Your message dated Mon, 28 Nov 2011 01:56:31 +0000
with message-id <e1ruqsn-0001gw...@franck.debian.org>
and subject line Bug#647205: fixed in cherokee 1.0.8-5+squeeze1
has caused the Debian Bug report #647205,
regarding cherokee: Admin password generation uses time and PID, allows
attackers to brute-force it
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
647205: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=647205
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cherokee
Version: 1.2.100-1
Severity: grave
Tags: security
Justification: user security hole
CVE issue CVE-2011-2190 points out that the temporary admin password
generation function is seeded by the time and PID, which allows an
attacker to brute-force it. Yes, in production systems cherokee-admin
should be quite short-lived, but administrators can leave it running
for long periods, opening a window to this attack.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2190
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2190
An example attack has been posted to the RedHat bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2190
This bug has been filed in the upstream bugtracker:
http://code.google.com/p/cherokee/issues/detail?id=1295
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cherokee depends on:
ii libc6 2.13-21
ii libcherokee-base0 1.2.100-1
ii libcherokee-server0 1.2.100-1
ii libssl1.0.0 1.0.0e-2
ii logrotate 3.7.8-6
Versions of packages cherokee recommends:
ii cherokee-admin 1.2.100-1
ii spawn-fcgi 1.6.3-1
Versions of packages cherokee suggests:
ii cherokee-doc 1.2.100-1
ii libcherokee-mod-geoip 1.2.100-1
ii libcherokee-mod-ldap 1.2.100-1
ii libcherokee-mod-libssl 1.2.100-1
ii libcherokee-mod-mysql 1.2.100-1
ii libcherokee-mod-rrd 1.2.100-1
ii libcherokee-mod-streaming 1.2.100-1
-- Configuration Files:
/etc/cherokee/cherokee.conf changed [not included]
-- debconf-show failed
--- End Message ---
--- Begin Message ---
Source: cherokee
Source-Version: 1.0.8-5+squeeze1
We believe that the bug you reported is fixed in the latest version of
cherokee, which is due to be installed in the Debian FTP archive:
cget_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/cget_1.0.8-5+squeeze1_i386.deb
cherokee-doc_1.0.8-5+squeeze1_all.deb
to main/c/cherokee/cherokee-doc_1.0.8-5+squeeze1_all.deb
cherokee_1.0.8-5+squeeze1.debian.tar.gz
to main/c/cherokee/cherokee_1.0.8-5+squeeze1.debian.tar.gz
cherokee_1.0.8-5+squeeze1.dsc
to main/c/cherokee/cherokee_1.0.8-5+squeeze1.dsc
cherokee_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/cherokee_1.0.8-5+squeeze1_i386.deb
libcherokee-base0-dev_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/libcherokee-base0-dev_1.0.8-5+squeeze1_i386.deb
libcherokee-base0_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/libcherokee-base0_1.0.8-5+squeeze1_i386.deb
libcherokee-client0-dev_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/libcherokee-client0-dev_1.0.8-5+squeeze1_i386.deb
libcherokee-client0_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/libcherokee-client0_1.0.8-5+squeeze1_i386.deb
libcherokee-config0-dev_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/libcherokee-config0-dev_1.0.8-5+squeeze1_i386.deb
libcherokee-config0_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/libcherokee-config0_1.0.8-5+squeeze1_i386.deb
libcherokee-mod-admin_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/libcherokee-mod-admin_1.0.8-5+squeeze1_i386.deb
libcherokee-mod-geoip_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/libcherokee-mod-geoip_1.0.8-5+squeeze1_i386.deb
libcherokee-mod-ldap_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/libcherokee-mod-ldap_1.0.8-5+squeeze1_i386.deb
libcherokee-mod-libssl_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/libcherokee-mod-libssl_1.0.8-5+squeeze1_i386.deb
libcherokee-mod-mysql_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/libcherokee-mod-mysql_1.0.8-5+squeeze1_i386.deb
libcherokee-mod-rrd_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/libcherokee-mod-rrd_1.0.8-5+squeeze1_i386.deb
libcherokee-mod-streaming_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/libcherokee-mod-streaming_1.0.8-5+squeeze1_i386.deb
libcherokee-server0-dev_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/libcherokee-server0-dev_1.0.8-5+squeeze1_i386.deb
libcherokee-server0_1.0.8-5+squeeze1_i386.deb
to main/c/cherokee/libcherokee-server0_1.0.8-5+squeeze1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 647...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Gunnar Wolf <gw...@iiec.unam.mx> (supplier of updated cherokee package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 23 Nov 2011 12:23:56 -0600
Source: cherokee
Binary: cherokee libcherokee-base0 libcherokee-base0-dev libcherokee-client0
libcherokee-client0-dev libcherokee-config0 libcherokee-config0-dev
libcherokee-server0 libcherokee-server0-dev libcherokee-mod-admin
libcherokee-mod-mysql libcherokee-mod-ldap libcherokee-mod-libssl
libcherokee-mod-streaming libcherokee-mod-geoip libcherokee-mod-rrd cget
cherokee-doc
Architecture: source i386 all
Version: 1.0.8-5+squeeze1
Distribution: stable
Urgency: low
Maintainer: Gunnar Wolf <gw...@debian.org>
Changed-By: Gunnar Wolf <gw...@iiec.unam.mx>
Description:
cget - web page downloader
cherokee - Very fast, flexible and easy to configure web server
cherokee-doc - Very fast, flexible and easy to configure web server
libcherokee-base0 - Cherokee web server - Base libraries
libcherokee-base0-dev - Cherokee web server - base libraries' development files
libcherokee-client0 - Cherokee web server - Client libraries
libcherokee-client0-dev - Cherokee web server - Client libraries' development files
libcherokee-config0 - Cherokee web server - Configuration libraries
libcherokee-config0-dev - Cherokee web server - Configuration libraries' development files
libcherokee-mod-admin - Cherokee web server - Administrative plugin
libcherokee-mod-geoip - Cherokee web server - GeoIP-based IP resolution functionality
libcherokee-mod-ldap - Cherokee web server - LDAP user validator plugin
libcherokee-mod-libssl - Cherokee web server - SSL crypto functions plugin
libcherokee-mod-mysql - Cherokee web server - MySQL user validator plugin
libcherokee-mod-rrd - Cherokee web server - RRDtool based information collector
libcherokee-mod-streaming - Cherokee web server - Media streaming functions plugin
libcherokee-server0 - Cherokee web server - Server libraries
libcherokee-server0-dev - Cherokee web server - Server libraries' development files
Closes: 647205
Changes:
cherokee (1.0.8-5+squeeze1) stable; urgency=low
.
* Avoid brute-forceable password in cherokee-admin (Closes: #647205)
--- End Message ---