Executive Summary
| Summary | |
|---|---|
| Title | New trac-git package fixes regression |
| Informations | |||
|---|---|---|---|
| Name | DSA-1990 | First vendor Publication | 2010-02-03 |
| Vendor | Debian | Last vendor Modification | 2010-02-04 |
| Severity (Vendor) | N/A | Revision | 2 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 6.8 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| The trac-git package released in DSA-1990-1 had a wrong dependency that could not be satisfied in Debian stable. This update corrects this problem. For reference, the original advisory text is provided below. Stefan Goebel discovered that the Debian version of trac-git, the Git add-on for the Trac issue tracking system, contains a flaw which enables attackers to execute code on the web server running trac-git by sending crafted HTTP queries. The old stable distribution (etch) does not contain a trac-git package. For the stable distribution (lenny), this problem has been fixed in version 0.0.20080710-3+lenny2. For the unstable distribution (sid) and the testing distribution (squeeze), this problem has been fixed in version 0.0.20090320-1. |
Original Source
| Url : http://www.debian.org/security/2010/dsa-1990 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-20 | Improper Input Validation |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:13335 | |||
| Oval ID: | oval:org.mitre.oval:def:13335 | ||
| Title: | DSA-1990-1 trac-git -- shell command injection | ||
| Description: | Stefan Goebel discovered that the Debian version of trac-git, the Git add-on for the Trac issue tracking system, contains a flaw which enables attackers to execute code on the web server running trac-git by sending crafted HTTP queries. The old stable distribution does not contain a trac-git package. For the stable distribution, this problem has been fixed in version 0.0.20080710-3+lenny1. For the unstable distribution and the testing distribution , this problem has been fixed in version 0.0.20090320-1. We recommend that you upgrade your trac-git package. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1990-1 CVE-2010-0394 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | trac-git |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:13368 | |||
| Oval ID: | oval:org.mitre.oval:def:13368 | ||
| Title: | DSA-1990-2 trac-git -- shell command injection | ||
| Description: | The trac-git package released in DSA-1990-1 had a wrong dependency that could not be satisfied in Debian stable. This update corrects this problem. For reference, the original advisory text is provided below. Stefan Goebel discovered that the Debian version of trac-git, the Git add-on for the Trac issue tracking system, contains a flaw which enables attackers to execute code on the web server running trac-git by sending crafted HTTP queries. The old stable distribution does not contain a trac-git package. For the stable distribution, this problem has been fixed in version 0.0.20080710-3+lenny2. For the unstable distribution and the testing distribution, this problem has been fixed in version 0.0.20090320-1. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1990-2 CVE-2010-0394 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | trac-git |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:7189 | |||
| Oval ID: | oval:org.mitre.oval:def:7189 | ||
| Title: | DSA-1990 trac-git -- shell command injection | ||
| Description: | Stefan Goebel discovered that the Debian version of trac-git, the Git add-on for the Trac issue tracking system, contains a flaw which enables attackers to execute code on the web server running trac-git by sending crafted HTTP queries. The old stable distribution does not contain a trac-git package. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1990 CVE-2010-0394 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | trac-git |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 2 |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 62147 | trac-git PyGIT.py HTTP Request Arbitrary Shell Command Injection |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2010-02-24 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1990.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:29:13 |
|
