Weak password generation, CVE-2011-2190: http://code.google.com/p/cherokee/issues/detail?id=1212
Persistent XSS and CSRF, CVE-2011-2191: http://www.openwall.com/lists/oss-security/2011/06/03/6
*** Bug 386257 has been marked as a duplicate of this bug. ***
CVE-2011-2190 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2190): The generate_admin_password function in Cherokee before 1.2.99 uses time and PID values for seeding of a random number generator, which makes it easier for local users to determine admin passwords via a brute-force attack.
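The weakness in the CVE text above (a PRNG seeded only from the clock and the process id) is illustrated by the following added example. It is not Cherokee's code and not part of this bug report: `weak_generate_admin_password`, its seed mixing, the 12-character alphanumeric format and the 32768 default PID range are all assumptions chosen for the demonstration. The point it makes is that such a generator is fully determined by two small numbers, so its effective key space is bounded by the time window times the PID range rather than by the password length, whereas a generator drawing from the OS CSPRNG (`secrets`) is not reproducible at all.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # assumed password alphabet
PASSWORD_LEN = 12                                 # assumed password length


def weak_generate_admin_password(seed_time: int, pid: int, length: int = PASSWORD_LEN) -> str:
    """Hypothetical reconstruction of the CVE-2011-2190 pattern (NOT Cherokee's code):
    the only entropy entering the PRNG is a wall-clock timestamp and a PID.
    The seed mixing below is a constructed example."""
    rng = random.Random(seed_time * 65536 + pid)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate_admin_password(length: int = PASSWORD_LEN) -> str:
    """Fixed form: every character comes from the OS CSPRNG via the secrets module,
    so no observable system state lets anyone regenerate the password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def weak_seed_space(time_window_seconds: int, pid_max: int = 32768) -> int:
    """Upper bound on distinct passwords the weak generator can emit when the
    install time is known to within time_window_seconds and PIDs fit in pid_max.
    This is the number a defender compares against the nominal password space."""
    return time_window_seconds * pid_max


def nominal_password_space(length: int = PASSWORD_LEN, alphabet: str = ALPHABET) -> int:
    """What the password length and alphabet would promise if the generator were sound."""
    return len(alphabet) ** length


def entropy_bits(space: int) -> float:
    return math.log2(space)


def is_reproducible(seed_time: int, pid: int) -> bool:
    """True if two runs with the same (time, pid) yield the same password:
    the property that makes the weak generator auditable as a defect."""
    return weak_generate_admin_password(seed_time, pid) == weak_generate_admin_password(seed_time, pid)


if __name__ == "__main__":
    # Constructed sample inputs: a timestamp from mid-2011 and a small PID.
    print("weak  :", weak_generate_admin_password(1307000000, 1234))
    print("strong:", strong_generate_admin_password())
    print("weak space (1h window): %.1f bits" % entropy_bits(weak_seed_space(3600)))
    print("nominal space          : %.1f bits" % entropy_bits(nominal_password_space()))
```

The two entropy figures are the practical summary: a one-hour uncertainty about install time combined with a 15-bit PID range gives under 27 bits of effective entropy, while a 12-character alphanumeric password nominally carries about 71 bits. Any admin-password generator should therefore be reviewed for where its seed actually comes from, not for how long the output looks.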
1.2.99 in cvs. CVE-2011-2191 is also fixed in 1.2.99
(In reply to comment #3)
> 1.2.99 in cvs.
> CVE-2011-2191 is also fixed in 1.2.99

Great, thank you. Closing noglsa for ~arch only package.