[Secure-testing-team] Bug#860038: web2py: CVE-2016-10321
Salvatore Bonaccorso
carnil at debian.org
Mon Apr 10 15:10:36 UTC 2017
Source: web2py
Version: 2.12.3-1
Severity: important
Tags: patch security upstream
Hi,
the following vulnerability was published for web2py.
CVE-2016-10321[0]:
| web2py before 2.14.6 does not properly check if a host is denied before
| verifying passwords, allowing a remote attacker to perform brute-force
| attacks.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-10321
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10321
[1] https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Secure-testing-team
mailing list