Lucene search

DebianDEBIAN:DLA-2178-1:AC753

HistoryApr 17, 2020 - 11:48 p.m.

[SECURITY] [DLA 2178-1] awl security update

2020-04-1723:48:22

lists.debian.org

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.2%

JSON

Package : awl
Version : 0.55-1+deb8u1
CVE ID : CVE-2020-11728 CVE-2020-11729
Debian Bug : 956650

Following CVEs were reported against the awl source package:

CVE-2020-11728

An issue was discovered in DAViCal Andrew&#x27;s Web Libraries (AWL)
through 0.60. Session management does not use a sufficiently
hard-to-guess session key. Anyone who can guess the microsecond
time (and the incrementing session_id) can impersonate a session.

CVE-2020-11729

An issue was discovered in DAViCal Andrew&#x27;s Web Libraries (AWL)
through 0.60. Long-term session cookies, uses to provide
long-term session continuity, are not generated securely, enabling
a brute-force attack that may be successful.

For Debian 8 "Jessie", these problems have been fixed in version
0.55-1+deb8u1.

We recommend that you upgrade your awl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Best,
Utkarsh

OSVersionArchitecturePackageVersionFilename
Debian9allawl-doc< 0.57-1+deb9u1awl-doc_0.57-1+deb9u1_all.deb
Debian8allawl< 0.55-1+deb8u1awl_0.55-1+deb8u1_all.deb
Debian8allawl-doc< 0.55-1+deb8u1awl-doc_0.55-1+deb8u1_all.deb
Debian10allawl< 0.60-1+deb10u1awl_0.60-1+deb10u1_all.deb
Debian10alllibawl-php< 0.60-1+deb10u1libawl-php_0.60-1+deb10u1_all.deb
Debian9allawl< 0.57-1+deb9u1awl_0.57-1+deb9u1_all.deb
Debian9alllibawl-php< 0.57-1+deb9u1libawl-php_0.57-1+deb9u1_all.deb
Debian10allawl-doc< 0.60-1+deb10u1awl-doc_0.60-1+deb10u1_all.deb
Debian8alllibawl-php< 0.55-1+deb8u1libawl-php_0.55-1+deb8u1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	all	awl-doc	< 0.57-1+deb9u1	awl-doc_0.57-1+deb9u1_all.deb
Debian	8	all	awl	< 0.55-1+deb8u1	awl_0.55-1+deb8u1_all.deb
Debian	8	all	awl-doc	< 0.55-1+deb8u1	awl-doc_0.55-1+deb8u1_all.deb
Debian	10	all	awl	< 0.60-1+deb10u1	awl_0.60-1+deb10u1_all.deb
Debian	10	all	libawl-php	< 0.60-1+deb10u1	libawl-php_0.60-1+deb10u1_all.deb
Debian	9	all	awl	< 0.57-1+deb9u1	awl_0.57-1+deb9u1_all.deb
Debian	9	all	libawl-php	< 0.57-1+deb9u1	libawl-php_0.57-1+deb9u1_all.deb
Debian	10	all	awl-doc	< 0.60-1+deb10u1	awl-doc_0.60-1+deb10u1_all.deb
Debian	8	all	libawl-php	< 0.55-1+deb8u1	libawl-php_0.55-1+deb8u1_all.deb