Debian Bug report logs - #956650
awl: CVE-2020-11728 CVE-2020-11729


Package: src:awl; Maintainer for src:awl is Davical Development Team <davical-devel@lists.sourceforge.net>;

Reported by: Florian Schlichting <fsfs@debian.org>

Date: Mon, 13 Apr 2020 21:51:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions awl/0.60-1, awl/0.57-1

Fixed in versions awl/0.61-1, awl/0.60-1+deb10u1, awl/0.57-1+deb9u1

Done: Florian Schlichting <fsfs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Davical Development Team <davical-devel@lists.sourceforge.net>:
Bug#956650; Package src:awl. (Mon, 13 Apr 2020 21:51:04 GMT)


Acknowledgement sent to Florian Schlichting <fsfs@debian.org>:
New Bug report received and forwarded. Copy sent to Davical Development Team <davical-devel@lists.sourceforge.net>. (Mon, 13 Apr 2020 21:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Florian Schlichting <fsfs@debian.org>
To: submit@bugs.debian.org
Subject: awl: CVE-2020-11728 CVE-2020-11729
Date: Mon, 13 Apr 2020 23:47:50 +0200
Source: awl
Version: 0.60-1
Severity: important
Tags: security upstream

Two security vulnerabilities were found in the awl package:

CVE-2020-11728
Session::__construct() allows use of the current time as a session key
https://gitlab.com/davical-project/awl/-/issues/19

CVE-2020-11729
LSIDLogin() is insecure and can allow user impersonation
https://gitlab.com/davical-project/awl/-/issues/18

All supported Debian releases are affected.



Reply sent to Florian Schlichting <fsfs@debian.org>:
You have taken responsibility. (Mon, 13 Apr 2020 22:21:18 GMT)


Notification sent to Florian Schlichting <fsfs@debian.org>:
Bug acknowledged by developer. (Mon, 13 Apr 2020 22:21:18 GMT)


Message #10 received at 956650-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 956650-close@bugs.debian.org
Subject: Bug#956650: fixed in awl 0.61-1
Date: Mon, 13 Apr 2020 22:18:47 +0000
Source: awl
Source-Version: 0.61-1
Done: Florian Schlichting <fsfs@debian.org>

We believe that the bug you reported is fixed in the latest version of
awl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 956650@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Schlichting <fsfs@debian.org> (supplier of updated awl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 13 Apr 2020 21:37:06 +0200
Source: awl
Architecture: source
Version: 0.61-1
Distribution: unstable
Urgency: medium
Maintainer: Davical Development Team <davical-devel@lists.sourceforge.net>
Changed-By: Florian Schlichting <fsfs@debian.org>
Closes: 952182 956650
Changes:
 awl (0.61-1) unstable; urgency=medium
 .
   * New upstream release (closes: #952182, #956650)
     + fix CVE-2020-11728 "Session::__construct() allows use of the current
       time as a session key"
     + fix CVE-2020-11729 "LSIDLogin() is insecure and can allow user
       impersonation"
   * Bump debhelper compat to level 12
   * Update copyright years
   * Add upstream metadata
   * Declare compliance with Debian Policy 4.5.0
Checksums-Sha1:
 cbe2fa1f7a7b314ffe687ec032dfb5cc0d8b3a3e 1949 awl_0.61-1.dsc
 86d525284036c02a5c29b108dcd7108b2adeb908 124340 awl_0.61.orig.tar.xz
 9d6412f0ca6796b0814d6df84d14ddde808f4f03 7020 awl_0.61-1.debian.tar.xz
 a0c41fc17a7a2c42a898b9ecb9078dfbec000697 7740 awl_0.61-1_amd64.buildinfo
Checksums-Sha256:
 37f1836a666d7c8858f893037d2e5201c4e034e06a3b592a45788b2ea0b00bb3 1949 awl_0.61-1.dsc
 fc8b8bea609483feba7ac985b074c5341633d2b9a756ee894737ae5aec00dee3 124340 awl_0.61.orig.tar.xz
 fbb635f6954dec3644fbfe0efecd20dae67b6769b554792b24b699fc9953765c 7020 awl_0.61-1.debian.tar.xz
 334a8f542b450b3c5629e6d0b1fad786de298ac46c54886adf936cc9e459f9fb 7740 awl_0.61-1_amd64.buildinfo
Files:
 9c7da0380668aaa8d5a56c6e4007c980 1949 php optional awl_0.61-1.dsc
 b22ee3e4a09f4b68ab1ec714319b9e41 124340 php optional awl_0.61.orig.tar.xz
 77e1ebdeffd94d82cc38913b0a7a4a05 7020 php optional awl_0.61-1.debian.tar.xz
 6e5d7d2b0fff5e3977acf01ae77cc31f 7740 php optional awl_0.61-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
=7ku8
-----END PGP SIGNATURE-----




Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 14 Apr 2020 03:30:03 GMT)


Marked as found in versions awl/0.57-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 15 Apr 2020 20:03:11 GMT)


Reply sent to Florian Schlichting <fsfs@debian.org>:
You have taken responsibility. (Sat, 25 Apr 2020 10:51:02 GMT)


Notification sent to Florian Schlichting <fsfs@debian.org>:
Bug acknowledged by developer. (Sat, 25 Apr 2020 10:51:02 GMT)


Message #19 received at 956650-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 956650-close@bugs.debian.org
Subject: Bug#956650: fixed in awl 0.60-1+deb10u1
Date: Sat, 25 Apr 2020 10:47:08 +0000
Source: awl
Source-Version: 0.60-1+deb10u1
Done: Florian Schlichting <fsfs@debian.org>

We believe that the bug you reported is fixed in the latest version of
awl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 956650@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Schlichting <fsfs@debian.org> (supplier of updated awl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 14 Apr 2020 12:26:29 +0200
Source: awl
Binary: awl-doc libawl-php
Architecture: source all
Version: 0.60-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Davical Development Team <davical-devel@lists.sourceforge.net>
Changed-By: Florian Schlichting <fsfs@debian.org>
Description:
 awl-doc    - Andrew's Web Libraries - API documentation
 libawl-php - Andrew's Web Libraries - PHP Utility Libraries
Closes: 956650
Changes:
 awl (0.60-1+deb10u1) buster-security; urgency=high
 .
   * Fix two security vulnerabilities (closes: #956650)
     + CVE-2020-11728 "Session::__construct() allows use of the current time as
       a session key"
     + CVE-2020-11729 "LSIDLogin() is insecure and can allow user
       impersonation"
Checksums-Sha1:
 8ba00df6284e3c50874d5cfd35c7bc84bdffb2e4 1974 awl_0.60-1+deb10u1.dsc
 8f44f07b26608abeaaf1f299665d1b0343bf1927 124772 awl_0.60.orig.tar.xz
 6ff9ea57f7b0a6bbdc6218a49e093d7fbfaf7e19 9688 awl_0.60-1+deb10u1.debian.tar.xz
 f1fbc3237d55a0e5d0030fdc51d650cffba0b1b6 311696 awl-doc_0.60-1+deb10u1_all.deb
