Your message dated Sun, 06 Aug 2017 20:40:09 -0400
with message-id <1502066409.4042469.1065047896.1dfcf...@webmail.messagingengine.com>
and subject line Re: zoneminder: CVE-2016-10140
has caused the Debian Bug report #851710,
regarding zoneminder: CVE-2016-10140
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
851710: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851710
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: zoneminder
Version: 1.30.0+dfsg-2
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for zoneminder.

CVE-2016-10140[0]:
| Information disclosure and authentication bypass vulnerability exists
| in the Apache HTTP Server configuration bundled with ZoneMinder
| v1.30.0, which allows a remote unauthenticated attacker to browse all
| directories in the web root, e.g., a remote unauthenticated attacker
| can view all CCTV images on the server.

The package then installs respectively
/etc/apache2/conf-available/zoneminder.conf with the problematic
settings.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10140
[1] https://github.com/ZoneMinder/ZoneMinder/pull/1697
[2] https://github.com/ZoneMinder/ZoneMinder/commit/6361f143878ce00659f64ce42593951d773e4e63
[3] https://github.com/ZoneMinder/ZoneMinder/commit/aa0a4d1f5ad2c493f2bed175991e92c466ac3dc4

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Version: 1.30.4+dfsg-1

Hi,

| Information disclosure and authentication bypass vulnerability exists
| in the Apache HTTP Server configuration bundled with ZoneMinder
| v1.30.0, which allows a remote unauthenticated attacker to browse all
| directories in the web root, e.g., a remote unauthenticated attacker
| can view all CCTV images on the server.

Fix included in 1.30.4+dfsg-1 via upstream.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb, Debian Project Leader
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

--- End Message ---
