[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Fwd: [SECURITY] [DSA 2179-1] dtc security update
- To: Dtcdev <dtcdev@xxxxxxxxxx>, dtcannounce <dtcannounce@xxxxxxxxxx>
- Subject: Fwd: [SECURITY] [DSA 2179-1] dtc security update
- From: Thomas Goirand <thomas@xxxxxxxxxx>
- Date: Thu, 03 Mar 2011 17:25:47 +0800
- Delivered-to: gplhost.sg_dtcannounce@xxxxxxxxxxxxxxxxxxxxxxx
- Dkim-signature: v=1; a=rsa-sha1; c=simple; d=goirand.fr; h=message-id :date:from:mime-version:to:subject:content-type :content-transfer-encoding; s=postfix; bh=C6ldyGNMLiNW+4mDZir32j +hprw=; b=gfN5+OrgoOHAVJ9LUj+WgkoftOo2nM7x3f7PvlFTUSxu3zyy7VRdGn Vkwgu743T1mDP0Qjo9qSxxCTMpFwA70V7yaqYTcanMvHlM0PKqJXd56V9k1D8nW4 6yjfh3M4677vENbduBS6lJ0ClFDtjOiUJk4XvwXBpwIsGBmuJ8res=
- Domainkey-signature: a=rsa-sha1; c=simple; d=goirand.fr; h=message-id :date:from:mime-version:to:subject:content-type :content-transfer-encoding; q=dns; s=postfix; b=upYwwhJITcf6rhcI X6pZSw7zqCtoOLyBf8B4i/ArD1cII5LKzF7uGMlCPF3yYULKBcHyyv9TlHOb5QyZ X/gCNAl5xuMgOMTTF7MHYmWZ64r75WLznc/zLM/bk3aZH7Mao6sJSmoKM/BJhc+g vUWIzEdelqp9RakQlpB1tbobY10=
- Openpgp: id=98EF9A49
- Organization: GPLHost
- Reply-to: dtcdev@xxxxxxxxxx
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:126.96.36.199) Gecko/20101226 Icedove/3.0.11
There's few security issues that have been fixed in DTC, some of them
being quite serious (SQL injection without even needing to be
authenticated). In nearly 10 years of development, this is the first
serious security issue that we have, and it's located in some very old
code. It have been present in DTC for a very long time, so I believe all
versions of DTC are affected.
Below is the corresponding DSA (Debian Security Advisory). We strongly
recommend anyone using DTC to upgrade to the latest version in Lenny,
SID, or on GPLHost repositories.
Note that currently, the bw_per_month.php call from the bandwidth
monitor is broken by the security fix. If you wish, you can apply the
following patch to fix the regression:
Another update of DTC in GPLHost repository will be made to fix the
issue (probably version 0.32.11), but I do not plan to fix the Lenny
version for a so tiny issue (without much consequences) that is easily
fixable by hand.
Note that CentOS and FreeBSD versions haven't been fixed. If you wish to
manually apply fixes, we recommend you to apply the patch sets that you
will find in our Git repository, until the affected versions are
updated. Commits diifs are as follow:
-------- Original Message --------
Subject: [SECURITY] [DSA 2179-1] dtc security update
Resent-Date: Wed, 2 Mar 2011 20:57:35 +0000 (UTC)
Date: Wed, 02 Mar 2011 21:57:25 +0100
From: Florian Weimer <fw@xxxxxxxxxxxxx>
Debian Security Advisory DSA-2179-1 security@xxxxxxxxxx
http://www.debian.org/security/ Florian Weimer
March 02, 2011 http://www.debian.org/security/faq
Package : dtc
Vulnerability : SQL injection
Problem type : remote
CVE ID : CVE-2011-0434 CVE-2011-0435 CVE-2011-0436 CVE-2011-0437
Debian Bug : 614302
Ansgar Burchardt discovered several vulnerabilities in DTC, a web
control panel for admin and accounting hosting services.
The bw_per_moth.php graph contains an SQL injection vulnerability.
Insufficient checks in bw_per_month.php can lead to bandwidth
usage information disclosure.
After a registration, passwords are sent in cleartext
Authenticated users could delete accounts using an obsolete
interface which was incorrectly included in the package.
This update introduces a new configuration option which controls the
presence of cleartext passwords in email messages. The default is not
to include cleartext passwords
For the oldstable distribution (lenny), this problem has been fixed in
The stable distribution (squeeze) and the the testing distribution
(wheezy) do not contain any dtc packages.
For the unstable distribution (sid), this problem has been fixed in
We recommend that you upgrade your dtc packages.
Do not reply to this mail, subscribe to dtcdev@xxxxxxxxxx instead
To unsubscribe send a mail to dtcannounce-unsubscribe@xxxxxxxxxx