Ubuntu Security Notice 4030-1 - It was discovered that web2py does not properly check denied hosts before verifying passwords. An attacker could possibly use this issue to perform brute-force attacks. It was discovered that web2py allows remote attackers to obtain environment variable values. An attacker could possibly use this issue to gain administrative access. It was discovered that web2py uses a hardcoded encryption key. An attacker could possibly use this issue to execute arbitrary code. Various other issues were also addressed.
a99087702bd4f64f9a186902fa43b09a473e58c2c4153bcd31bfc5a32d36a29e
============================================================
==============
Ubuntu Security Notice USN-4030-1
June 21, 2019
web2py vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in web2py.
Software Description:
- web2py: High-level Python web development framework
Details:
It was discovered that web2py does not properly check denied hosts before
verifying passwords. An attacker could possibly use this issue to perform
brute-force attacks. (CVE-2016-10321)
It was discovered that web2py allows remote attackers to obtain
environment variable values. An attacker could possibly use this issue to
gain administrative access. (CVE-2016-3952)
It was discovered that web2py uses a hardcoded encryption key. An
attacker could possibly use this issue to execute arbitrary code.
(CVE-2016-3953, CVE-2016-3954, CVE-2016-3957)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
python-gluon 2.12.3-1ubuntu0.1
python-web2py 2.12.3-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4030-1
CVE-2016-10321, CVE-2016-3952, CVE-2016-3953, CVE-2016-3954,
CVE-2016-3957
Package Information:
https://launchpad.net/ubuntu/+source/web2py/2.12.3-1ubuntu0.1
<https://launchpad.net/ubuntu/+source/web2py/2.12.3-1ubuntu0.1>