 6e3bc7977fffc904152a7289bc70f7ae3d477b78 7522 awl_0.60-1+deb10u1_amd64.buildinfo
 b10fb1312bb328098afb6b8378f181588097aa8f 97892 libawl-php_0.60-1+deb10u1_all.deb
Checksums-Sha256:
 cda3e6e95bd70b60dfca805da54f22a9f53b1617eec876c33d3eb227fa1ceb32 1974 awl_0.60-1+deb10u1.dsc
 18fd4c47d45422ae8f4b84d194a28fb70fa1d4b0c9fc59dc800cf60130a745e3 124772 awl_0.60.orig.tar.xz
 aae77bdc712ce20decf97a96f863c5c51e1cbd660d7a7cb4b17b01e46047b719 9688 awl_0.60-1+deb10u1.debian.tar.xz
 18b415eaee0969b2364660c5c3c0f902b6091f938012541941c8136244cdbb2a 311696 awl-doc_0.60-1+deb10u1_all.deb
 50f480907d1907fd29e3b441d22cd730ef578d3c1ba51a28d1473b52aec66abf 7522 awl_0.60-1+deb10u1_amd64.buildinfo
 e37979d4a74833507fa8d26fc68a316a099f05e06724ce07ae47ab38e4690c33 97892 libawl-php_0.60-1+deb10u1_all.deb
Files:
 0dfe355ec642f50ada054e30e0b625e4 1974 php optional awl_0.60-1+deb10u1.dsc
 4fd2eaf25a7570f167f8f4eb970b496d 124772 php optional awl_0.60.orig.tar.xz
 19f247eaeb55d4ec310cd1956ef25e3b 9688 php optional awl_0.60-1+deb10u1.debian.tar.xz
 32a343f97295004719d810a4b62eccb7 311696 doc optional awl-doc_0.60-1+deb10u1_all.deb
 6e463a5cb53ff00f2d8e5836d4319ce3 7522 php optional awl_0.60-1+deb10u1_amd64.buildinfo
 e1568fa25ea11c030b7f8e803a9b46ab 97892 php optional libawl-php_0.60-1+deb10u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEMLI8i05qOwnqprZSEpc7bnLcB7UFAl6dQJ8ACgkQEpc7bnLc
B7UwZg//QD0nIslnlMFwez8Jp1cECr2X471eNiLzic3KvQVK+AF2OQi2xvbnP8xW
/c/7nml6AostcSWf72bREhiHISBF2BiruciYbk5J3HQ8CKNfPHfl+Dn/r+XoD2Ic
XkxgSyg/TLvJU7tSJf8uJUGwO/ZVEvQs8N5RByoZl1Mkjm5N7NVvpe7KBQHfQfsM
ZXh9f+V/K/kckgyiWSHzHP0gALuz0EYFxVuL0Aea3aHSgtFORV/6scVD1/5hbwQK
qE+F18R6Yk8h1SkND4AjwLJNmy+0VWtLtek/dj1hof1P8Zn7fTkXXQ0oCktn9rxK
E7560BDIfII/algU2pldA9uhMnI0S58iLYOxyjnaahR6Og7qeM4oHEWoEUgd7YBZ
vk+wCYbbftY4C8NWPMS0WGoQ7dQbcvAnZrI01ruWoQdL1D6UQbUejfgGzwZWJ8xd
lRYapHmMs/US6TwsVX0T2E6u7CX8fk4vRc/1uONKu+7zCiAZ48NzvtJlfkDL1fDF
BrYo4tVRGQ/PMT9QUJAqpaSKo5rI1/cn8kVFydiPyuksBR485N273uAzgsd4I1Pq
KnEhjxAMicrjqJtheVfudqCbeSZia3PabKFkuO10JZsxmr2modv0StLpnoEi5quQ
RgR2fWprOWblR0sx4M9MctR4us1d/pROaCSonL1FvMcUaLcxkxs=
=vbPI
-----END PGP SIGNATURE-----




