Message-ID: <20060802203550.GA12252@hswn.dk>
Date: Wed, 2 Aug 2006 22:35:50 +0200
From: henrik@...n.dk (Henrik Stoerner)
To: bugtraq@...urityfocus.com
Cc: hobbit-announce@...n.dk, hobbit@...n.dk
Subject: Hobbit monitor security bugfix release - 4.1.2p2

Version 4.1.2p2 of Hobbit has just been uploaded to SourceForge,
and is available at
http://sourceforge.net/project/showfiles.php?group_id=128058&package_id=140220&release_id=436594

This release fixes a security bug reported by Jason Kruse earlier
today: File access via the Hobbit "config" method failed to
restrict access to the Hobbit configuration directory. It is 
therefore possible for anyone with access to the Hobbit network
daemon on port 1984 to read any file on the Hobbit server which 
is readable by the user running the hobbitd daemon.

This problem affects all versions of Hobbit 4.0 and 4.1. Users are
encouraged to update their Hobbit installation, or to restrict network
access to the Hobbit network daemon (e.g. by implementing firewall
rules restricting access to TCP port 1984).

This version also includes all non-security patches that have been
published since the release of version 4.1.2p1 in November 2005.


Regards,
Henrik Storner
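
The class of check the advisory describes as missing, confining a client-supplied file name to one directory, shown as an added example: this is not Hobbit source code and not the 4.1.2p2 patch, which the message does not include. The names `resolve_in_dir` and `demo_requests`, the temporary directory and `sample.cfg` are assumptions constructed for the illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* realpath(), mkdtemp() */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not Hobbit code): resolve `name` under `basedir` and
 * accept it only if the canonical path is still inside basedir.
 * Returns 0 and fills `out` on success, -1 on any rejection. */
int resolve_in_dir(const char *basedir, const char *name, char *out, size_t outlen)
{
    char base[PATH_MAX], joined[PATH_MAX], real[PATH_MAX];
    size_t blen;
    if (name[0] == '\0' || name[0] == '/') return -1;  /* empty or absolute name */
    if (realpath(basedir, base) == NULL) return -1;
    if ((blen = strlen(base)) < 2) return -1;          /* refuse "/" as the base */
    if (snprintf(joined, sizeof joined, "%s/%s", base, name) >= (int)sizeof joined)
        return -1;
    if (realpath(joined, real) == NULL) return -1;     /* resolves ".." and symlinks */
    /* Need base + '/' + rest; a bare prefix match would accept "<base>-other". */
    if (strncmp(real, base, blen) != 0 || real[blen] != '/') return -1;
    if (strlen(real) >= outlen) return -1;
    strcpy(out, real);
    return 0;
}

/* Constructed fixture: a temporary "config" directory holding one file,
 * queried with three names. Returns a bitmask of the names that were accepted. */
int demo_requests(void)
{
    char dir[] = "/tmp/cfgdemoXXXXXX", path[PATH_MAX], out[PATH_MAX];
    int accepted = 0;
    FILE *f;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/sample.cfg", dir);
    if ((f = fopen(path, "w")) == NULL) { rmdir(dir); return -1; }
    fclose(f);
    if (resolve_in_dir(dir, "sample.cfg", out, sizeof out) == 0) accepted |= 1;
    if (resolve_in_dir(dir, "..", out, sizeof out) == 0) accepted |= 2; /* parent dir */
    if (resolve_in_dir(dir, path, out, sizeof out) == 0) accepted |= 4; /* absolute */
    remove(path); rmdir(dir);
    return accepted;   /* only bit 1 (the in-directory name) should be set */
}

int main(void) { printf("accepted mask: %d\n", demo_requests()); return 0; }
```

The check runs on the canonical path, after `realpath()` has resolved `..` components and symbolic links, so a name that only looks as if it is inside the directory is rejected.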
