{"securityvulns": [{"lastseen": "2018-08-31T11:09:59", "description": "Infinite loop on account names with two dashes.", "edition": 1, "cvss3": {}, "published": "2015-03-18T00:00:00", "title": "checkpw DoS", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-0885"], "modified": "2015-03-18T00:00:00", "id": "SECURITYVULNS:VULN:14328", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14328", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:58", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-3192-1 security@debian.org\r\nhttp://www.debian.org/security/ Salvatore Bonaccorso\r\nMarch 17, 2015 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : checkpw\r\nCVE ID : CVE-2015-0885\r\nDebian Bug : 780139\r\n\r\nHiroya Ito of GMO Pepabo, Inc. reported that checkpw, a password\r\nauthentication program, has a flaw in processing account names which\r\ncontain double dashes. 
A remote attacker can use this flaw to cause a\r\ndenial of service (infinite loop).\r\n\r\nFor the stable distribution (wheezy), this problem has been fixed in\r\nversion 1.02-1+deb7u1.\r\n\r\nFor the upcoming stable distribution (jessie), this problem has been\r\nfixed in version 1.02-1.1.\r\n\r\nFor the unstable distribution (sid), this problem has been fixed in\r\nversion 1.02-1.1.\r\n\r\nWe recommend that you upgrade your checkpw packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: https://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n", "edition": 1, "cvss3": {}, "published": "2015-03-18T00:00:00", "title": "[SECURITY] [DSA 3192-1] checkpw security update", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-0885"], "modified": "2015-03-18T00:00:00", "id": "SECURITYVULNS:DOC:31805", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31805", "cvss": {"score": 5.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "jvn": [{"lastseen": "2021-12-28T23:20:55", "description": "checkpw is a password authentication program. checkpw contains a denial-of-service (DoS) vulnerability due to a flaw in processing account names ([CWE-400](<http://cwe.mitre.org/data/definitions/400.html>)).\n\n ## Impact\n\nA remote attacker may be able to cause a denial-of-service (DoS).\n\n ## Solution\n\n**Update the Software** \nUpdate to the latest version according to the information provided by the developer.\n\n ## Products Affected\n\n * checkpw-1.02 and earlier\n", "cvss3": {}, "published": "2015-02-27T00:00:00", "type": "jvn", "title": "JVN#34790526: checkpw vulnerable to denial-of-service (DoS)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0885"], "modified": "2015-02-27T00:00:00", "id": "JVN:34790526", "href": "http://jvn.jp/en/jp/JVN34790526/index.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debian": [{"lastseen": "2021-10-23T22:30:00", "description": "Package : checkpw\nVersion : 1.02-1+deb6u1\nCVE ID : CVE-2015-0885\n\nHiroya Ito of GMO Pepabo, Inc. reported that checkpw, a password\nauthentication program, has a flaw in processing account names which\ncontain double dashes. 
A remote attacker can use this flaw to cause a\ndenial of service (infinite loop).\n\nThanks to Markus Koschany who prepared the Debian package.", "cvss3": {}, "published": "2015-04-09T11:04:26", "type": "debian", "title": "[SECURITY] [DLA 191-1] checkpw security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0885"], "modified": "2015-04-09T11:04:26", "id": "DEBIAN:DLA-191-1:AD8BF", "href": "https://lists.debian.org/debian-lts-announce/2015/04/msg00005.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-10-21T22:48:29", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3192-1 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nMarch 17, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : checkpw\nCVE ID : CVE-2015-0885\nDebian Bug : 780139\n\nHiroya Ito of GMO Pepabo, Inc. reported that checkpw, a password\nauthentication program, has a flaw in processing account names which\ncontain double dashes. 
