Bug 576132 (CVE-2015-8368) - net-analyzer/ntopng: Privilege escalation via intercepting password change request
Summary: net-analyzer/ntopng: Privilege escalation via intercepting password change re...
Status: RESOLVED FIXED
Alias: CVE-2015-8368
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-01 17:30 UTC by Agostino Sarubbo
Modified: 2016-11-21 23:11 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2016-03-01 17:30:53 UTC
From ${URL} :

It was found that ntop before 2.2 allows a malicious non-privileged user to escalate his privileges 
to admin via intercepting the password change request and manipulating the user cookie.

Reproducer:

https://www.exploit-db.com/exploits/38836/

Upstream patch:

https://github.com/ntop/ntopng/commit/2e0620be3410f5e22c9aa47e261bc5a12be692c6


@security: please file the request for the GLSA.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 12:43:59 UTC
@maintainer, please bump to >=net-analyzer/ntopng-2.4
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 15:23:14 UTC
@ Maintainer(s): *ping*
Comment 3 Sławek Lis (RETIRED) gentoo-dev 2016-11-19 18:26:25 UTC
Bumped to version 2.4, please take a look at that.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 20:11:23 UTC
Thanks for the bump; however, the ebuild probably isn't working, please see bug 600246.
Comment 5 Sławek Lis (RETIRED) gentoo-dev 2016-11-21 13:17:57 UTC
Should be all right now
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-21 18:06:31 UTC
All depending bugs must be closed before we can continue here (well, cleanup is the last missing step, i.e. you have to remove <net-analyzer/ntopng-2.4 from repository).
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-11-21 23:11:46 UTC
Removing QA bug dependency.  Tree is clean.

@maintainer, please fix the relevant QA issues separately.  Thanks for the bump!