Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 576132 (CVE-2015-8368) - net-analyzer/ntopng: Privilege escalation via intercepting password change request
Summary: net-analyzer/ntopng: Privilege escalation via intercepting password change re...
Status: RESOLVED FIXED
Alias: CVE-2015-8368
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-01 17:30 UTC by Agostino Sarubbo
Modified: 2016-11-21 23:11 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-03-01 17:30:53 UTC 
From ${URL} :

It was found that ntop before 2.2 allows malicious non-privileged user to escalate his privileges 
to admim via intercepting password change request and manipulating with user cookie.

Reproducer:

https://www.exploit-db.com/exploits/38836/

Upstream patch:

https://github.com/ntop/ntopng/commit/2e0620be3410f5e22c9aa47e261bc5a12be692c6


@security: please file the request for the GLSA.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 12:43:59 UTC 
@maintainer, please bump to >=net-analyzer/ntopng-2.4
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 15:23:14 UTC 
@ Maintainer(s): *ping*
Comment 3 Sławek Lis (RETIRED) gentoo-dev 2016-11-19 18:26:25 UTC 
Bumped to version 2.4, please take a look on that.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-19 20:11:23 UTC 
Thanks for the bump however the ebuild isn't probably working, please see bug 600246.
Comment 5 Sławek Lis (RETIRED) gentoo-dev 2016-11-21 13:17:57 UTC 
Should be all right now
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-21 18:06:31 UTC 
All depending bugs must be closed before we can continue here (well, cleanup is the last missing step, i.e. you have to remove <net-analyzer/ntopng-2.4 from repository).
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-11-21 23:11:46 UTC 
Removing QA bug dependency.  Tree is clean.

@maintainer, please fix the relevant QA issues separately.  Thanks for the bump!