Debian 10261 Published by

An awl security update has been released for Debian GNU/Linux 8 LTS to fix two security issues.



DLA 2178-1: awl security update



Package : awl
Version : 0.55-1+deb8u1
CVE ID : CVE-2020-11728 CVE-2020-11729
Debian Bug : 956650

Following CVEs were reported against the awl source package:

CVE-2020-11728

An issue was discovered in DAViCal Andrew's Web Libraries (AWL)
through 0.60. Session management does not use a sufficiently
hard-to-guess session key. Anyone who can guess the microsecond
time (and the incrementing session_id) can impersonate a session.

CVE-2020-11729

An issue was discovered in DAViCal Andrew's Web Libraries (AWL)
through 0.60. Long-term session cookies, uses to provide
long-term session continuity, are not generated securely, enabling
a brute-force attack that may be successful.

For Debian 8 "Jessie", these problems have been fixed in version
0.55-1+deb8u1.

We recommend that you upgrade your awl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://wiki.debian.org/LTS