CVE-2015-4082

NameCVE-2015-4082
Descriptionattic before 0.15 does not confirm unencrypted backups with the user, which allows remote attackers with read and write privileges for the encrypted repository to obtain potentially sensitive information by changing the manifest type byte of the repository to "unencrypted / without key file".
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)
Debian Bugs787435

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
attic (PTS)jessie0.13-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
atticsource(unstable)0.16-1medium787435

Notes

[jessie] - attic <no-dsa> (Minor issue)
https://github.com/jborg/attic/issues/271
https://github.com/jborg/attic/commit/78f9ad1faba7193ca7f0acccbc13b1ff6ebf9072
http://www.openwall.com/lists/oss-security/2015/05/25/3

Search for package or bug name: Reporting problems