Candidate: CVE-2012-2760
PublicDate: 2012-07-25 19:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2760
 https://github.com/bmuller/mod_auth_openid/pull/30
 https://github.com/bmuller/mod_auth_openid/blob/master/ChangeLog
 http://www.exploit-db.com/exploits/18917
 http://secunia.com/advisories/49247
 http://packetstormsecurity.org/files/112991/Mod_Auth_OpenID-Session-Stealing.html
 http://archives.neohapsis.com/archives/fulldisclosure/2012-05/0235.html
Description:
 mod_auth_openid before 0.7 for Apache uses world-readable permissions for
 /tmp/mod_auth_openid.db, which allows local users to obtain session ids.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674165
Priority: low
Discovered-by: Peter Ellehauge
Assigned-to:
CVSS:

Patches_libapache2-mod-auth-openid:
 vendor: http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:118
upstream_libapache2-mod-auth-openid: released (0.7-0.1)
hardy_libapache2-mod-auth-openid: ignored (reached end-of-life)
lucid_libapache2-mod-auth-openid: ignored (reached end-of-life)
natty_libapache2-mod-auth-openid: ignored (reached end-of-life)
oneiric_libapache2-mod-auth-openid: ignored (reached end-of-life)
precise_libapache2-mod-auth-openid: ignored (reached end-of-life)
precise/esm_libapache2-mod-auth-openid: DNE (precise was needs-triage)
quantal_libapache2-mod-auth-openid: not-affected (0.7-0.1)
raring_libapache2-mod-auth-openid: not-affected (0.7-0.1)
saucy_libapache2-mod-auth-openid: not-affected (0.7-0.1)
trusty_libapache2-mod-auth-openid: not-affected (0.7-0.1)
trusty/esm_libapache2-mod-auth-openid: DNE (trusty was not-affected [0.7-0.1])
utopic_libapache2-mod-auth-openid: not-affected (0.7-0.1)
vivid_libapache2-mod-auth-openid: not-affected (0.7-0.1)
vivid/stable-phone-overlay_libapache2-mod-auth-openid: DNE
vivid/ubuntu-core_libapache2-mod-auth-openid: DNE
wily_libapache2-mod-auth-openid: not-affected (0.7-0.1)
xenial_libapache2-mod-auth-openid: not-affected (0.7-0.1)
yakkety_libapache2-mod-auth-openid: not-affected (0.7-0.1)
zesty_libapache2-mod-auth-openid: not-affected (0.7-0.1)
devel_libapache2-mod-auth-openid: not-affected (0.7-0.1)