Commit message | Author | Age | Files | Lines

* testing/php7-oauth: move to community | Andy Postnikov | 2017-06-03 | 1 | -0/+33
* community/zstd: upgrade to 1.2.0 | André Klitzing | 2017-06-03 | 1 | -2/+2
* community/duo_unix: security upgrade to 1.9.21 (DUO-PSA-2017-002) | Paul Morgan | 2017-06-03 | 2 | -6/+13
  Duo Product Security Advisory
  =============================

  Advisory ID: DUO-PSA-2017-002
  Publication Date: 2017-05-31
  Revision Date: 2017-05-31
  Status: Confirmed, Fixed
  Document Revision: 1

  Overview
  --------

  Duo Security has identified an issue in duo_unix, which, under certain uncommon configurations, could enable attackers to bypass second-factor user authentication. Duo has no evidence that this vulnerability has actively been exploited and we believe this specific configuration is extraordinarily uncommon.

  This issue was resolved in version 1.9.21 of duo_unix. Customers using an affected configuration should update to the latest version as soon as possible (see "Solution" section below).

  Description
  -----------

  Prior to version 1.9.21, duo_unix (which includes both login_duo and pam_duo), supported setting an HTTP proxy configuration through the standard 'http_proxy' environment variable. Under some uncommon configurations (examples listed below), however, it is possible for an untrusted user to set a value for the 'http_proxy' variable prior to initiating a Duo authentication attempt. If an invalid proxy host (e.g. '0.0.0.0') is selected, then login_duo/pam_duo will ultimately fail to connect to Duo's API, and as a result, trigger the configured "failmode" behavior. If "failmode" is set to "safe" (which is the default), then this could result in a bypass of second-factor authentication.

  Duo has identified two specific configuration scenarios in which an untrusted user may be able to control the value of the 'http_proxy' environment variable.

  1. login_duo with nonstandard sshd "AcceptEnv" configurations: OpenSSH can permit clients to forward environment variables to servers. By default, OpenSSH server distributions generally allow only a whitelisted set of variables (which does not include 'http_proxy') to be forwarded in this way. It is possible, however, for an administrator to configure a less-restrictive policy using the AcceptEnv keyword in sshd_config. If a server has been configured with a non-default AcceptEnv policy that permits clients to send an 'http_proxy' environment variable, and is using login_duo to add Duo 2FA to ssh logins, then this configuration could result in a bypass of Duo 2FA. This scenario only applies to login_duo; when used with OpenSSH, pam_duo is unaffected by this issue.

  2. pam_duo with local authentication (e.g. su / sudo): While pam_duo is not affected by this issue when used with OpenSSH, when pam_duo is being used to perform 2FA in other contexts - particularly, to authenticate system-local actions performed by untrusted users - it may be possible for untrusted users to control the value of the 'http_proxy' environment variable prior to initiating an authentication attempt. In particular, Duo has confirmed that configurations which use pam_duo to add Duo 2FA to the "su" and "sudo" commands are impacted by this issue.

  Version 1.9.21 of duo_unix has been released to resolve this issue. It removes support for configuring an HTTP Proxy via an environment variable.

  Impact
  ------

  Attackers may be able to bypass second-factor authentication on impacted configurations which accept attacker-controlled environment variables.

  Affected Product(s)
  -------------------

  All versions of duo_unix prior to 1.9.21 are impacted when used in one of the following configuration scenarios:

  * login_duo is performing 2FA for SSH logins, and sshd has been configured with a permissive (non-default) AcceptEnv policy
  * pam_duo is performing 2FA for scenarios other than SSH logins

  Workaround
  ----------

  Customers using login_duo in an affected configuration may work around this issue by ensuring that their AcceptEnv configuration for sshd (e.g. in /etc/ssh/sshd_config) does not permit clients to send an 'http_proxy' variable. Customers using pam_duo in an affected configuration must upgrade to the latest version of duo_unix.

