Debian DSA-1518-1 : backup-manager - programming error

low Nessus Plugin ID 31589

Synopsis

The remote Debian host is missing a security-related update.

Description

Micha Lenk discovered that backup-manager, a command-line backup tool, sends the password as a command-line argument when calling an FTP client, which may allow a local attacker to read this password (which provides access to all backed-up files) from the process listing.
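
The exposure described above, shown as an added example that is not part of the advisory or of backup-manager's code: a stand-in child process (a Python one-liner assumed here in place of the FTP client) is started once with a constructed password in its argument list and once with the password written to its stdin pipe, and the Linux `/proc/<pid>/cmdline` view is checked each time. The names `DEMO_PASSWORD`, `CHILD_CODE`, `read_cmdline` and `password_visible_in_listing` are hypothetical, and a Linux `/proc` filesystem is assumed.

```python
import subprocess
import sys

# Constructed placeholder secret; not a real credential.
DEMO_PASSWORD = "constructed-demo-secret"

# Hypothetical stand-in for the FTP client: it reads one line from stdin,
# then idles so its /proc entry can be inspected.
CHILD_CODE = "import sys, time; sys.stdin.readline(); time.sleep(30)"


def read_cmdline(pid):
    """Return a process's argv as exposed in Linux /proc/<pid>/cmdline,
    which other local users can read by default (no hidepid mount option)."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]


def password_visible_in_listing(via_argv):
    """Start the stand-in client and report whether the secret is in its argv.

    via_argv=True  : weak pattern from the advisory (password as an argument).
    via_argv=False : password written to the child's stdin pipe instead.
    """
    argv = [sys.executable, "-c", CHILD_CODE]
    if via_argv:
        argv.append(DEMO_PASSWORD)
    with subprocess.Popen(argv, stdin=subprocess.PIPE) as child:
        try:
            if not via_argv:
                child.stdin.write(DEMO_PASSWORD.encode() + b"\n")
                child.stdin.flush()
            return DEMO_PASSWORD in read_cmdline(child.pid)
        finally:
            child.kill()  # the with-block then closes stdin and reaps the child


if __name__ == "__main__":
    print("password in argv visible :", password_visible_in_listing(via_argv=True))
    print("password on stdin visible:", password_visible_in_listing(via_argv=False))
```

The same check can be pointed at the PID of a running backup job on a test host to confirm that no credential appears in its argument list after the upgrade.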

Solution

Upgrade the backup-manager package.

For the old stable distribution (sarge), this problem has been fixed in version 0.5.7-1sarge2.

For the stable distribution (etch), this problem has been fixed in version 0.7.5-4.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=439392

https://www.debian.org/security/2008/dsa-1518

Plugin Details

Severity: Low

ID: 31589

File Name: debian_DSA-1518.nasl

Version: 1.17

Type: local

Agent: unix

Published: 3/17/2008

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: Low

Base Score: 2.1

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:backup-manager, cpe:/o:debian:debian_linux:3.1, cpe:/o:debian:debian_linux:4.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 3/15/2008

Reference Information

CVE: CVE-2007-4656

CWE: 200, 255, 310

DSA: 1518