0a17d0e8f4516221a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
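The bug class behind CVE-2018-12520, shown as an added illustration in C that is not ntopng's code and not the fix from the linked commit (ntopng's session handling lives in its own C++/Lua code; see [2] for what upstream actually changed). The function names, the 32-hex-character ID format and the "service restart" simulation are assumptions made for this example. It shows why an unseeded libc PRNG hands out the same session IDs after every restart, how an attacker who knows the libc in use can reproduce them offline, and the fix of drawing the ID from the kernel CSPRNG instead:

```c
/* Added example, not ntopng code. Demonstrates deterministic session IDs
 * from an unseeded rand() and the CSPRNG-based replacement. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SESSION_ID_LEN 32          /* hex characters (assumed format) */

static const char HEX[] = "0123456789abcdef";

/* Vulnerable pattern: session ID built from rand() without ever calling
 * srand(). ISO C specifies that rand() then behaves as if srand(1) had
 * been called at program start, so every fresh process issues the same
 * sequence of IDs. */
void session_id_unseeded(char *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = HEX[rand() % 16];
    out[len] = '\0';
}

/* Simulates "the service restarted": puts rand() back into the state a
 * process has when nothing ever called srand(). */
void simulate_fresh_process(void)
{
    srand(1);
}

/* Attacker side: same OS and libc as the target, so run the same generator
 * locally and read off the n-th (0-based) ID the server will issue after
 * boot. Knowing which user logged in n-th is enough to pick the session. */
void predict_nth_session_id(unsigned n, char *out, size_t len)
{
    simulate_fresh_process();
    for (unsigned i = 0; i <= n; i++)
        session_id_unseeded(out, len);
}

/* Fixed pattern: take the ID from the kernel CSPRNG (/dev/urandom).
 * Seeding rand() with time() would only shrink the attacker's search
 * space; a user-space PRNG is the wrong tool for session tokens.
 * Returns 0 on success, -1 on failure. */
int session_id_secure(char *out, size_t len)
{
    unsigned char rnd[len];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    if (fread(rnd, 1, len, f) != len) {
        fclose(f);
        return -1;
    }
    fclose(f);
    for (size_t i = 0; i < len; i++)
        out[i] = HEX[rnd[i] & 0x0f];
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char server[SESSION_ID_LEN + 1], attacker[SESSION_ID_LEN + 1];
    char secure[SESSION_ID_LEN + 1];

    /* Server boots, second user logs in and receives a session ID. */
    simulate_fresh_process();
    session_id_unseeded(server, SESSION_ID_LEN);   /* first login */
    session_id_unseeded(server, SESSION_ID_LEN);   /* second login */

    /* Attacker reproduces the second ID without touching the server. */
    predict_nth_session_id(1, attacker, SESSION_ID_LEN);
    printf("server:   %s\nattacker: %s\nhijack:   %s\n", server, attacker,
           strcmp(server, attacker) == 0 ? "yes" : "no");

    if (session_id_secure(secure, SESSION_ID_LEN) == 0)
        printf("secure:   %s\n", secure);
    return 0;
}
```

Running it prints identical server and attacker IDs, which is exactly the precondition the advisory describes: the attacker needs only the platform's libc and the victim's position in the login order, not any secret. The secure variant differs on every call because its entropy never passes through a seedable user-space generator.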