Message-ID: <20060802203550.GA12252@hswn.dk>
Date: Wed, 2 Aug 2006 22:35:50 +0200
From: henrik@...n.dk (Henrik Stoerner)
To: bugtraq@...urityfocus.com
Cc: hobbit-announce@...n.dk, hobbit@...n.dk
Subject: Hobbit monitor security bugfix release - 4.1.2p2

Version 4.1.2p2 of Hobbit has just been uploaded to SourceForge,
and is available at
http://sourceforge.net/project/showfiles.php?group_id=128058&package_id=140220&release_id=436594

This release fixes a security bug reported by Jason Kruse earlier
today: File access via the Hobbit "config" method failed to
restrict access to the Hobbit configuration directory. It is
therefore possible for anyone with access to the Hobbit network
daemon on port 1984 to read any file on the Hobbit server which
is readable by the user running the hobbitd daemon.

This problem affects all versions of Hobbit 4.0 and 4.1. Users are
encouraged to update their Hobbit installation, or restrict network
access to the Hobbit network daemon (e.g. by implementing firewall
rules restricting access to TCP port 1984).

This version also includes all non-security patches that have been
published since the release of version 4.1.2p1 in November 2005.

Regards,
Henrik Storner
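
The flaw described in the message above is a missing directory-confinement check on a client-supplied file name. The following is an added example, not Hobbit source code and not the patch shipped in 4.1.2p2: one way to write such a check in C, where `config_path_allowed`, `touch`, `demo` and the directory and file names are hypothetical and the test tree is constructed.

```c
/* Added example, not Hobbit source: all names here are hypothetical. */
#define _XOPEN_SOURCE 700          /* realpath(), mkdtemp(), symlink() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 (and the canonical path in resolved[PATH_MAX]) only when `name`
   resolves to an existing path strictly inside base_dir once "..", "." and
   symlinks have been collapsed by realpath(). */
int config_path_allowed(const char *base_dir, const char *name, char *resolved)
{
    char base[PATH_MAX], joined[PATH_MAX];
    size_t blen;

    if (name == NULL || name[0] == '\0' || name[0] == '/') return 0;
    if (realpath(base_dir, base) == NULL) return 0;
    if (snprintf(joined, sizeof joined, "%s/%s", base, name) >= (int)sizeof joined)
        return 0;                                  /* truncated: refuse */
    if (realpath(joined, resolved) == NULL) return 0;
    blen = strlen(base);
    /* The match must end on '/', so <root>/etc-old is not "inside" <root>/etc. */
    return strncmp(resolved, base, blen) == 0 && resolved[blen] == '/';
}

static int touch(const char *p) { FILE *f = fopen(p, "w"); return f ? fclose(f) : -1; }

/* Constructed test tree under /tmp. Returns a bitmask of what was allowed:
   1 = etc/hosts.cfg, 2 = "../etc-old/secret", 4 = symlink leading out of etc,
   8 = absolute name; -1 if the tree could not be built. */
int demo(void)
{
    char root[] = "/tmp/cfgdemoXXXXXX", etc[64], old[64], a[128], b[128], out[PATH_MAX];

    if (mkdtemp(root) == NULL) return -1;
    snprintf(etc, sizeof etc, "%s/etc", root);
    snprintf(old, sizeof old, "%s/etc-old", root);
    snprintf(a, sizeof a, "%s/hosts.cfg", etc);
    snprintf(b, sizeof b, "%s/secret", old);
    if (mkdir(etc, 0700) || mkdir(old, 0700) || touch(a) || touch(b)) return -1;
    snprintf(b, sizeof b, "%s/link", etc);
    if (symlink(old, b) != 0) return -1;
    return config_path_allowed(etc, "hosts.cfg", out)
         | config_path_allowed(etc, "../etc-old/secret", out) << 1
         | config_path_allowed(etc, "link/secret", out) << 2
         | config_path_allowed(etc, b, out) << 3;
}
```

Only the file inside the constructed configuration directory is accepted; the parent-directory, symlink and absolute-name requests are all refused.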