Bug#904200: RM: acccheck -- ROM; Insecure, unmaintained, better alternatives

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Bug#904200: RM: acccheck -- ROM; Insecure, unmaintained, better alternatives

Raphael Hertzog-3
Package: ftp.debian.org
Severity: normal

Please remove the acccheck package. It is affected by multiple security
vulnerabilities that are unlikely to be fixed by upstream as this was a
script written and shared a long time ago, upstream is not actively
maintaining it.

The feature set of this package is also redundant with other better tools:
metasploit, hydra, medusa, ncrack and patator

FWIW the package has been dropped from Debian Testing due to #901572
and Kali followed suite, it has been dropped from their meta-package too.

Thank you in advance.

PS: I first tried to patch the security vulnerability but when I looked at
the code more closely, it's literaly riddled with shell injection
vulnerabilities and it would be time-consuming to fix them all.

PS: I'm requesting this as a member of the pkg-security packaging team
even though I'm not listed in Uploaders of the package. I have put Marcos
Fouces in copy of the bug.

Reply | Threaded
Open this post in threaded view
|

Bug#904200: RM: acccheck -- ROM; Insecure, unmaintained, better alternatives

Marcos Fouces-2
Hello

I am agree with this. Some days ago -when this bugs were published- I
contacted upstream but i get no answer.

Greetings,

Marcos


On 21/07/18 15:02, Raphaƫl Hertzog wrote:

> Package: ftp.debian.org
> Severity: normal
>
> Please remove the acccheck package. It is affected by multiple security
> vulnerabilities that are unlikely to be fixed by upstream as this was a
> script written and shared a long time ago, upstream is not actively
> maintaining it.
>
> The feature set of this package is also redundant with other better tools:
> metasploit, hydra, medusa, ncrack and patator
>
> FWIW the package has been dropped from Debian Testing due to #901572
> and Kali followed suite, it has been dropped from their meta-package too.
>
> Thank you in advance.
>
> PS: I first tried to patch the security vulnerability but when I looked at
> the code more closely, it's literaly riddled with shell injection
> vulnerabilities and it would be time-consuming to fix them all.
>
> PS: I'm requesting this as a member of the pkg-security packaging team
> even though I'm not listed in Uploaders of the package. I have put Marcos
> Fouces in copy of the bug.
>