From ${URL} :

The following CVE assignment was done via the https://cveform.mitre.org:

Radicale, a simple calendar and addressbook server, before 1.1.2 and 2.x before 2.0.0rc2 is prone to timing oracles and simple brute-force attacks when using the htpasswd authentication method.

References:
https://bugs.debian.org/861514
https://github.com/Kozea/Radicale/commit/059ba8dec1f22ccbeab837e288b3833a099cee2d
https://github.com/Kozea/Radicale/commit/190b1dd795f0c552a4992445a231da760211183b
https://github.com/Kozea/Radicale/blob/1.1.2/NEWS.rst

CVE-2017-8342 was assigned for this issue.

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
CVE-2017-8342 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8342): Radicale before 1.1.2 and 2.x before 2.0.0rc2 is prone to timing oracles and simple brute-force attacks when using the htpasswd authentication method.
@ Maintainer(s): Please bump to >=www-apps/radicale-1.1.2!
There's a pending PR: https://github.com/gentoo/gentoo/pull/5990
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7a16b479386b0087d551eac28b81e2facc97166d

commit 7a16b479386b0087d551eac28b81e2facc97166d
Author: Henning Schild <henning@hennsch.de>
AuthorDate: 2018-02-24 03:16:42 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-02-24 03:21:13 +0000

    www-apps/radicale: Bump to v1.1.6

    Closes: https://github.com/gentoo/gentoo/pull/5990
    Bug: https://bugs.gentoo.org/618176
    Bug: https://bugs.gentoo.org/618724
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/radicale/Manifest | 1 +
 .../radicale/files/radicale-1.1.6-config.patch | 34 ++++++++++
 www-apps/radicale/radicale-1.1.6.ebuild | 75 ++++++++++++++++++++++
 3 files changed, 110 insertions(+)
All done, repository is clean.