Executive Summary
Summary | |
---|---|
Title | New wml packages fix denial of service |
Informations | |||
---|---|---|---|
Name | DSA-1492 | First vendor Publication | 2008-02-10 |
Vendor | Debian | Last vendor Modification | 2008-04-27 |
Severity (Vendor) | N/A | Revision | 2 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:N/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 3.6 | Attack Range | Local |
Cvss Impact Score | 4.9 | Attack Complexity | Low |
Cvss Expoit Score | 3.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
The security update DSA 1492-1 fixed the security problem below but introduced a new problem by not removing temporary directories in the ipp backend. This update corrects this. For completeness here is the original advisory text: Frank Lichtenheld and Nico Golde discovered that WML, an off-line HTML generation toolkit, creates insecure temporary files in the eperl and ipp backends and in the wmg.cgi script, which could lead to local denial of service by overwriting files. The old stable distribution (sarge) is not affected. For the stable distribution (etch) this problem has been fixed in version 2.0.11-1etch2. For the unstable distribution (sid) this problem has been fixed in version 2.0.11ds1-0.2. We recommend that you upgrade your wml package. |
Original Source
Url : http://www.debian.org/security/2008/dsa-1492 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:20163 | |||
Oval ID: | oval:org.mitre.oval:def:20163 | ||
Title: | DSA-1492-1 wml | ||
Description: | Frank Lichtenheld and Nico Golde discovered that WML, an off-line HTML generation toolkit, creates insecure temporary files in the eperl and ipp backends and in the wmg.cgi script, which could lead to a local denial of service by overwriting files. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1492-1 CVE-2008-0665 CVE-2008-0666 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | wml |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:7892 | |||
Oval ID: | oval:org.mitre.oval:def:7892 | ||
Title: | DSA-1492 wml -- insecure temporary files | ||
Description: | Frank Lichtenheld and Nico Golde discovered that WML, an off-line HTML generation toolkit, creates insecure temporary files in the eperl and ipp backends and in the wmg.cgi script, which could lead to a local denial of service by overwriting files. The old stable distribution (sarge) is not affected. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1492 CVE-2008-0665 CVE-2008-0666 | Version: | 3 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | wml |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 |
OpenVAS Exploits
Date | Description |
---|---|
2009-04-09 | Name : Mandriva Update for wml MDVSA-2008:076 (wml) File : nvt/gb_mandriva_MDVSA_2008_076.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200803-23 (wml) File : nvt/glsa_200803_23.nasl |
2008-02-15 | Name : Debian Security Advisory DSA 1492-1 (wml) File : nvt/deb_1492_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
42888 | Website META Language (WML) wml_backend/p1_ipp/ipp.src ipp.$$.tmp Symlink Arb... |
42887 | Website META Language (WML) wml_backend/p3_eperl/eperl_sys.c Temp Files Symli... |
42886 | Website META Language (WML) wml_contrib/wmg.cgi /tmp/pe.tmp.$$ Symlink Arbitr... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2009-04-23 | Name : The remote Mandriva Linux host is missing a security update. File : mandriva_MDVSA-2008-076.nasl - Type : ACT_GATHER_INFO |
2008-03-17 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200803-23.nasl - Type : ACT_GATHER_INFO |
2008-02-11 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1492.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:27:20 |
|