From ${URL} : Stephen Roettger from the Google Security Team reported to us that the shellinabox package allows HTTP fallback, even when configured for HTTPS, via the "/plain" URL. This fallback is quite easy to overlook and it gives the opportunity for DNS rebinding attacks against systems that use the service and have default credentials for a certain time window.

I've opened an issue on what appears to be the only maintained fork of shellinabox at this time: https://github.com/shellinabox/shellinabox/issues/355

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
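The comment above describes two things a deployment needs to get right: the service must not fall back to plaintext HTTP when it is configured for HTTPS, and it must not answer requests whose Host header belongs to an attacker's domain, which is what a DNS rebinding attack relies on. The following is an added example, not code from shellinabox or from the linked fix; it shows a request-admission check with a TLS requirement and a Host-header allowlist (the standard mitigation for DNS rebinding). The hostnames, addresses and request tuples are constructed for the example, and the /plain path is used only because the report names it.

```python
"""Request-admission check against plaintext fallback and DNS rebinding.

Added example; not shellinabox code. Hostnames and requests are constructed.
"""
from dataclasses import dataclass

# Constructed allowlist of names/addresses the service is legitimately reached
# by. A rebinding attack arrives with the attacker's domain in Host, which is
# never in this set.
ALLOWED_HOSTS = frozenset({"shell.example.internal", "192.0.2.10", "::1"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _hostname(host_header: str) -> str:
    """Return the host part of a Host header, dropping an optional :port.

    Handles "name:port", "1.2.3.4:port" and bracketed IPv6 "[::1]:port".
    A bare IPv6 literal with several colons is returned unchanged.
    """
    value = host_header.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        return value[1:end] if end != -1 else value
    if value.count(":") == 1:
        return value.rsplit(":", 1)[0]
    return value


def check_request(scheme: str, path: str, host_header: str,
                  allowed_hosts: frozenset = ALLOWED_HOSTS,
                  require_tls: bool = True) -> Decision:
    """Decide whether a request may reach the terminal backend.

    scheme       -- "http" or "https", i.e. the transport the request used
    path         -- request path (kept for logging; the decision does not
                    special-case any path, so a "/plain"-style side door gets
                    no exemption from the TLS requirement)
    host_header  -- raw Host header value, possibly with a port
    """
    if require_tls and scheme != "https":
        return Decision(False, f"{path}: plaintext transport refused")
    if not host_header or not host_header.strip():
        return Decision(False, f"{path}: missing Host header")
    name = _hostname(host_header)
    if name not in allowed_hosts:
        return Decision(False, f"{path}: Host {host_header!r} not in allowlist")
    return Decision(True, f"{path}: ok")


def evaluate_samples() -> list:
    """Run a few constructed requests through the check and return the results."""
    samples = [
        # legitimate browser session over TLS with the real service name
        ("https", "/", "shell.example.internal:443"),
        # the plaintext side door the report describes, same legitimate Host
        ("http", "/plain", "shell.example.internal"),
        # rebinding-style request: TLS is fine, but Host is a foreign domain
        ("https", "/", "rebind.attacker.example"),
        # IPv6 loopback with a port, which the allowlist permits
        ("https", "/", "[::1]:4200"),
    ]
    return [check_request(*s) for s in samples]


if __name__ == "__main__":
    for decision in evaluate_samples():
        print("ALLOW" if decision.allowed else "DENY ", decision.reason)
```

The check deliberately has no per-path exemption: the report's point is that an HTTPS-only configuration was undermined by one path that still answered over HTTP, so the transport requirement is evaluated before the path is even looked at.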
A patch is out to fix the problem: https://github.com/shellinabox/shellinabox/commit/4aa0eb97e4c90490a9c84a0d8bd57cd22572c37a It seems to be working as the aforementioned issue has been closed. Waiting for the author to create a new release (2.19 most likely) so that I can bump the package on the Gentoo end accordingly.
v2.19 is out! https://github.com/shellinabox/shellinabox/commit/1a8010f2c94a62e7398c4fa130dfe9e099dc55cd

commit 8b0e683 (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Mon Dec 7 11:35:52 2015 +0000

    www-misc/shellinabox: Version bump. Fixes security bug 567316.

    Package-Manager: portage-2.2.20.1
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 create mode 100644 www-misc/shellinabox/shellinabox-2.19.ebuild

Arch teams,

Please stabilise: www-misc/shellinabox-2.19
Target arches: amd64 ppc ppc64 x86

Thank you.
amd64 stable
Stable for PPC64.
Stable for ppc.
x86 stable. Maintainer(s), please clean up. Security, please vote.
GLSA Vote: No Maintainer(s), please drop the vulnerable version(s).
commit c919156 (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Thu Dec 31 17:38:02 2015 +0000

    www-misc/shellinabox: Remove vulnerable version. Fixes security bug 567316.

    Package-Manager: portage-2.2.20.1
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 delete mode 100644 www-misc/shellinabox/shellinabox-2.18.ebuild