Radicale Multiple Vulnerabilities Fixed in 1.1


Description

Several vulnerabilities have been identified in Radicale:
- CVE-2015-8747: information disclosure due to a local file inclusion. This vulnerability stems from bad sanitizing of "../" and "//" characters.
- CVE-2015-8748: unauthorized data access due to a malformed regex pattern over URI.

The radicale packages provided by Debian Squeeze 6, Wheezy 7 and Jessie 8 are vulnerable.
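As an added defensive illustration (not Radicale's own code; the base directory, function names and sample paths are hypothetical), the following validates a request path component by component instead of stripping "../" or "//" substrings, the weak sanitizing described for CVE-2015-8747, and includes a simple log check matching the alarms listed under IPS Protection.

```python
import posixpath

# Constructed example base directory; Radicale's real storage layout is not assumed.
BASE_DIR = "/var/lib/radicale/collections"


class UnsafePathError(ValueError):
    """Raised when a request path must not be mapped onto the filesystem."""


def resolve_collection_path(request_path, base_dir=BASE_DIR):
    """Map an already URL-decoded request path onto a path under base_dir.

    Every component is checked and the request is rejected if any component
    is empty (from "//"), "." or "..", so no path outside base_dir is produced.
    """
    if not request_path.startswith("/") or "\\" in request_path or "\0" in request_path:
        raise UnsafePathError("path must be absolute and contain no backslash or NUL")
    # A single trailing slash marks a collection and is allowed.
    if len(request_path) > 1 and request_path.endswith("/"):
        request_path = request_path[:-1]
    components = request_path[1:].split("/") if request_path != "/" else []
    for component in components:
        if component in ("", ".", ".."):
            raise UnsafePathError("illegal path component %r" % component)
    resolved = posixpath.normpath(posixpath.join(base_dir, *components))
    # Defence in depth: the normalized result must still sit inside base_dir.
    base = posixpath.normpath(base_dir)
    if resolved != base and not resolved.startswith(base + "/"):
        raise UnsafePathError("resolved path escapes the base directory")
    return resolved


def is_safe_request_path(request_path, base_dir=BASE_DIR):
    """Boolean wrapper, useful for tests and for logging rejected requests."""
    try:
        resolve_collection_path(request_path, base_dir)
    except UnsafePathError:
        return False
    return True


def looks_like_traversal_probe(uri):
    """Cheap log check mirroring the 'Directory traversal' and '/etc/passwd in URL' alarms."""
    return "../" in uri or "/etc/passwd" in uri.lower()


if __name__ == "__main__":
    for path in ("/user/calendar.ics/", "/user//calendar.ics", "/user/../../etc/passwd"):
        print(path, "->", "accepted" if is_safe_request_path(path) else "rejected")
```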
     
Vulnerable Products

Vulnerable OS:
- Fedora (Red Hat) - 22, 23
- FreeBSD (FreeBSD) - All
- GNU/Linux (Debian) - 6, 7, 8
     
Solution   Fixed py27-radicale, py32-radicale, py33-radicale and py34-radicale packages for FreeBSD are available.
     
CVE   CVE-2015-8748
CVE-2015-8747
     
References   - Seclists : CVE request for radicale
http://seclists.org/oss-sec/2016/q1/28
- Debian Security Tracker : radicale
https://security-tracker.debian.org/tracker/CVE-2015-8747
https://security-tracker.debian.org/tracker/CVE-2015-8748
- FEDORA-2016-f048c43393 : Fedora 23 Update: radicale-1.1.1-1.fc23
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175738.html
- FEDORA-2016-cf9e2429b5 : Fedora 22 Update: radicale-1.1.1-1.fc22
https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175776.html
- DLA 403-1 : radicale security update
https://lists.debian.org/debian-lts-announce/2016/01/msg00028.html
- DSA 3462-1 : radicale security update
https://lists.debian.org/debian-security-announce/2016/msg00031.html
- VuXML : radicale -- multiple vulnerabilities
http://www.vuxml.org/freebsd/ff824eea-c69c-11e5-96d6-14dae9d210b8.html
     
Vulnerability Manager Detection   No
     
IPS Protection

ASQ Engine alarm                                                      Available Since
Directory traversal                                                   3.2.0
Misc : Local File Inclusion - suspicious /etc/passwd found in URL     3.5.0
     
Risk level   Moderate

Vulnerability First Public Report Date   2016-01-06

Target Type   Server

Possible exploit   Remote