Package: cherokee
Version: 1.2.100-1
Severity: grave
Tags: security
Justification: user security hole

CVE issue CVE-2011-2190 points out that the temporary admin password
generation function is seeded by the time and PID, which allows an
attacker to brute-force it. Yes, in production systems cherokee-admin
should be quite short-lived, but administrators can leave it running for
long periods, opening a window to this attack.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2190
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2190

An example attack has been posted to the RedHat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2190

This bug has been filed in the upstream bugtracker:
http://code.google.com/p/cherokee/issues/detail?id=1295

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cherokee depends on:
ii  libc6                 2.13-21
ii  libcherokee-base0     1.2.100-1
ii  libcherokee-server0   1.2.100-1
ii  libssl1.0.0           1.0.0e-2
ii  logrotate             3.7.8-6

Versions of packages cherokee recommends:
ii  cherokee-admin        1.2.100-1
ii  spawn-fcgi            1.6.3-1

Versions of packages cherokee suggests:
ii  cherokee-doc              1.2.100-1
ii  libcherokee-mod-geoip     1.2.100-1
ii  libcherokee-mod-ldap      1.2.100-1
ii  libcherokee-mod-libssl    1.2.100-1
ii  libcherokee-mod-mysql     1.2.100-1
ii  libcherokee-mod-rrd       1.2.100-1
ii  libcherokee-mod-streaming 1.2.100-1

-- Configuration Files:
/etc/cherokee/cherokee.conf changed [not included]

-- debconf-show failed
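Added illustration (not part of the bug report, and not cherokee-admin's code): a generator of the class the report describes, seeding libc rand() from nothing but a start time and a PID, next to the attacker's search that enumerates every (time, PID) pair in a plausible window. The seed derivation, the 8-character alphanumeric password and the victim's start time and PID are assumptions made for the example; strcmp() against the real password stands in for submitting a candidate to the admin login form. A /dev/urandom-based generator is included for contrast.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define PASS_LEN 8
/* Password alphabet: an assumption for this example, not cherokee's. */
static const char ALPHABET[] = "abcdefghijklmnopqrstuvwxyz0123456789";
#define ALPHABET_LEN (sizeof(ALPHABET) - 1)

/* Hypothetical seed derivation modelling the weakness: the only inputs are
 * the process start time and the PID, so the entropy an attacker faces is
 * bounded by (plausible start-time window) x (PID range). */
unsigned weak_seed(time_t start, int pid)
{
    return ((unsigned)start << 16) ^ ((unsigned)pid & 0xFFFFu);
}

/* Weak generator: libc rand() driven by the seed above. */
void weak_password(unsigned seed, char out[PASS_LEN + 1])
{
    srand(seed);
    for (int i = 0; i < PASS_LEN; i++)
        out[i] = ALPHABET[(unsigned)rand() % ALPHABET_LEN];
    out[PASS_LEN] = '\0';
}

/* Attacker side: enumerate all (start, pid) pairs in [t_lo, t_hi] x
 * [1, pid_max]. The strcmp() stands in for a login attempt; everything
 * else runs offline. Returns 1 and the seed on success, 0 otherwise, and
 * reports how many guesses were needed. */
int brute_force(const char *real, time_t t_lo, time_t t_hi, int pid_max,
                unsigned *found_seed, unsigned long *attempts)
{
    char cand[PASS_LEN + 1];
    *attempts = 0;
    for (time_t t = t_lo; t <= t_hi; t++) {
        for (int pid = 1; pid <= pid_max; pid++) {
            unsigned seed = weak_seed(t, pid);
            weak_password(seed, cand);
            (*attempts)++;
            if (strcmp(cand, real) == 0) {
                *found_seed = seed;
                return 1;
            }
        }
    }
    return 0;
}

/* Convenience: generate the victim's password for (start, pid) and return
 * how many guesses an attacker needs with start known to +/- slack seconds
 * and PIDs up to pid_max; 0 if the search window misses. */
unsigned long guesses_needed(time_t start, int pid, int slack, int pid_max)
{
    char real[PASS_LEN + 1];
    unsigned seed;
    unsigned long attempts;
    weak_password(weak_seed(start, pid), real);
    if (!brute_force(real, start - slack, start + slack, pid_max, &seed, &attempts))
        return 0;
    return attempts;
}

/* Hardened form: bytes from the kernel CSPRNG, with rejection sampling so
 * the modulo does not bias the distribution. Returns 0 on success, -1 if
 * /dev/urandom cannot be read. */
int strong_password(char out[PASS_LEN + 1])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    const unsigned limit = 256 - (256 % ALPHABET_LEN); /* 252 for 36 symbols */
    int i = 0;
    while (i < PASS_LEN) {
        unsigned char b;
        if (fread(&b, 1, 1, f) != 1) { fclose(f); return -1; }
        if (b >= limit)
            continue; /* reject so each symbol stays equally likely */
        out[i++] = ALPHABET[b % ALPHABET_LEN];
    }
    out[PASS_LEN] = '\0';
    fclose(f);
    return 0;
}

int main(void)
{
    /* Constructed victim: admin process started at a known time, PID 4242. */
    time_t start = 1700000000;
    char real[PASS_LEN + 1], strong[PASS_LEN + 1];
    unsigned seed;
    unsigned long attempts;
    weak_password(weak_seed(start, 4242), real);
    printf("weak password: %s\n", real);
    /* Attacker knows start to +/-2 s (e.g. from an HTTP Date header) and
     * assumes the Linux default pid_max of 32768. */
    if (brute_force(real, start - 2, start + 2, 32768, &seed, &attempts))
        printf("recovered seed 0x%08x after %lu guesses\n", seed, attempts);
    if (strong_password(strong) == 0)
        printf("strong password: %s\n", strong);
    return 0;
}
```

With a 5-second window and 32768 PIDs the whole candidate space is about 164k passwords, which is why "seeded by the time and PID" is a brute-force problem rather than a guessing problem; the window only grows if cherokee-admin is left running, since the attacker can then bound the start time less precisely but still finitely. The hardened variant draws from the kernel CSPRNG, so the password's entropy is the full 8 x log2(36) bits regardless of how long the process has been up.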