diff -Nru python-vulndb-0.1.0/debian/changelog python-vulndb-0.1.1/debian/changelog --- python-vulndb-0.1.0/debian/changelog 2018-05-10 06:41:21.000000000 +0000 +++ python-vulndb-0.1.1/debian/changelog 2018-12-18 09:17:13.000000000 +0000 @@ -1,3 +1,10 @@ +python-vulndb (0.1.1-1) unstable; urgency=medium + + * New upstream version 0.1.1 + * Bump std-version to 4.2.1 + + -- Gianfranco Costamagna Tue, 18 Dec 2018 10:17:13 +0100 + python-vulndb (0.1.0-1) unstable; urgency=medium [ Raphaƫl Hertzog ] diff -Nru python-vulndb-0.1.0/debian/control python-vulndb-0.1.1/debian/control --- python-vulndb-0.1.0/debian/control 2018-05-10 06:40:05.000000000 +0000 +++ python-vulndb-0.1.1/debian/control 2018-12-18 09:17:01.000000000 +0000 @@ -4,7 +4,7 @@ Maintainer: Debian Security Tools Uploaders: Gianfranco Costamagna Build-Depends: debhelper (>= 10), dh-python, python, python-setuptools -Standards-Version: 4.1.4 +Standards-Version: 4.2.1 Homepage: https://github.com/vulndb/python-sdk/ Vcs-Git: https://salsa.debian.org/pkg-security-team/python-vulndb.git Vcs-Browser: https://salsa.debian.org/pkg-security-team/python-vulndb diff -Nru python-vulndb-0.1.0/PKG-INFO python-vulndb-0.1.1/PKG-INFO --- python-vulndb-0.1.0/PKG-INFO 2018-05-04 19:05:40.000000000 +0000 +++ python-vulndb-0.1.1/PKG-INFO 2018-12-14 12:10:39.000000000 +0000 
@@ -1,12 +1,11 @@ Metadata-Version: 1.1 Name: vulndb -Version: 0.1.0 +Version: 0.1.1 Summary: Provides access to the vulndb information Home-page: https://github.com/vulndb/python-sdk/ Author: Andres Riancho Author-email: self@andresriancho.com License: BSD 3-clause -Description-Content-Type: UNKNOWN Description: Python SDK to access the `vulnerability database `_ .. image:: https://circleci.com/gh/vulndb/python-sdk/tree/master.svg?style=svg diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/10.md python-vulndb-0.1.1/vulndb/db/en/fix/10.md --- python-vulndb-0.1.0/vulndb/db/en/fix/10.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/10.md 2018-12-14 12:02:55.000000000 +0000 @@ -1,11 +1,10 @@ If files are unreferenced then they should be removed from the web root and/or the application directory. -Preventing access without -authentication may also be an option and can stop a client from being -able to view the contents of a file, however it is still likely that -the directory structure will be able to be discovered. +Preventing access without authentication may also be an option and +can stop a client from being able to view the contents of a file, +however it is still likely that the directory structure will be +able to be discovered. -Using obscure -file names is implementing security through obscurity and is not a -recommended option. \ No newline at end of file +Using obscure file names is implementing security through +obscurity and is not a recommended option. \ No newline at end of file diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/11.md python-vulndb-0.1.1/vulndb/db/en/fix/11.md --- python-vulndb-0.1.0/vulndb/db/en/fix/11.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/11.md 2018-12-14 12:02:55.000000000 +0000 
@@ -1,10 +1,10 @@ It is recommended that untrusted data is never used to form the contents of the response header. -Where any untrusted source is -required to be used in the response headers, it is important to ensure -that any hazardous characters (`/r`, `/n` and potentially others) are -sanitised prior to being used. +Where any untrusted source is required to be used in the response +headers, it is important to ensure that any hazardous characters +(`/r`, `/n` and potentially others) are sanitised prior to being +used. -This is especially important when -setting cookie values, redirecting, etc.. \ No newline at end of file +This is especially important when setting cookie values, +redirecting, etc.. \ No newline at end of file diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/13.md python-vulndb-0.1.1/vulndb/db/en/fix/13.md --- python-vulndb-0.1.0/vulndb/db/en/fix/13.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/13.md 2018-12-14 12:02:55.000000000 +0000 
@@ -1,20 +1,19 @@ It is recommended that untrusted data is never used to form a file location to be included. -To validate data, the application should -ensure that the supplied value for a file is permitted. This can be -achieved by performing whitelisting on the parameter value, by -matching it against a list of permitted files. If the supplied value -does not match any value in the whitelist, then the server should -redirect to a standard error page. +To validate data, the application should ensure that the supplied +value for a file is permitted. This can be achieved by performing +whitelisting on the parameter value, by matching it against a list +of permitted files. If the supplied value does not match any value +in the whitelist, then the server should redirect to a standard +error page. -In some scenarios, where dynamic -content is being requested, it may not be possible to perform -validation against a list of trusted resources, therefore the list -must also become dynamic (updated as the files change), or perform -filtering to remove extraneous user input (such as semicolons, periods -etc.) and only permit `a-z0-9`. +In some scenarios, where dynamic content is being requested, it may +not be possible to perform validation against a list of trusted resources, +therefore the list must also become dynamic (updated as the files change), +or perform filtering to remove extraneous user input (such as semicolons, +periods etc.) and only permit `a-z0-9`. -It is also advised that sensitive -files are not stored within the web root and that the user permissions -enforced by the directory are correct. \ No newline at end of file +It is also advised that sensitive files are not stored within the +web root and that the user permissions enforced by the directory +are correct. 
