Security Information / 2020 / Security Information -- DSA-4660-1 awl

Debian Security Advisory

DSA-4660-1 awl -- security update

Date Reported:

21 Apr 2020

Affected Packages:

awl

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 956650.
In Mitre's CVE dictionary: CVE-2020-11728, CVE-2020-11729.

More information:

Andrew Bartlett discovered that awl, DAViCal Andrew's Web Libraries, did not properly handle session management: this would allow a malicious user to impersonate other sessions or users.

For the oldstable distribution (stretch), these problems have been fixed in version 0.57-1+deb9u1.

For the stable distribution (buster), these problems have been fixed in version 0.60-1+deb10u1.

We recommend that you upgrade your awl packages.

For the detailed security status of awl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/awl