CVE-2017-11567 (https://nvd.nist.gov/vuln/detail/CVE-2017-11567): Cross-site request forgery (CSRF) vulnerability in Mongoose Web Server before 6.9 allows remote attackers to hijack the authentication of users for requests that modify Mongoose.conf via a request to __mg_admin?save. NOTE: this issue can be leveraged to execute arbitrary code remotely. References: http://hyp3rlinx.altervista.org/advisories/MONGOOSE-WEB-SERVER-v6.5-CSRF-COMMAND-EXECUTION.txt http://seclists.org/fulldisclosure/2017/Sep/3 https://www.exploit-db.com/exploits/42614/
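Added triage example, not part of the bug report or of Mongoose: a small Python scanner over combined-format access logs that flags config-save requests to the `__mg_admin?save` endpoint whose Referer is missing or points at a host other than the server itself, the pattern a cross-site forged submission leaves behind. The log lines, the host name `intranet.example:8080` and the assumption that the save request is visible in the access log with its Referer are all constructed for the example.

```python
"""Flag likely CSRF hits against Mongoose's __mg_admin?save endpoint.

A legitimate config save is submitted from the admin page the server itself
serves, so its Referer points at our own host. A save with no Referer or a
Referer from elsewhere is worth a look (a triage indicator, not proof: some
browsers and proxies strip Referer for privacy).
"""
import re
from urllib.parse import urlsplit

# Constructed combined-log-format sample lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Sep/2017:10:01:02 +0000] "GET /__mg_admin HTTP/1.1" 200 812 "http://intranet.example:8080/__mg_admin" "Mozilla/5.0"
10.0.0.5 - - [06/Sep/2017:10:01:40 +0000] "POST /__mg_admin?save HTTP/1.1" 200 12 "http://intranet.example:8080/__mg_admin" "Mozilla/5.0"
10.0.0.5 - - [06/Sep/2017:10:07:13 +0000] "POST /__mg_admin?save HTTP/1.1" 200 12 "http://evil.example/lure.html" "Mozilla/5.0"
10.0.0.5 - - [06/Sep/2017:10:08:00 +0000] "POST /__mg_admin?save HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Sep/2017:10:09:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "http://evil.example/" "curl/7.55"
"""

# ip ident user [timestamp] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
ADMIN_PATH = "/__mg_admin"


def is_admin_save(target):
    """True for the config-writing request: __mg_admin with a 'save' query key."""
    parts = urlsplit(target)
    return parts.path == ADMIN_PATH and "save" in parts.query.split("&")


def referer_is_foreign(referer, own_hosts):
    """Missing ('-') or off-host Referer on a state-changing admin request."""
    if referer in ("", "-"):
        return True
    return urlsplit(referer).netloc.lower() not in own_hosts


def find_csrf_candidates(log_text, own_hosts):
    """Return (timestamp, client, method, target, referer) for suspicious saves."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_admin_save(m["target"]):
            continue
        if referer_is_foreign(m["referer"], own_hosts):
            hits.append((m["ts"], m["ip"], m["method"], m["target"], m["referer"]))
    return hits


if __name__ == "__main__":
    for hit in find_csrf_candidates(SAMPLE_LOG, {"intranet.example:8080"}):
        print("possible forged config save:", hit)
```

Pair this with the fix itself (upgrading past 6.9 or removing the package, as the thread does); the log check only tells you whether someone already tried.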
I don't think that mongoose-5.6 is affected. Can anyone demonstrate the exploit with it?
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b3eb14942b43cd240810401a6208957a0528ca8c

commit b3eb14942b43cd240810401a6208957a0528ca8c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2017-11-13 17:43:38 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2017-11-13 17:50:38 +0000

    package.mask: mask www-servers/mongoose for removal (bug 630976)

    Masked for removal in 30 days. Current versions do not include a
    standalone web server command, and there is an open security issue
    (bug #630976). A fork is available as www-servers/civetweb.

    Bug: https://bugs.gentoo.org/630976

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=348d8d9e4206b730d5da181ed507612015de635e

commit 348d8d9e4206b730d5da181ed507612015de635e
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2017-12-14 19:09:24 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2017-12-14 19:11:02 +0000

    www-servers/mongoose: remove package (bug 630976)

    Bug: https://bugs.gentoo.org/630976

 profiles/package.mask                    |  6 ------
 www-servers/mongoose/Manifest            |  1 -
 www-servers/mongoose/metadata.xml        | 10 ---------
 www-servers/mongoose/mongoose-5.6.ebuild | 35 --------------------------------
 4 files changed, 52 deletions(-)
@security ping, Package no longer in tree. Anything else to be done here?
Closing because it was never stable and is out of tree.