Reply sent to Florian Schlichting <fsfs@debian.org>:
You have taken responsibility. (Sat, 25 Apr 2020 10:51:04 GMT)


Notification sent to Florian Schlichting <fsfs@debian.org>:
Bug acknowledged by developer. (Sat, 25 Apr 2020 10:51:04 GMT)


Message #24 received at 956650-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 956650-close@bugs.debian.org
Subject: Bug#956650: fixed in awl 0.57-1+deb9u1
Date: Sat, 25 Apr 2020 10:47:43 +0000
Source: awl
Source-Version: 0.57-1+deb9u1
Done: Florian Schlichting <fsfs@debian.org>

We believe that the bug you reported is fixed in the latest version of
awl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 956650@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Schlichting <fsfs@debian.org> (supplier of updated awl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 14 Apr 2020 12:26:29 +0200
Source: awl
Binary: libawl-php awl-doc
Architecture: source all
Version: 0.57-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Davical Development Team <davical-devel@lists.sourceforge.net>
Changed-By: Florian Schlichting <fsfs@debian.org>
Description:
 awl-doc    - Andrew's Web Libraries - API documentation
 libawl-php - Andrew's Web Libraries - PHP Utility Libraries
Closes: 956650
Changes:
 awl (0.57-1+deb9u1) stretch-security; urgency=high
 .
   * Fix two security vulnerabilities (closes: #956650)
     + CVE-2020-11728 "Session::__construct() allows use of the current time as
       a session key"
     + CVE-2020-11729 "LSIDLogin() is insecure and can allow user
       impersonation"
Checksums-Sha1:
 66a6c7e2aa7c3269e160237ff25557b18a64eb76 1967 awl_0.57-1+deb9u1.dsc
 da26f4933a4e734a153a5e789c0bb69d6ad6a986 101236 awl_0.57.orig.tar.xz
 22469fe2ecb96089e032df9f1af07860c9c2b991 9508 awl_0.57-1+deb9u1.debian.tar.xz
 7e520434ed7757e42cafcb9e7e26a5b82a9ccfa3 252686 awl-doc_0.57-1+deb9u1_all.deb
 34f6d816bd786a5b2f81ae03ee3f14f9f9b8131c 8083 awl_0.57-1+deb9u1_amd64.buildinfo
 5bde4787e0176b600fb9436ef736bc77908196f4 97468 libawl-php_0.57-1+deb9u1_all.deb
Checksums-Sha256:
 61852a8e4799fd827e1a35ca83072c2f14cb7362d2ebcb72ce14762b943ae310 1967 awl_0.57-1+deb9u1.dsc
 af9400a5c792eae170f4f14214f065482e2c3817833825cbd48e5a19f86daafc 101236 awl_0.57.orig.tar.xz
 16038a4b49a5950b60e1a4d57b801cc5928b353bc98314074c78182b79b89dce 9508 awl_0.57-1+deb9u1.debian.tar.xz
 a5f712d9d3f236e3e1dfebce63c66dedb12375b06eee480438268dba9c802130 252686 awl-doc_0.57-1+deb9u1_all.deb
 6458599c20d0208f09605e1fd4560d46511b2ff258364532fcb3b076750c23a0 8083 awl_0.57-1+deb9u1_amd64.buildinfo
 ca4f77a1098c52bfdfa4ff00692d83b99bb5d30641fe509479316383c28941bf 97468 libawl-php_0.57-1+deb9u1_all.deb
Files:
 87b684fe5041a73b2de7b3c088d4a9ba 1967 php extra awl_0.57-1+deb9u1.dsc
 7d0a403288d04aac487a643da18b4914 101236 php extra awl_0.57.orig.tar.xz
 595f3f6eb97dc82bbf9c26aa5edb8a25 9508 php extra awl_0.57-1+deb9u1.debian.tar.xz
 65729754d2230f81ff8915dbe0b19d58 252686 doc extra awl-doc_0.57-1+deb9u1_all.deb
 b208f6facfb75af719c2a9e7ebbd9b7b 8083 php extra awl_0.57-1+deb9u1_amd64.buildinfo
 82c70eb8cd84a5194f20118f9010a17e 97468 php extra libawl-php_0.57-1+deb9u1_all.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEMLI8i05qOwnqprZSEpc7bnLcB7UFAl6dQVUACgkQEpc7bnLc
B7VtVg//aA2NWsepZctOk9rATERaxyffGhRdZjDBZDp1D9Ono4ztpbr+Wri/fVET
TWjkD1r8vJgCXhYGfyn1nPzlUoPpefQlufFrvmb8CNGs5zAH9Qcy8cr2MEuiQYe2
K4stS3BmtkRkSdEASappaw7NgyljUDb+GUf3m2x7+LOxHrd8dPEgOqcdBq/3Z92M
yyTw59EeEtnDYyfbrvUpWMGxBYV64v0aiOYvll3NRS/L2OkKLdyBWr38/piL7l9b
Im2Z0zJAQhhejg0sHshjLaCUBXrcUYCnOMCKmKOsUKgbEPgy8/F7HphsdeohPIsZ
PN9gvo4x7CL1HuuwMA6iMMBCbdVBu/uCX6Wz0SzY2qyi4INZzDhmHZSSI+wjrcqA
EpCCVg/W4ljQqQX52z+Nls/X1QRcPMGFoSDTd29ilArI3V+yB/o5tbYN8xM0O7M6
sIqZAfiDq+hXCPPLA0W4/bkfaZg995I2iVGeWtC+6LNdeiT/GNB8at+URi0WCFQ7
J9FVfE6RYGdtDBt/RklAlMbf3o8eAQAzDZBB5BixLJKgg+lqcA08AKuQY0wKxwFs
S316w9SnLHJ+qsZ7/kyN7zrfNAD/4FoRGNANMqLBG4GAKZatnO9cUpfb00ZDTivF
atFSjGqVL924tVy6eYe3c0lU4JGBUilCtBh18ckcrwJTjIVWWws=
=a9BB
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2020 07:28:35 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 23:43:26 2025; Machine Name: bembo
