Debian Package Tracker

general

source: ntopng (main)
version: 3.8+dfsg1-2.1
maintainer: Ludovico Cavedon (DMD)
arch: all any
std-ver: 4.3.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.2.1+dfsg1-1.1
oldstable: 2.4+dfsg1-3
stable: 3.8+dfsg1-2.1
testing: 3.8+dfsg1-2.1
unstable: 3.8+dfsg1-2.1

versioned links

1.2.1+dfsg1-1.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.4+dfsg1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.8+dfsg1-2.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

ntopng (4 bugs: 0, 3, 1, 0)
ntopng-data
ntopng-doc

action needed

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2018-09-11 Last update: 2019-10-22 08:49

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit d299b1f2869a1793ad1109d9b06a818792ca5a44
Author: Faidon Liambotis <paravoid@debian.org>
Date:   Thu Aug 29 15:17:19 2019 +0300

    Remove spurious dependency on libgeoip-dev
    
    Remove the spurious dependency on libgeoip-dev, as nothing in the source
    uses that anymore. Upstream has migrated to GeoIP2 and the B-D on
    libmaxminddb-dev was already introduced with f478423e.
    
    While at it, also remove Suggests for geoip-database-contrib, as that
    package does not exist anymore.

Created: 2019-08-29 Last update: 2019-10-16 20:37

lintian reports 3 warnings normal

Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2019-09-04 Last update: 2019-09-04 00:44

6 ignored security issues in jessie low

There are 6 open security issues in jessie.

6 issues skipped by the security teams:

CVE-2018-12520: An issue was discovered in ntopng 3.4 before 3.4.180617. The PRNG involved in the generation of session IDs is not seeded at program startup. This results in deterministic session IDs being allocated for active user sessions. An attacker with foreknowledge of the operating system and standard library in use by the host running the service and the username of the user whose session they're targeting can abuse the deterministic random number generation in order to hijack the user's session, thus escalating their access.
CVE-2015-8368: ntopng (aka ntop) before 2.2 allows remote authenticated users to change the login context and gain privileges via the user cookie and username parameter to admin/password_reset.lua.
CVE-2017-7416: ntopng before 3.0 allows XSS because GET and POST parameters are improperly validated.
CVE-2017-7459: ntopng before 3.0 allows HTTP Response Splitting.
CVE-2017-7458: The NetworkInterface::getHost function in NetworkInterface.cpp in ntopng before 3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty field that should have contained a hostname or IP address.
CVE-2017-5473: Cross-site request forgery (CSRF) vulnerability in ntopng through 2.4 allows remote attackers to hijack the authentication of arbitrary users, as demonstrated by admin/add_user.lua, admin/change_user_prefs.lua, admin/delete_user.lua, and admin/password_reset.lua.

Please fix them.

Created: 2015-12-02 Last update: 2019-10-21 00:30

4 ignored security issues in stretch low

There are 4 open security issues in stretch.

4 issues skipped by the security teams:

CVE-2018-12520: An issue was discovered in ntopng 3.4 before 3.4.180617. The PRNG involved in the generation of session IDs is not seeded at program startup. This results in deterministic session IDs being allocated for active user sessions. An attacker with foreknowledge of the operating system and standard library in use by the host running the service and the username of the user whose session they're targeting can abuse the deterministic random number generation in order to hijack the user's session, thus escalating their access.
CVE-2017-7416: ntopng before 3.0 allows XSS because GET and POST parameters are improperly validated.
CVE-2017-7459: ntopng before 3.0 allows HTTP Response Splitting.
CVE-2017-7458: The NetworkInterface::getHost function in NetworkInterface.cpp in ntopng before 3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty field that should have contained a hostname or IP address.

Please fix them.

Created: 2017-07-01 Last update: 2019-10-21 00:30

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.4.1 instead of 4.3.0).

Created: 2019-07-08 Last update: 2019-09-29 23:39

news

[rss feed]

[2019-02-06] ntopng 3.8+dfsg1-2.1 MIGRATED to testing (Debian testing watch)
[2019-02-04] Accepted ntopng 3.8+dfsg1-2.1 (source) into unstable (Peter Michael Green)
[2019-01-26] Accepted ntopng 3.8+dfsg1-2 (source all amd64) into unstable, unstable (Ludovico Cavedon)
[2019-01-22] Accepted ntopng 3.8+dfsg1-1 (source all amd64) into unstable, unstable (Ludovico Cavedon)
[2017-12-27] Accepted ntopng 3.2+dfsg1-1 (source all amd64) into unstable (Ludovico Cavedon)
[2017-10-21] ntopng 2.4+dfsg1-4 MIGRATED to testing (Debian testing watch)
[2017-09-03] Accepted ntopng 2.4+dfsg1-4 (source all amd64) into unstable (Ludovico Cavedon)
[2017-08-21] ntopng REMOVED from testing (Debian testing watch)
[2017-02-06] ntopng 2.4+dfsg1-3 MIGRATED to testing (Debian testing watch)
[2017-02-04] Accepted ntopng 2.4+dfsg1-3 (source all amd64) into unstable (Ludovico Cavedon)
[2017-01-04] ntopng 2.4+dfsg1-2 MIGRATED to testing (Debian testing watch)
[2016-12-24] Accepted ntopng 2.4+dfsg1-2 (source all amd64) into unstable (Ludovico Cavedon)
[2016-12-23] ntopng 2.4+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2016-12-11] Accepted ntopng 2.4+dfsg1-1 (source all amd64) into unstable (Ludovico Cavedon)
[2016-04-08] ntopng 2.2+dfsg1-2 MIGRATED to testing (Debian testing watch)
[2016-04-03] Accepted ntopng 2.2+dfsg1-2 (source all amd64) into unstable (Ludovico Cavedon)
[2016-03-19] ntopng 2.2+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2016-03-13] Accepted ntopng 2.2+dfsg1-1 (source all amd64) into unstable (Ludovico Cavedon)
[2015-10-03] ntopng 2.0+dfsg1-1 MIGRATED to testing (Britney)
[2015-09-20] Accepted ntopng 2.0+dfsg1-1 (source all amd64) into unstable (Ludovico Cavedon)
[2015-07-19] ntopng 1.2.1+dfsg1-2 MIGRATED to testing (Britney)
[2015-07-14] Accepted ntopng 1.2.1+dfsg1-2 (source all amd64) into unstable (Ludovico Cavedon)
[2015-07-10] ntopng REMOVED from testing (Britney)
[2014-10-19] ntopng 1.2.1+dfsg1-1.1 MIGRATED to testing (Britney)
[2014-10-16] Accepted ntopng 1.2.1+dfsg1-1.1 (source all) into unstable (Andreas Metzler)
[2014-09-19] ntopng 1.2.1+dfsg1-1 MIGRATED to testing (Britney)
[2014-09-13] Accepted ntopng 1.2.1+dfsg1-1 (source amd64 all) into unstable (Ludovico Cavedon)
[2014-08-25] ntopng 1.2.0+dfsg1-1 MIGRATED to testing (Britney)
[2014-08-19] Accepted ntopng 1.2.0+dfsg1-1 (source amd64 all) into unstable (Ludovico Cavedon)
[2014-08-02] ntopng 1.1+dfsg2-2 MIGRATED to testing (Britney)

bugs [bug history graph]

all: 4
RC: 0
I&N: 3
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 3)
buildd: logs, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
screenshots

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.8+dfsg1-2.1build3
2 bugs