network/nikto: Fix CVE-2018-11652.

(* Security fix *) Signed-off-by: David Spencer <baildon.research@googlemail.com>
author: Brenton Earl <brent@exitstatusone.com> 2018-10-20 20:26:37 +0100
committer: Willy Sudiarto Raharjo <willysr@slackbuilds.org> 2018-10-21 06:47:01 +0700
commit: 0d93f8e9c9e07ec1fcc204fbd9564a00e20a9359 (patch)
tree: c989fdfe0a64a22c343c5f8ec206f46b5221ecb5 /network/nikto/nikto.SlackBuild
parent: d006b62d5e07c6149c828f219435332b42f8b7c8 (diff)
download: slackbuilds-0d93f8e9c9e07ec1fcc204fbd9564a00e20a9359.tar.gz
1 files changed, 8 insertions, 1 deletions
diff --git a/network/nikto/nikto.SlackBuild b/network/nikto/nikto.SlackBuild
index 118f4d949a..ac6cd320fe 100644
--- a/network/nikto/nikto.SlackBuild
+++ b/network/nikto/nikto.SlackBuild
@@ -25,7 +25,7 @@
 
 PRGNAM=nikto
 VERSION=${VERSION:-2.1.6}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
 TAG=${TAG:-_SBo}
 
 if [ -z "$ARCH" ]; then
@@ -78,6 +78,13 @@ patch -p1 --verbose < $CWD/patches/nikto_core.plugin.diff
 # Fix path for Slackware
 patch -p1 --verbose < $CWD/patches/man_page.diff
 
+# Fix CVE-2018-11652: https://nvd.nist.gov/vuln/detail/CVE-2018-11652
+# Allows remote attackers to inject arbitrary OS commands via the
+# server field in an HTTP response header, which is directly
+# injected into a CSV report
+# PoC: https://www.exploit-db.com/exploits/44899/
+patch -p1 --verbose < $CWD/patches/CVE-2018-11652-CSV-injection.patch
+
 # Install executable
 if [ "$ARCH" = "x86_64" ]; then
   install -Dm 755 $CWD/nikto64.sh $PKG/usr/bin/nikto
author	Brenton Earl <brent@exitstatusone.com>	2018-10-20 20:26:37 +0100
committer	Willy Sudiarto Raharjo <willysr@slackbuilds.org>	2018-10-21 06:47:01 +0700
commit	0d93f8e9c9e07ec1fcc204fbd9564a00e20a9359 (patch)
tree	c989fdfe0a64a22c343c5f8ec206f46b5221ecb5 /network/nikto/nikto.SlackBuild
parent	d006b62d5e07c6149c828f219435332b42f8b7c8 (diff)
download	slackbuilds-0d93f8e9c9e07ec1fcc204fbd9564a00e20a9359.tar.gz