CVE-2016-4806, CVE-2016-4807, CVE-2016-4808 #1585
The wording of the CVEs implies that this is fixed in 2.14.6. I am not sure that is correct; it could be that 2.14.5 was the latest release at the time. Looks like the CVEs were allocated 2016-05-15 and version 2.14.6 was released 2016-05-10.
Not sure if the following commits are significant, just looking at the changes in 2.14.6 by hand:
Unfortunately, the details provided in the CVE don't allow for positive identification of the specific git commit that fixed the problem, and there are no references to the CVEs in the commits. I don't think there is a CVE for this one:
This also looks like a security fix:
@brianmay: re the CVE allocation question: that only means: "Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE."
CVE-2016-4806 looks the most serious to me. Not sure what the scope of "intended user" means, however. Can I please have confirmed if this has been fixed? None of the commits I have looked at after 2.14.5 look relevant.
@brianmay I've fixed 4806 here: Narendra Bhati, who discovered these flaws, was kind enough to report them to us before making them public. The problem was that the admin app was allowing you to pack any file; now it validates that the files are in the applications folder. Note that you still needed to be logged in to the admin to exploit this. Sadly, there was also a vulnerability that made the admin vulnerable to a brute force attack, which was fixed in the other commit by myself that you referred to. We believe the admin application is quite safe right now; still, there's no need to use it in production.
@brianmay first of all, thanks for reporting these issues. I apologize for not following closely. Do you think there is any major vulnerability still open that needs to be addressed?
I have no idea if web2py is still vulnerable or not. At the time I was trying to get a list of commits that fix the security issues, so I could try to backport them to Debian wheezy security updates. Apparently 1b42fe6 fixes a security issue, although this commit also contains a lot of unnecessary whitespace changes. So it is hard to evaluate right now for backporting. For future reference, it would be really helpful if the commit message and the relevant bug report contained a reference to the CVE being fixed. Thanks.
@brianmay the relevant part of that commit is here: that line and the ones following validate the files the user requested to be packed.
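The two comments above describe the shape of the fix for CVE-2016-4806 (the admin "pack" action now checks that every requested file lives inside the applications folder) without showing the code. The following is an added example written by the editor, not web2py's own implementation and not the commit referred to in the thread: it shows how such a check is done robustly by resolving each path with realpath() and comparing it against the resolved application directory, so that "../" traversal, absolute paths, sibling applications and symlinks pointing outside the app are all rejected before anything is written to the archive. The function names, the constructed directory tree and the sample requests are assumptions made for the example.

```python
import os
import tarfile
import tempfile


class UnsafePathError(ValueError):
    """Raised when a requested file would escape the application's folder."""


def validate_pack_paths(apps_root, app_name, requested):
    """Return absolute paths for `requested`, each proven to lie inside
    <apps_root>/<app_name>.  `requested` entries are relative paths as an
    admin UI would submit them (hypothetical API, not web2py's).
    realpath() follows symlinks and collapses '..' *before* the comparison,
    which is what makes the containment check meaningful."""
    apps_root_real = os.path.realpath(apps_root)
    app_dir = os.path.realpath(os.path.join(apps_root, app_name))
    # The application itself must be a direct child of the applications folder.
    if os.path.dirname(app_dir) != apps_root_real:
        raise UnsafePathError("application name escapes the applications folder: %r" % app_name)
    safe = []
    for rel in requested:
        # os.path.join discards app_dir if `rel` is absolute; realpath normalises the rest.
        full = os.path.realpath(os.path.join(app_dir, rel))
        # Containment test on the *resolved* path; a plain startswith() check would
        # accept "/apps/welcome_evil" as being inside "/apps/welcome".
        if os.path.commonpath([full, app_dir]) != app_dir:
            raise UnsafePathError("refusing to pack %r: resolves to %s outside %s" % (rel, full, app_dir))
        safe.append(full)
    return safe


def is_safe_pack_request(apps_root, app_name, requested):
    """Boolean form of the check, convenient for tests and request filtering."""
    try:
        validate_pack_paths(apps_root, app_name, requested)
        return True
    except UnsafePathError:
        return False


def pack_app(apps_root, app_name, requested, out_tar):
    """Write a tar containing only validated files, stored relative to the app dir."""
    app_dir = os.path.realpath(os.path.join(apps_root, app_name))
    files = validate_pack_paths(apps_root, app_name, requested)
    with tarfile.open(out_tar, "w") as tar:
        for full in files:
            tar.add(full, arcname=os.path.relpath(full, app_dir))
    return files


def demo():
    """Build a constructed applications tree in a temp dir and exercise the check.
    Returns a dict of case name -> accepted?, plus the members of the tar produced
    for the legitimate request."""
    base = tempfile.mkdtemp()
    apps_root = os.path.join(base, "applications")
    app_dir = os.path.join(apps_root, "welcome")
    os.makedirs(os.path.join(app_dir, "models"))
    with open(os.path.join(app_dir, "models", "db.py"), "w") as f:
        f.write("# constructed sample model\n")
    # A file that must never end up in a pack: it lives outside applications/.
    secret = os.path.join(base, "private.key")
    with open(secret, "w") as f:
        f.write("constructed secret\n")
    cases = {
        "legit": ["models/db.py"],
        "traversal": ["../../private.key"],
        "absolute": [secret],
        "sibling-app": ["../admin/models/db.py"],
    }
    try:
        # Symlink inside the app pointing outside it; skipped where symlinks are unsupported.
        os.symlink(secret, os.path.join(app_dir, "link.key"))
        cases["symlink-out"] = ["link.key"]
    except OSError:
        pass
    results = {name: is_safe_pack_request(apps_root, "welcome", req) for name, req in cases.items()}
    tar_path = os.path.join(base, "welcome.tar")
    pack_app(apps_root, "welcome", cases["legit"], tar_path)
    with tarfile.open(tar_path) as tar:
        results["packed"] = sorted(tar.getnames())
    return results


if __name__ == "__main__":
    for name, value in sorted(demo().items()):
        print("%-12s %s" % (name, value))
```

Running the block prints one line per case; only the legitimate request is accepted and the resulting archive contains just `models/db.py`. Note that the symlink case only matters because the check is done on the resolved path: validating the submitted string alone (for example by rejecting ".." textually) would still let a link planted inside the app directory pull in a file from outside it.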
OK. Unless there are objections, I am going to close this.
Hello,
several security vulnerabilities were reported for web2py and they already got CVEs assigned. I could not find any information about them in your git repository. Are you aware of them and are there any fixes available?
https://security-tracker.debian.org/tracker/source-package/web2py