Bug#963161: lynis: CVE-2019-13033
Control: severity -1 minor

Hi Marc,

On Mon, Jun 22, 2020 at 04:33:42PM +0900, Marc Dequènes (duck) wrote:
> Quack,
>
> On 2020-06-20 03:34, Salvatore Bonaccorso wrote:
>
> > CVE-2019-13033[0]:
> > | In CISOfy Lynis 2.x through 2.7.5, the license key can be obtained by
> > | looking at the process list when a data upload is being performed.
> > | This license can be used to upload data to a central Lynis server.
> > | Although no data can be extracted by knowing the license key, it may
> > | be possible to upload the data of additional scans.
>
> It should be possible to enable the license system on the packaged version
> but it makes no sense to do so since you would end up quitting on all the
> extra tests that are not opensourced (only in the enterprise version). The
> central server also is not packaged for this reason. That is to say I
> believe this bug can completely be ignored.

Thanks for this useful comment indeed!

So yes I agree we probably can just ignore the issue, and mark it as
resolved once as well fixed sourcewise with a 3.0.0 or later upload, but
do not need to handle it explicitly otherwise.

I have already marked the CVE now in the security-tracker as unimportant.

Thank you!

Regards,
Salvatore
Bug#963161: lynis: CVE-2019-13033
Quack,

On 2020-06-20 03:34, Salvatore Bonaccorso wrote:

> CVE-2019-13033[0]:
> | In CISOfy Lynis 2.x through 2.7.5, the license key can be obtained by
> | looking at the process list when a data upload is being performed.
> | This license can be used to upload data to a central Lynis server.
> | Although no data can be extracted by knowing the license key, it may
> | be possible to upload the data of additional scans.

It should be possible to enable the license system on the packaged version
but it makes no sense to do so since you would end up quitting on all the
extra tests that are not opensourced (only in the enterprise version). The
central server also is not packaged for this reason. That is to say I
believe this bug can completely be ignored.

Regards.

\_o<
-- 
Marc Dequènes
Bug#963161: lynis: CVE-2019-13033
Source: lynis
Version: 2.7.5-1
Severity: important
Tags: security upstream
Control: found -1 2.6.2-1
Control: found -1 2.4.0-1

Hi,

The following vulnerability was published for lynis.

CVE-2019-13033[0]:
| In CISOfy Lynis 2.x through 2.7.5, the license key can be obtained by
| looking at the process list when a data upload is being performed.
| This license can be used to upload data to a central Lynis server.
| Although no data can be extracted by knowing the license key, it may
| be possible to upload the data of additional scans.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13033
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13033
[1] https://cisofy.com/security/cve/cve-2019-13033/
[2] https://github.com/CISOfy/lynis/commit/3b9eda53cc20e851c4456618f027bc9ea794ad30

Please adjust the affected versions in the BTS as needed. Affected
versions should be from 2.0.0 to 2.7.5.

Regards,
Salvatore
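The mechanism behind the CVE, as an added example that is neither Lynis code nor part of the bug report: a secret handed to the upload tool as a command-line argument is readable by any local user through the process list, whereas the same secret fed over stdin (the way `curl -K -` reads a config file) never appears there. The upload is simulated with `sleep`, the key is a constructed placeholder, and the check reads `/proc/<pid>/cmdline` (falling back to `ps`).

```shell
#!/bin/sh
# Added illustration of the CVE-2019-13033 mechanism; not code from Lynis or
# from the bug report. A secret given as a command-line argument (the way
# `curl -d licensekey=...` would receive it) is readable by any local user
# via the process list, while a secret fed over stdin (as `curl -K -` reads
# a config file) is not. The upload is simulated with `sleep`; no network.

# Print the argument list of process $1 as a single line.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start a simulated upload that receives $2 either in argv ($1 = argv) or on
# stdin ($1 = stdin), then return 0 if the key is visible in its argument list.
key_visible_in_process_list() {
    mode="$1"; key="$2"
    if [ "$mode" = argv ]; then
        # Vulnerable pattern: the key is part of the command line.
        sh -c 'sleep 3' upload "licensekey=$key" &
    else
        # Hardened pattern: the key is read from stdin; argv holds no secret.
        printf 'data = "licensekey=%s"\n' "$key" | sh -c 'read -r cfg; sleep 3' upload &
    fi
    pid=$!
    sleep 1   # give the child time to start before inspecting it
    if cmdline_of "$pid" | grep -q -- "$key"; then found=0; else found=1; fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    return $found
}

# Constructed placeholder value; not a real CISOfy license key.
DEMO_KEY="EXAMPLE-LICENSE-KEY-0000"
if key_visible_in_process_list argv "$DEMO_KEY"; then
    echo "argv:  key exposed in process list"
fi
if key_visible_in_process_list stdin "$DEMO_KEY"; then
    echo "stdin: key exposed in process list"
else
    echo "stdin: key not visible in process list"
fi
```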