Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 371314 (CVE-2011-2190) - <www-servers/cherokee-1.2.99: Multiple vulnerabilities (CVE-2011-{2190,2191})
Summary: <www-servers/cherokee-1.2.99: Multiple vulnerabilities (CVE-2011-{2190,2191})
Status: RESOLVED FIXED
Alias: CVE-2011-2190
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords:
: 386257 (view as bug list)
Depends on:
Blocks:
 
Reported: 2011-06-12 21:14 UTC by Tim Sammut (RETIRED)
Modified: 2011-10-13 13:40 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-06-12 21:14:35 UTC 
Week password generation, CVE-2011-2190:
http://code.google.com/p/cherokee/issues/detail?id=1212

Persistent XSS and CSRF, CVE-2011-2191:
http://www.openwall.com/lists/oss-security/2011/06/03/6
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 13:25:18 UTC 
*** Bug 386257 has been marked as a duplicate of this bug. ***
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 13:25:45 UTC 
CVE-2011-2190 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2190):
  The generate_admin_password function in Cherokee before 1.2.99 uses time and
  PID values for seeding of a random number generator, which makes it easier
  for local users to determine admin passwords via a brute-force attack.
Comment 3 MATSUU Takuto (RETIRED) gentoo-dev 2011-10-13 02:25:52 UTC 
1.2.99 in cvs.
CVE-2011-2191 is also fixed in 1.2.99
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-10-13 13:40:40 UTC 
(In reply to comment #3)
> 1.2.99 in cvs.
> CVE-2011-2191 is also fixed in 1.2.99

Great, thank you. Closing noglsa for ~arch only package.