Bugtraq mailing list archives
[ GLSA 201101-07 ] Prewikka: password disclosure
From: Stefan Behte <craig () gentoo org>
Date: Sun, 16 Jan 2011 12:12:17 +0100
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201101-07 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Prewikka: password disclosure Date: January 16, 2011 Bugs: #270056 ID: 201101-07 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Due to a world-readable file, a local attacker can obtain the SQL database password used by Prewikka. Background ========== Prewikka is a graphical front-end analysis console for the Prelude Hybrid IDS Framework. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-analyzer/prewikka < 0.9.14-r2 >= 0.9.14-r2 Description =========== The permissions of the prewikka.conf file are set world readable. Impact ====== A local attacker could obtain the SQL database password used by Prewikka. Workaround ========== There is no known workaround at this time. Resolution ========== All Prewikka users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/prewikka-0.9.14-r2" NOTE: This is a legacy GLSA. Updates for all affected architectures are available since May 18, 2009 . It is likely that your system is already no longer affected by this issue. References ========== [ 1 ] CVE-2010-2058 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2058 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201101-07.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security () gentoo org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- [ GLSA 201101-07 ] Prewikka: password disclosure Stefan Behte (Jan 17)