A remote attacker can use this flaw to cause a\ndenial of service (infinite loop).\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.02-1+deb7u1.\n\nFor the upcoming stable distribution (jessie), this problem has been\nfixed in version 1.02-1.1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.02-1.1.\n\nWe recommend that you upgrade your checkpw packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2015-03-17T06:16:53", "type": "debian", "title": "[SECURITY] [DSA 3192-1] checkpw security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0885"], "modified": "2015-03-17T06:16:53", "id": "DEBIAN:DSA-3192-1:3FE4C", "href": "https://lists.debian.org/debian-security-announce/2015/msg00077.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-01-18T13:08:30", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3192-1 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nMarch 17, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : checkpw\nCVE ID : CVE-2015-0885\nDebian Bug : 780139\n\nHiroya Ito of GMO Pepabo, 
Inc. reported that checkpw, a password\nauthentication program, has a flaw in processing account names which\ncontain double dashes. A remote attacker can use this flaw to cause a\ndenial of service (infinite loop).\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.02-1+deb7u1.\n\nFor the upcoming stable distribution (jessie), this problem has been\nfixed in version 1.02-1.1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.02-1.1.\n\nWe recommend that you upgrade your checkpw packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2015-03-17T06:16:53", "type": "debian", "title": "[SECURITY] [DSA 3192-1] checkpw security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0885"], "modified": "2015-03-17T06:16:53", "id": "DEBIAN:DSA-3192-1:66EF6", "href": "https://lists.debian.org/debian-security-announce/2015/msg00077.html", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:36:33", "description": "Hiroya Ito of GMO Pepabo, Inc. reported\nthat checkpw, a password authentication program, has a flaw in processing account\nnames which contain double dashes. 
A remote attacker can use this flaw to cause a\ndenial of service (infinite loop).", "cvss3": {}, "published": "2015-03-17T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3192-1 (checkpw - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-0885"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:1361412562310703192", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703192", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3192.nasl 14278 2019-03-18 14:47:26Z cfischer $\n# Auto-generated from advisory DSA 3192-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703192\");\n script_version(\"$Revision: 14278 $\");\n script_cve_id(\"CVE-2015-0885\");\n script_name(\"Debian Security Advisory DSA 3192-1 (checkpw - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:47:26 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-03-17 00:00:00 +0100 (Tue, 17 Mar 2015)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2015/dsa-3192.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"checkpw on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (wheezy),\nthis problem has been fixed in version 1.02-1+deb7u1.\n\nFor the upcoming stable distribution (jessie), this problem has been\nfixed in version 1.02-1.1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.02-1.1.\n\nWe recommend that you upgrade your checkpw packages.\");\n script_tag(name:\"summary\", value:\"Hiroya Ito of GMO Pepabo, Inc. reported\nthat checkpw, a password authentication program, has a flaw in processing account\nnames which contain double dashes. 
A remote attacker can use this flaw to cause a\ndenial of service (infinite loop).\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"checkpw\", ver:\"1.02-1+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2017-07-24T12:53:43", "description": "Hiroya Ito of GMO Pepabo, Inc. reported\nthat checkpw, a password authentication program, has a flaw in processing account\nnames which contain double dashes. A remote attacker can use this flaw to cause a\ndenial of service (infinite loop).", "cvss3": {}, "published": "2015-03-17T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 3192-1 (checkpw - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-0885"], "modified": "2017-07-07T00:00:00", "id": "OPENVAS:703192", "href": "http://plugins.openvas.org/nasl.php?oid=703192", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3192.nasl 6609 2017-07-07 12:05:59Z cfischer $\n# Auto-generated from advisory DSA 3192-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in 
the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703192);\n script_version(\"$Revision: 6609 $\");\n script_cve_id(\"CVE-2015-0885\");\n script_name(\"Debian Security Advisory DSA 3192-1 (checkpw - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:59 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2015-03-17 00:00:00 +0100 (Tue, 17 Mar 2015)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2015/dsa-3192.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"checkpw on Debian Linux\");\n script_tag(name: \"insight\", value: \"checkpw is an implementation of the\ncheckpassword interface that checks a password against a ``.password'' file in\nthe user's Maildir. 