\ No newline at end of file diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/15.md python-vulndb-0.1.1/vulndb/db/en/fix/15.md --- python-vulndb-0.1.0/vulndb/db/en/fix/15.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/15.md 2018-12-14 12:02:55.000000000 +0000 @@ -1,8 +1,7 @@ The most important remediation action is to prevent the server from accepting client supplied data as session tokens. -Additionally, the -client's session token should be changed at specific key stages of the -application flow, such as during authentication. This will ensure that -even if clients are able to set their own cookie, it will not persist -into an authenticated session. \ No newline at end of file +Additionally, the client's session token should be changed at specific +key stages of the application flow, such as during authentication. +This will ensure that even if clients are able to set their own cookie, +it will not persist into an authenticated session. \ No newline at end of file diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/17.md python-vulndb-0.1.1/vulndb/db/en/fix/17.md --- python-vulndb-0.1.0/vulndb/db/en/fix/17.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/17.md 2018-12-14 12:02:55.000000000 +0000 @@ -1,63 +1 @@ -C -o -n -f -i -g -u -r -e - -y -o -u -r - -w -e -b - -s -e -r -v -e -r - -t -o - -i -n -c -l -u -d -e - -a -n - -X -- -F -r -a -m -e -- -O -p -t -i -o -n -s - -h -e -a -d -e -r -. \ No newline at end of file +Configure your web server to include an `X-Frame-Options` header. \ No newline at end of file diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/18.md python-vulndb-0.1.1/vulndb/db/en/fix/18.md --- python-vulndb-0.1.0/vulndb/db/en/fix/18.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/18.md 2018-12-14 12:02:55.000000000 +0000 @@ -4,8 +4,7 @@ for all inputs within that form. An example of disabling `autocomplete` within the form tag is `
`. -The -second slightly less desirable option is to disable the `autocomplete` +The second slightly less desirable option is to disable the `autocomplete` attribute for a specific `` HTML tag. While this may be the less desired solution from a security perspective, it may be preferred method for usability reasons, depending on size of the form. An diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/19.md python-vulndb-0.1.1/vulndb/db/en/fix/19.md --- python-vulndb-0.1.0/vulndb/db/en/fix/19.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/19.md 2018-12-14 12:02:55.000000000 +0000 @@ -1,12 +1,11 @@ It is recommended that untrusted data is never used to form a command to be executed by the OS. -To validate data, the application should -ensure that the supplied value contains only the characters that are -required to perform the required action. +To validate data, the application should ensure that the supplied value +contains only the characters that are required to perform the +required action. -For example, where the form -field expects an IP address, only numbers and periods should be -accepted. Additionally, all control operators (`&`, `&&`, `|`, `||`, -`$`, `\`, `#`) should be explicitly denied and never accepted as valid -input by the server. \ No newline at end of file +For example, where the form field expects an IP address, only numbers +and periods should be accepted. Additionally, all control operators +(`&`, `&&`, `|`, `||`, `$`, `\`, `#`) should be explicitly denied +and never accepted as valid input by the server. \ No newline at end of file diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/20.md python-vulndb-0.1.1/vulndb/db/en/fix/20.md --- python-vulndb-0.1.0/vulndb/db/en/fix/20.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/20.md 2018-12-14 12:02:55.000000000 +0000 
