[Secure-testing-team] Bug#876640: plinth: Insecure crypto settings used for auth-pubtkt
James Valleroy
jvalleroy at mailbox.org
Sun Sep 24 05:14:17 UTC 2017
Package: plinth
Version: 0.15.1+ds-1
Severity: grave
Tags: security upstream
Justification: user security hole
Due to issues (now fixed) in libapache2-mod-auth-pubtkt, plinth
v0.15.1 has insecure settings for key generation and signing. This may
allow someone to impersonate a plinth user and gain access to apps
that support SSO.
This issue is fixed upstream, but not released yet:
https://github.com/freedombox/Plinth/commit/f9166f8e985401e598de39bd72f0304c799bc0f0#diff-c3fddc6d3c8965915ad635b6b3de49f4
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.12.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages plinth depends on:
ii adduser 3.116
ii augeas-tools 1.8.1-2
ii avahi-daemon 0.7-3
ii batctl 2017.2-2
ii firewalld 0.4.4.5-2
ii gettext 0.19.8.1-4
ii gir1.2-glib-2.0 1.54.0-2
ii gir1.2-networkmanager-1.0 1.8.4-1
ii init-system-helpers 1.49
ii javascript-common 11
ii ldap-utils 2.4.45+dfsg-1
ii ldapscripts 2.0.8-1
ii libapache2-mod-auth-pubtkt 0.11-1
ii libjs-bootstrap 3.3.7+dfsg-2
ii libjs-jquery 3.2.1-1
ii libjs-modernizr 2.6.2+ds1-1
ii libnss-ldapd 0.9.8-1
ii libpam-ldapd 0.9.8-1
ii network-manager 1.8.4-1
ii nslcd 0.9.8-1
ii ntp 1:4.2.8p10+dfsg-5
ii openssl 1.1.0f-5
ii ppp 2.4.7-1+4
ii pppoe 3.12-1.1
ii python3 3.5.3-3
ii python3-apt 1.4.0~beta3+b1
ii python3-augeas 0.5.0-1
ii python3-bootstrapform 3.2.1-3
ii python3-cherrypy3 3.5.0-2
ii python3-django 1:1.11.5-1
ii python3-django-stronghold 0.2.7+debian-3
ii python3-gi 3.24.1-3
ii python3-openssl 16.2.0-1
ii python3-psutil 5.0.1-1+b1
ii python3-requests 2.18.1-1
ii python3-ruamel.yaml 0.13.4-2+b1
ii slapd 2.4.45+dfsg-1
ii sudo 1.8.21p2-1
ii unattended-upgrades 0.97
plinth recommends no packages.
plinth suggests no packages.
-- Configuration Files:
/etc/sudoers.d/plinth [Errno 13] Permission denied: '/etc/sudoers.d/plinth'
-- no debconf information
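An added example, not code from the bug report or from Plinth/FreedomBox: a POSIX shell script that generates a signing key pair, mints a mod_auth_pubtkt-style ticket and verifies it with the openssl CLI (the package plinth depends on above), so the two settings the report names, key generation and signing, can be seen next to a check that rejects forged and expired tickets. The report does not spell out which settings were weak, so only a strong configuration is shown here; the choices (4096-bit RSA, SHA-512 digest via `openssl dgst -sign`, which yields a PKCS#1 v1.5 signature), the names gen_keys, mint_ticket, verify_ticket and WORK, and the ticket field layout (uid, validuntil, tokens, udata, then sig as base64 over everything before ";sig=", after the mod_auth_pubtkt ticket format rather than anything on this page) are this example's assumptions. `openssl dgst -verify` stands in for the Apache module's own check.

```shell
#!/bin/sh
# Added example (not Plinth's code): mod_auth_pubtkt-style ticket minting and
# verification with the openssl CLI. Assumptions, not facts from the report:
# RSA-4096 keys, SHA-512 digest, PKCS#1 v1.5 signature from `openssl dgst -sign`,
# and the field layout uid;validuntil;tokens;udata;sig with the signature taken
# over everything before ";sig=".
set -eu

WORK=${TMPDIR:-/tmp}/pubtkt-example.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Key generation: the private key stays with the ticket issuer (Plinth's role);
# only the public key is handed to Apache for mod_auth_pubtkt to verify against.
gen_keys() {
    openssl genrsa -out "$WORK/privkey.pem" 4096 2>/dev/null
    openssl rsa -in "$WORK/privkey.pem" -pubout -out "$WORK/pubkey.pem" 2>/dev/null
}

# Signing: arguments are uid, validuntil (unix time) and tokens. Prints the
# finished ticket; the base64 signature covers the body up to ";sig=".
mint_ticket() {
    body="uid=$1;validuntil=$2;tokens=$3;udata="
    sig=$(printf '%s' "$body" | openssl dgst -sha512 -sign "$WORK/privkey.pem" | openssl base64 -A)
    printf '%s;sig=%s\n' "$body" "$sig"
}

# Verification: succeeds (exit 0) only if the signature is valid under the
# public key AND validuntil lies in the future. The optional second argument
# overrides "now" so expiry handling can be exercised deterministically.
verify_ticket() {
    ticket=$1
    now=${2:-$(date +%s)}
    body="${ticket%;sig=*}"
    sig="${ticket##*;sig=}"
    [ "$body" != "$ticket" ] || return 1            # no signature field at all
    printf '%s' "$sig" | openssl base64 -d -A > "$WORK/sig.bin" 2>/dev/null || return 1
    printf '%s' "$body" | openssl dgst -sha512 -verify "$WORK/pubkey.pem" \
        -signature "$WORK/sig.bin" >/dev/null 2>&1 || return 1
    validuntil="${body#*;validuntil=}"
    validuntil="${validuntil%%;*}"
    [ "$validuntil" -gt "$now" ] 2>/dev/null       # expired or malformed -> reject
}

# Stand-alone demo: mint a one-hour ticket for "alice" and check it.
gen_keys
ticket=$(mint_ticket alice "$(( $(date +%s) + 3600 ))" admin)
echo "$ticket"
if verify_ticket "$ticket"; then echo "ticket verified"; else echo "ticket rejected"; fi
```

Two points the demo makes that the report only implies: the verifier must bind the signature to every field it trusts (changing uid after signing fails the check), and a valid signature alone is not enough, since a ticket with a past validuntil is still cryptographically sound and must be rejected on the time check. Fields such as cip and graceperiod that mod_auth_pubtkt also understands are left out of this example.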