From https://cisofy.com/security/cve/cve-2019-13033/:

"Sander Bos discovered that the data upload routine in Lynis up to version 2.7.5 may leak information, which allows attackers to retrieve the license key by looking at the process listing. When defined, the license key can be leaked during the period that a data upload occurs. A local user could monitor the process list to find the license key. The key is part of the parameters provided to cURL. This happens when the --upload is used to upload data to a central system. The specific call happens in the include/data_upload script. Although the license key alone does not grant access to system information on a central server, it may be used to upload falsified data, waste system resources, or use up all upload credits. Affected versions are 2.0.0 up to 2.7.5."

From https://cisofy.com/security/cve/cve-2020-13882/:

"The symlink detection routine in Lynis before 3.0.0 could be bypassed, which allows local users to manipulate the data in both the log and report. The data manipulation can be used to perform a Denial of Service, retrieve additional system information, or even achieve privilege escalation. To exploit the vulnerability, an attacker needs access to the system, and wait before another non-privileged user runs Lynis. If symlinks are not protected by the kernel (Linux: fs.protected_hardlinks or fs.protected_symlinks), a TOCTTOU race condition might grant access to the log and report file."

Maintainer(s): Please bump.
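The exposure described in the first advisory, as an added example that is not part of the original report and is not Lynis code: a secret passed as a command-line parameter is readable from the process listing, while the same secret sent over stdin is not. The key value and the `uploader` stand-in child are constructed for the demonstration, and the check assumes Linux with /proc mounted.

```shell
#!/bin/sh
# Added example (not Lynis code). Linux only: relies on /proc/<pid>/cmdline.
KEY="constructed-license-key-0000"   # constructed sample value, not a real key

# Succeeds if the argument vector of process $1 contains the string $2.
# This is the same data that `ps` shows to every local user.
argv_contains() {
    tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline" | grep -qF -- "$2"
}

# Give the child time to start, test its argv, then clean it up.
# Returns 0 if the key is exposed, 1 if it is not.
check_child() {
    sleep 1
    if argv_contains "$1" "$KEY"; then rc=0; else rc=1; fi
    kill "$1" 2>/dev/null || true
    wait "$1" 2>/dev/null || true
    return "$rc"
}

# Weak: the key is a command-line parameter, as when it is part of the
# arguments given to cURL. The stand-in child "uploader" only sleeps.
via_argv() {
    sh -c 'sleep 3; :' uploader "licensekey=$KEY" &
    check_child "$!"
}

# Hardened: the key travels over stdin (a here-document creates no argv).
# With curl the equivalent is `--data @-`, which reads the body from stdin.
via_stdin() {
    sh -c 'cat >/dev/null; sleep 3; :' uploader <<EOF &
licensekey=$KEY
EOF
    check_child "$!"
}

via_argv  && echo "argv:  key visible in the process listing"
via_stdin || echo "stdin: key absent from the process listing"
```

The `argv_contains` helper can be reused as a regression check around any wrapper script that handles credentials.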
*** Bug 730754 has been marked as a duplicate of this bug. ***
Hi, I had opened #730754 with a pull request to bump the version of app-forensics/lynis to the latest and a request to be the maintainer, but it was closed as a duplicate of this one, so I guess I will have to post it here: https://github.com/gentoo/gentoo/pull/16591
Tree is clean:

commit a51e4e08b3ed6503b7b9bed9eaa57ad8c07dfb10
Author: Mike Pagano <mpagano@gentoo.org>
Date:   Sat Jul 11 10:55:14 2020 -0400

    app-forensics/lynis: Version bump, remove old

    Package-Manager: Portage-2.3.99, Repoman-2.3.23
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 rename app-forensics/lynis/{lynis-2.7.5.ebuild => lynis-3.0.0.ebuild} (95%)