Bug#851710: zoneminder: CVE-2016-10140

2017-08-06 Thread Salvatore Bonaccorso
Hi Chris,

On Sun, Aug 06, 2017 at 08:40:09PM -0400, Chris Lamb wrote:
> Version: 1.30.4+dfsg-1
> 
> Hi,
> 
> | Information disclosure and authentication bypass vulnerability exists
> | in the Apache HTTP Server configuration bundled with ZoneMinder
> | v1.30.0, which allows a remote unauthenticated attacker to browse all
> | directories in the web root, e.g., a remote unauthenticated attacker
> | can view all CCTV images on the server.
> 
> Fix included in 1.30.4+dfsg-1 via upstream.

Thanks for the update!

I think I did already update that entry, let me check.

Regards,
Salvatore



Bug#851710: zoneminder: CVE-2016-10140

2017-01-17 Thread Salvatore Bonaccorso
Control: severity -1 grave

On Tue, Jan 17, 2017 at 09:37:46PM +0100, Salvatore Bonaccorso wrote:
> Source: zoneminder
> Version: 1.30.0+dfsg-2
> Severity: important
> Tags: security upstream patch
> 
> Hi,
> 
> the following vulnerability was published for zoneminder.
> 
> CVE-2016-10140[0]:
> | Information disclosure and authentication bypass vulnerability exists
> | in the Apache HTTP Server configuration bundled with ZoneMinder
> | v1.30.0, which allows a remote unauthenticated attacker to browse all
> | directories in the web root, e.g., a remote unauthenticated attacker
> | can view all CCTV images on the server.
> 
> The package then installs respectively
> /etc/apache2/conf-available/zoneminder.conf with the problematic
> settings.

After discussing with Moritz Muehlenhoff (jmm), decided to raise the
severity to RC, and have the conffile fix included in stretch.

Regards,
Salvatore



Bug#851710: zoneminder: CVE-2016-10140

2017-01-17 Thread Salvatore Bonaccorso
Source: zoneminder
Version: 1.30.0+dfsg-2
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for zoneminder.

CVE-2016-10140[0]:
| Information disclosure and authentication bypass vulnerability exists
| in the Apache HTTP Server configuration bundled with ZoneMinder
| v1.30.0, which allows a remote unauthenticated attacker to browse all
| directories in the web root, e.g., a remote unauthenticated attacker
| can view all CCTV images on the server.

The package then installs respectively
/etc/apache2/conf-available/zoneminder.conf with the problematic
settings.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10140
[1] https://github.com/ZoneMinder/ZoneMinder/pull/1697
[2] https://github.com/ZoneMinder/ZoneMinder/commit/6361f143878ce00659f64ce42593951d773e4e63
[3] https://github.com/ZoneMinder/ZoneMinder/commit/aa0a4d1f5ad2c493f2bed175991e92c466ac3dc4

Regards,
Salvatore
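An added config audit, not code from this report or from ZoneMinder: it parses an Apache configuration fragment and flags every Options line that enables directory indexes, the setting that makes a web root browsable in the way the CVE text describes. The fragment and paths below are constructed, and the reading of "problematic settings" as an Indexes option is an assumption not stated in the report.

```python
import re

# Constructed Apache fragment in the style of a conf-available/*.conf snippet (not
# ZoneMinder's real file; paths are placeholders). First block enables listings.
SAMPLE_CONF = """\
Alias /example /var/www/example-cctv
<Directory /var/www/example-cctv>
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
<Directory /var/www/example-cctv/cache>
    Options -Indexes +FollowSymLinks
</Directory>
"""

SECTION_RE = re.compile(r"^\s*<(/?)(Directory|DirectoryMatch|Location|LocationMatch|VirtualHost)\b([^>]*)>", re.I)
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.I)


def enables_indexes(args):
    """True if this Options line turns listings on: a plain list replaces all
    options ('Indexes' or 'All' enable them); in +/- form only '+Indexes' or
    '+All' do, last token wins. Inheritance from outer sections not modelled."""
    enabled = False
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() in ("indexes", "all"):
            enabled = sign != "-"
    return enabled


def find_index_listings(conf_text):
    """(line_no, enclosing section, directive) for each Options line enabling indexes."""
    stack, hits = [], []
    for n, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        m = SECTION_RE.match(line)
        if m:  # track <Section ...> / </Section> nesting
            closing, kind, arg = m.groups()
            if not closing:
                stack.append(f"<{kind} {arg.strip()}>")
            elif stack:
                stack.pop()
            continue
        m = OPTIONS_RE.match(line)
        if m and enables_indexes(m.group(1)):
            hits.append((n, stack[-1] if stack else "(server config)", line.strip()))
    return hits
```

Run it over the shipped conffile (here /etc/apache2/conf-available/zoneminder.conf) to confirm no section still enables indexes after the fix is applied.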