Source: web2py
Version: 2.12.3-1
Severity: important
Tags: patch security upstream

Hi,

the following vulnerability was published for web2py.

CVE-2016-10321[0]:
| web2py before 2.14.6 does not properly check if a host is denied before
| verifying passwords, allowing a remote attacker to perform brute-force
| attacks.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10321
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10321
[1] https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
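
Added example, not part of the original report and not web2py's own code: a generic per-host login throttle that puts the ordering problem named in the CVE text (password compared before the deny check) beside the corrected order. The class, thresholds, salt and return strings are assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_FAILURES = 3    # assumed threshold, not web2py's value
DENY_SECONDS = 300  # assumed deny window, not web2py's value

class LoginGuard:  # generic sketch of a per-host throttle, not web2py's code
    def __init__(self, password, clock=time.monotonic):
        self._hash = self._derive(password)
        self._clock = clock
        self._failures = {}     # host -> (failure count, time of last failure)
        self.verifications = 0  # number of real password comparisons made

    @staticmethod
    def _derive(password):  # salt is a constructed sample value
        return hashlib.pbkdf2_hmac("sha256", password.encode(), b"sample-salt", 1000)

    def _verify(self, host, password):
        self.verifications += 1
        ok = hmac.compare_digest(self._derive(password), self._hash)
        if ok:
            self._failures.pop(host, None)  # success clears the host's record
        return ok

    def is_denied(self, host):
        count, last = self._failures.get(host, (0, 0.0))
        if count >= MAX_FAILURES and self._clock() - last >= DENY_SECONDS:
            del self._failures[host]  # deny window expired, start over
            return False
        return count >= MAX_FAILURES

    def _fail(self, host):
        count = self._failures.get(host, (0, 0.0))[0]
        self._failures[host] = (count + 1, self._clock())
        return "bad password"

    def login_flawed(self, host, password):
        # Flawed order: the comparison runs first, so denial never stops a guess.
        if self._verify(host, password):
            return "ok"
        return "denied" if self.is_denied(host) else self._fail(host)

    def login_fixed(self, host, password):
        # Fixed order: a denied host is rejected before any comparison happens.
        if self.is_denied(host):
            return "denied"
        return "ok" if self._verify(host, password) else self._fail(host)
```

The `verifications` counter is the thing to watch in a regression test: under the fixed order it must stop increasing for a host once that host is denied.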