From ${URL} : openhpi ships with the /var/lib/openhpi/ directory set world readable and writable. If this directory is used for storing the OPENHPI_UID_MAP or other openhpi data, for example, an attacker would be able to view, modify and delete it. Even without such usage an attacker could use it to fill up the storage hosting the /var/lib/ directory if quotas are not properly set. NOTE: On Gentoo this is only world-readable instead of world-writable. @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
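As an added illustration (not part of this bug report or of the openhpi package), the following POSIX sh snippet audits a state directory for the permission problem described above and applies the usual fix. The only path taken from the report is /var/lib/openhpi; the function names, the classification labels and the 0755 target mode are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the bug thread: audit a directory's "other"
# permission bits for the misconfiguration described in the report
# (world-readable/world-writable /var/lib/openhpi) and apply a fix.

# Print the "other" permission triple of a path, e.g. "rwx" for mode 0777.
other_bits() {
    # ls -ld prints "drwxrwxrwx ..." -> characters 8-10 are the other bits.
    ls -ld "$1" | cut -c8-10
}

# Classify a directory as: missing | world-writable | world-readable | ok
# The label is printed; the exit status is always 0 so the function can be
# used inside larger reports running under "set -e".
classify_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "missing"
        return 0
    fi
    case "$(other_bits "$dir")" in
        ?w?) echo "world-writable" ;;   # o+w: any user can create/delete entries
        r??) echo "world-readable" ;;   # o+r: any user can list the contents
        *)   echo "ok" ;;
    esac
}

# Fix: owner rwx, group/other read+execute only (0755). Returns chmod's
# status, or 2 if the path is not a directory.
harden_dir() {
    [ -d "$1" ] || return 2
    chmod 755 "$1"
}

# Report on one path; defaults to the directory named in the report.
report() {
    dir="${1:-/var/lib/openhpi}"
    echo "$dir: $(classify_dir "$dir")"
}

report "$@"
```

Run it with a path argument to audit any state directory; with none it checks /var/lib/openhpi. The check looks only at the permission bits, so sticky directories such as /tmp are also reported as world-writable, which is intended there and is exactly what a per-package state directory should not be. Whether 0755 or 0700 is right for a given directory depends on whether unprivileged clients need to read it, which the report above leaves open for openhpi.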
This is fixed upstream in >=3.6.0: http://openhpi.org/Changelogs/3.6.0 @maintainer, please bump the package and clean up the vulnerable versions.
@maintainer, ping.
@maintainer, any intention on bumping this?
@treecleaners, maintainer has expressed his intention of dropping the package. Preferably clean the package or assign to maintainer-needed.
dropped
Unstable package dropped.