Detections
Analytics
Debian DSA-3502-1 : roundup - security update
medium Nessus Plugin ID 89121
Language:
Synopsis
The remote Debian host is missing a security-related update.Description
Ralf Schlatterbeck discovered an information leak in roundup, a web-based issue tracking system. An authenticated attacker could use it to see sensitive details about other users, including their hashed password.After applying the update, which will fix the shipped templates, the site administrator should ensure the instanced versions (in /var/lib/roundup usually) are also updated, either by patching them manually or by recreating them.
More info can be found in the upstream documentation at http://www.roundup-tracker.org/docs/upgrading.html#user-data-visibilit y
Solution
Upgrade the roundup packages.For the oldstable distribution (wheezy), this problem has been fixed in version 1.4.20-1.1+deb7u1.
For the stable distribution (jessie), this problem has been fixed in version 1.4.20-1.1+deb8u1.
See Also
http://www.nessus.org/u?bd3d1940
https://packages.debian.org/source/wheezy/roundup
Plugin Details
Severity: Medium
ID: 89121
File Name: debian_DSA-3502.nasl
Version: 2.9
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 3/4/2016
Updated: 1/11/2021
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 1.4
CVSS v2
Risk Factor: Medium
Base Score: 4
Temporal Score: 3
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS v3
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.8
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:roundup, cpe:/o:debian:debian_linux:7.0, cpe:/o:debian:debian_linux:8.0
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Ease: No known exploits are available
Patch Publication Date: 3/3/2016
Reference Information
CVE: CVE-2014-6276
DSA: 3502