  Solution
  --------

  Customers should upgrade to the latest version of the duo_unix client as discussed above. Clone the latest version from:

  * https://github.com/duosecurity/duo_unix

  For more information on upgrading duo_unix, see https://duo.com/docs/duounix

  Vulnerability Metrics
  ---------------------

  Vulnerability Class: CWE-454: External Initialization of Trusted Variables or Data Stores
  https://cwe.mitre.org/data/definitions/454.html
  Remotely Exploitable: [No]
  Authentication Required: [Partial]
  Severity: [High]
  CVSSv2 Overall Score: 5.0
  CVSSv2 Group Scores: Base: 6.0, Temporal: 5.0
  CVSSv2 Vector: AV:L/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C

  References
  ----------

  * CWE-454: External Initialization of Trusted Variables or Data Stores - https://cwe.mitre.org/data/definitions/454.html
  * Duo Unix Reference - https://duo.com/docs/duounix

  Timeline
  --------

  2017-05-19
  * Duo privately receives report of a security vulnerability in Duo Unix
  * Duo acknowledges receipt of report and begins investigation

  2017-05-22
  * Duo confirms vulnerability exists in related case to original report

  2017-05-30
  * Duo completes development and testing of fixes

  2017-05-31
  * Advisory released to all Duo customers using duo_unix

  Credits/Contact
  ---------------

  Technical questions regarding this issue should be sent to support@duosecurity.com and reference "DUO-PSA-2017-002" in the subject, or to your Customer Success Manager, if appropriate.

  Duo Security would like to thank Fred Emmott for reporting this issue.

* community/x2goserver: moved from testing | Francesco Colista | 2017-06-02 | 5 | -0/+100
* community/tesseract-ocr: upgrade to 3.05.01 | Francesco Colista | 2017-06-02 | 1 | -5/+3
* community/gns3-gui: bump pkgrel | Francesco Colista | 2017-06-02 | 1 | -1/+1
* community/gns-server: added dependencies for aiohttp1 | Francesco Colista | 2017-06-02 | 2 | -6/+8
  In the Alpine repo we have aiohttp 2.x only, but this is incompatible with GNS3. Bug sent to upstream: https://github.com/GNS3/gns3-server/issues/1054

  In the meantime, we created a py3-aiohttp1 package to make GNS3 work again.

* community/py3-aiohttp1-cors: new aport. Needed to make GNS3 work again | Francesco Colista | 2017-06-02 | 1 | -0/+31
* community/py3-aiohttp1: new aport. Needed to make GNS3 work again | Francesco Colista | 2017-06-02 | 2 | -0/+46
* community/tvheadend: rebuild against x265-2.4 | Leonardo Arena | 2017-06-02 | 1 | -1/+1
* community/xpra: rebuild against x265-2.4 | Leonardo Arena | 2017-06-02 | 1 | -1/+1
* community/libreoffice: rebuild against poppler-0.54.0 | Leonardo Arena | 2017-06-02 | 1 | -1/+1
* community/diff-pdf: rebuild against poppler-0.54.0 | Leonardo Arena | 2017-06-02 | 1 | -1/+1
* community/evince: rebuild against poppler-0.54.0 | Leonardo Arena | 2017-06-02 | 1 | -1/+1
* community/inkscape: rebuild against poppler-0.54.0 | Leonardo Arena | 2017-06-02 | 1 | -1/+1
* community/xpdf: rebuild against poppler-0.54.0 | Leonardo Arena | 2017-06-02 | 1 | -1/+1
* community/atril: rebuild against poppler-0.54.0 | Leonardo Arena | 2017-06-02 | 1 | -1/+1
* community/pdfgrep: rebuild against poppler-0.54.0 | Leonardo Arena | 2017-06-02 | 1 | -1/+1
* community/claws-mail: rebuild against poppler-0.54.0 | Leonardo Arena | 2017-06-02 | 1 | -1/+1
* community/virtualbox-guest-modules-hardened: Update to 5.1.22 | Ben Allen | 2017-06-02 | 1 | -2/+2
* community/virtualbox-guest-additions: Update to 5.1.22 | Ben Allen | 2017-06-02 | 1 | -2/+2
* community/perl-par-packer: update to 1.037 / add check() | Stuart Cardall | 2017-06-02 | 1 | -4/+7
* community/py3-aiohttp: upgrade to 2.1.0 | Fabian Affolter | 2017-06-02 | 1 | -2/+2
* community/py-snmp: upgrade to 4.3.6 | Fabian Affolter | 2017-06-02 | 1 | -2/+2
* community/py-sqlalchemy: upgrade to 1.1.10 | Fabian Affolter | 2017-06-02 | 1 | -3/+3
* community/cabal: build without profiling enabled | Mitch Tishmack | 2017-06-02 | 1 | -7/+2
  Saves on build time for things we won't ever use, building profiled library support for libraries and the executable; also saves a skosh on size.