The password file has read and write permissions to the user only.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (wheezy),\nthis problem has been fixed in version 1.02-1+deb7u1.\n\nFor the upcoming stable distribution (jessie), this problem has been\nfixed in version 1.02-1.1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.02-1.1.\n\nWe recommend that you upgrade your checkpw packages.\");\n script_tag(name: \"summary\", value: \"Hiroya Ito of GMO Pepabo, Inc. reported\nthat checkpw, a password authentication program, has a flaw in processing account\nnames which contain double dashes. A remote attacker can use this flaw to cause a\ndenial of service (infinite loop).\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"checkpw\", ver:\"1.02-1+deb7u1\", rls_regex:\"DEB7.[0-9]\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-08-19T12:46:43", "description": "Hiroya Ito of GMO Pepabo, Inc. reported that checkpw, a password authentication program, has a flaw in processing account names which contain double dashes. 
A remote attacker can use this flaw to cause a denial of service (infinite loop).", "cvss3": {"score": null, "vector": null}, "published": "2015-03-17T00:00:00", "type": "nessus", "title": "Debian DSA-3192-1 : checkpw - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-0885"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:checkpw", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-3192.NASL", "href": "https://www.tenable.com/plugins/nessus/81836", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3192. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(81836);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-0885\");\n script_bugtraq_id(72856);\n script_xref(name:\"DSA\", value:\"3192\");\n\n script_name(english:\"Debian DSA-3192-1 : checkpw - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Hiroya Ito of GMO Pepabo, Inc. reported that checkpw, a password\nauthentication program, has a flaw in processing account names which\ncontain double dashes. 
A remote attacker can use this flaw to cause a\ndenial of service (infinite loop).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780139\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/checkpw\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2015/dsa-3192\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the checkpw packages.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 1.02-1+deb7u1.\n\nFor the upcoming stable distribution (jessie), this problem has been\nfixed in version 1.02-1.1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:checkpw\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/03/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/03/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"checkpw\", reference:\"1.02-1+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T12:46:20", "description": "Hiroya Ito of GMO Pepabo, Inc. reported that checkpw, a password authentication program, has a flaw in processing account names which contain double dashes. A remote attacker can use this flaw to cause a denial of service (infinite loop).\n\nThanks to Markus Koschany who prepared the Debian package.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2015-04-10T00:00:00", "type": "nessus", "title": "Debian DLA-191-1 : checkpw security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-0885"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:checkpw", "cpe:/o:debian:debian_linux:6.0"], "id": "DEBIAN_DLA-191.NASL", "href": "https://www.tenable.com/plugins/nessus/82669", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-191-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(82669);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-0885\");\n script_bugtraq_id(72856);\n\n script_name(english:\"Debian DLA-191-1 : checkpw security update\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Hiroya Ito of GMO Pepabo, Inc. reported that checkpw, a password\nauthentication program, has a flaw in processing account names which\ncontain double dashes. A remote attacker can use this flaw to cause a\ndenial of service (infinite loop).\n\nThanks to Markus Koschany who prepared the Debian package.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2015/04/msg00005.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze-lts/checkpw\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected checkpw package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:checkpw\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"checkpw\", 
reference:\"1.02-1+deb6u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "debiancve": [{"lastseen": "2021-12-14T17:46:55", "description": "checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username.", "cvss3": {}, "published": "2015-02-28T02:59:00", "type": "debiancve", "title": "CVE-2015-0885", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0885"], "modified": "2015-02-28T02:59:00", "id": "DEBIANCVE:CVE-2015-0885", "href": "https://security-tracker.debian.org/tracker/CVE-2015-0885", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:55:08", "description": "checkpw 1.02 and earlier allows remote attackers to cause a denial of\nservice (infinite loop) via a -- (dash dash) in a username.", "cvss3": {}, "published": "2015-02-28T00:00:00", "type": "ubuntucve", "title": "CVE-2015-0885", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0885"], "modified": "2015-02-28T00:00:00", "id": "UB:CVE-2015-0885", "href": "https://ubuntu.com/security/CVE-2015-0885", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}