Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 636040 (CVE-2017-7458, CVE-2017-7459) - <net-analyzer/ntopng-3.0: Multiple vulnerabilities (CVE-{7458,7459})
Summary: <net-analyzer/ntopng-3.0: Multiple vulnerabilities (CVE-{7458,7459})
Status: RESOLVED FIXED
Alias: CVE-2017-7458, CVE-2017-7459
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-31 14:22 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-16 22:50 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-31 14:22:38 UTC
CVE-2017-7459 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7459):
  ntopng before 3.0 allows HTTP Response Splitting.

CVE-2017-7458 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7458):
  The NetworkInterface::getHost function in NetworkInterface.cpp in ntopng
  before 3.0 allows remote attackers to cause a denial of service (NULL
  pointer dereference and application crash) via an empty field that should
  have contained a hostname or IP address.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-31 14:23:31 UTC
@Maintainer please let us know when tree is clean.

Thank you
Comment 2 D'juan McDonald (domhnall) 2019-07-17 03:19:04 UTC
Tree still contains version before 3.0

Keywords for net-analyzer/ntopng:
       |                               a   |       |  
       |                               m   |       |  
       |                               d x |       |  
       |                               6 8 |       |  
       |                               4 6 |   u   |  
       | a a   a     p r           s   | | |   n   |  
       | l m   r i   p i   h m s   p m f f | e u s | r
       | p d a m a p c s x p 6 3   a i b b | a s l | e
       | h 6 r 6 6 p 6 c 8 p 8 9 s r p s s | p e o | p
       | a 4 m 4 4 c 4 v 6 a k 0 h c s d d | i d t | o
-------+-----------------------------------+-------+-------
2.4    | o ~ o o o o o o ~ o o o o o o o o | 5 # 0 | gentoo
3.0-r3 | o ~ o o o o o o ~ o o o o o o o o | 6 o   | gentoo


Any update on reassignment of packages or cleanup?
Comment 3 Larry the Git Cow gentoo-dev 2019-12-28 12:08:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=befab011ab1f38e37a7b93238e9d0c7071ba725a

commit befab011ab1f38e37a7b93238e9d0c7071ba725a
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2019-12-28 12:07:57 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2019-12-28 12:08:29 +0000

    net-analyzer/ntopng: Old
    
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Bug: https://bugs.gentoo.org/636040
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/ntopng/Manifest                       |  2 -
 net-analyzer/ntopng/files/ntopng-2.4-cxx.patch     | 42 -----------
 .../ntopng/files/ntopng-2.4-dont-build-ndpi.patch  | 16 ----
 .../ntopng/files/ntopng-2.4-mysqltool.patch        | 17 -----
 net-analyzer/ntopng/files/ntopng-3.0-gentoo.patch  | 60 ---------------
 .../ntopng/files/ntopng-3.0-mysqltool.patch        | 17 -----
 .../ntopng/files/ntopng-3.0-pointer-cmp.patch      | 11 ---
 net-analyzer/ntopng/ntopng-2.4-r1.ebuild           | 86 ----------------------
 net-analyzer/ntopng/ntopng-3.0-r4.ebuild           | 75 -------------------
 9 files changed, 326 deletions(-)
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-16 22:50:54 UTC
No ebuild was stable.

Repository is clean, all done!