  Ref difference between r0->r1:

      $ apk info cabal
      cabal-1.24.0.2-r1 description: The Haskell Cabal
      cabal-1.24.0.2-r1 webpage: http://haskell.org
      cabal-1.24.0.2-r1 installed size: 18051072
      cabal-1.24.0.2-r0 description: The Haskell Cabal
      cabal-1.24.0.2-r0 webpage: http://haskell.org
      cabal-1.24.0.2-r0 installed size: 18993152

* community/cabal: Update APKBUILD with more stable dependencies | Mitch Tishmack | 2017-06-02 | 1 | -45/+56
  Instead of using the regular .cabal URIs, which can be changed to allow old packages to build against newer GHCs or to fix issues with old package authors not updating their .cabal files, use the specific revision of the cabal files we used for bootstrapping cabal itself.

  Also add -$pkgver-$pkgrel to .cabal files from hackage; in the prepare() function, move them to package.cabal so that bootstrap.sh works.

* community/cabal: moved from testing | Mitch Tishmack | 2017-06-02 | 4 | -0/+164
* community/nodejs-current: upgrade to 8.0.0 | Ole-Martin Bratteng | 2017-06-02 | 1 | -2/+2
* community/py-isort: upgrade to 4.2.8 | Fabian Affolter | 2017-06-02 | 1 | -5/+3
* community/pytest: upgrade to 3.1.1 | Fabian Affolter | 2017-06-02 | 1 | -5/+3
* community/php5: fix php-fpm init.d script | Natanael Copa | 2017-06-01 | 2 | -13/+3
  ref #7353

* community/youtube-dl: upgrade to 2017.05.29 | Timo Teräs | 2017-06-01 | 1 | -2/+2
* community/py3-multidict: upgrade to 2.1.6 | Francesco Colista | 2017-05-31 | 1 | -2/+2
* community/certbot: upgrade to 0.14.2 | Francesco Colista | 2017-05-31 | 1 | -2/+2
* community/py-raven: upgrade to 6.1.0 | Francesco Colista | 2017-05-31 | 1 | -2/+2
* community/perl-mojolicious: upgrade to 7.32 | Francesco Colista | 2017-05-31 | 1 | -2/+2
* community/libplist: upgrade to 2.0.0 | Natanael Copa | 2017-05-30 | 1 | -4/+2
* community/openjdk8: increase buffer size for getmntent_r | Natanael Copa | 2017-05-30 | 2 | -1/+92
  Java will only use a 1024-byte buffer for parsing mounts. Unlike glibc, musl will return an error when this is not big enough instead of truncating it. We solve it by allocating a much bigger buffer.

  ref #9073

  We also build without precompiled headers, which do not work with PIE.

* community/gns3-gui: upgrade to 2.0.2 | Francesco Colista | 2017-05-30 | 1 | -2/+2
* community/gns3-server: upgrade to 2.0.2 | Francesco Colista | 2017-05-30 | 1 | -2/+2
* testing/you-get: upgrade to 0.4.750 and move from testing | Ivan Tham | 2017-05-30 | 1 | -0/+31
* community/virtualbox-guest-modules-hardened: rebuild against kernel 4.9.30-r0 | Natanael Copa | 2017-05-29 | 1 | -1/+1
* community/atheme-iris: move from main | William Pitcock | 2017-05-27 | 5 | -0/+110
* community/speedometer: move from main, upgrade to 2.8 | William Pitcock | 2017-05-27 | 1 | -0/+32
* community/python2-tkinter: fix parent APKBUILD path | William Pitcock | 2017-05-27 | 1 | -1/+1
* community/python2-tkinter: move from main | William Pitcock | 2017-05-27 | 1 | -0/+103
* community/jruby: upgrade to 9.1.10.0 | Jakub Jirutka | 2017-05-26 | 1 | -2/+2
* community/chromium: update to 58.0.3029.110 | khanku | 2017-05-26 | 7 | -84/+93
* community/cppcheck: upgrade to 1.79 | André Klitzing | 2017-05-25 | 1 | -3/+2