@@ -1,8 +1,6 @@ To remedy XSS vulnerabilities, it is important to never use untrusted or unfiltered data within the code of a HTML page. - - Untrusted data can originate not only form the client but potentially a third party or previously uploaded file etc. Filtering of untrusted data typically involves converting special characters to their HTML @@ -10,46 +8,27 @@ references). These special characters include: - * `&` - * `<` - * `>` - * `"` - * `'` - * `/` - - - An example of HTML entity encoding is converting `<` to `<`. Although it is possible to filter untrusted input, there are five locations within an HTML page where untrusted input (even if it has been filtered) should never be placed: - 1. Directly in a script. - 2. Inside an HTML comment. - 3. In an attribute name. - 4. In a tag name. - 5. Directly in CSS. - - - Each of these locations have their own form of escaping and filtering. - - -_Because many browsers attempt to implement -XSS protection, any manual verification of this finding should be -conducted using multiple different browsers and browser versions._ \ No newline at end of file +_Because many browsers attempt to implement XSS protection, any manual +verification of this finding should be conducted using multiple different +browsers and browser versions._ \ No newline at end of file diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/21.md python-vulndb-0.1.1/vulndb/db/en/fix/21.md --- python-vulndb-0.1.0/vulndb/db/en/fix/21.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/21.md 2018-12-14 12:02:55.000000000 +0000 
@@ -6,11 +6,9 @@ files back to the virtual root. Make sure that only the files that are actually in use reside under the virtual root. -Preventing access -without authentication may also be an option and stop a client being -able to view the contents of a file, however it is still likely that -the filenames will be able to be discovered. +Preventing access without authentication may also be an option and +stop a client being able to view the contents of a file, however it +is still likely that the filenames will be able to be discovered. -Using obscure filenames -is only implementing security through obscurity and is not a -recommended option. \ No newline at end of file +Using obscure filenames is only implementing security through +obscurity and is not a recommended option. \ No newline at end of file diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/22.md python-vulndb-0.1.1/vulndb/db/en/fix/22.md --- python-vulndb-0.1.0/vulndb/db/en/fix/22.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/22.md 2018-12-14 12:02:55.000000000 +0000 @@ -1,7 +1,6 @@ Identifying the context in which the affected page displays a Private IP address is necessary. -If the page is publicly accessible and -displays the Private IP of the affected server (or supporting -infrastructure), then measures should be put in place to ensure that -the IP address is removed from any response. \ No newline at end of file +If the page is publicly accessible and displays the Private IP of the +affected server (or supporting infrastructure), then measures should +be put in place to ensure that the IP address is removed from any response. \ No newline at end of file diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/23.md python-vulndb-0.1.1/vulndb/db/en/fix/23.md --- python-vulndb-0.1.0/vulndb/db/en/fix/23.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/23.md 2018-12-14 12:02:55.000000000 +0000 
@@ -3,11 +3,10 @@ server. The steps to disable the `PUT` method will differ depending on the type of server being used (IIS, Apache, etc.). -For cases where -the `PUT` method is required to meet application functionality, such -as REST style web services, strict limitations should be implemented -to ensure that only secure (SSL/TLS enabled) and authorised clients -are permitted to use the `PUT` method. +For cases where the `PUT` method is required to meet application +functionality, such as REST style web services, strict limitations +should be implemented to ensure that only secure (SSL/TLS enabled) +and authorised clients are permitted to use the `PUT` method. -Additionally, the server's -file system permissions should also enforce strict limitations. \ No newline at end of file +Additionally, the server's file system permissions should also +enforce strict limitations. \ No newline at end of file diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/25.md python-vulndb-0.1.1/vulndb/db/en/fix/25.md --- python-vulndb-0.1.0/vulndb/db/en/fix/25.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/25.md 2018-12-14 12:02:55.000000000 +0000 
@@ -1,10 +1,10 @@ The HTTP `TRACE` method is normally not required within production sites and should therefore be disabled. -Depending on the function -being performed by the web application, the risk level can start low -and increase as more functionality is implemented. +Depending on the function being performed by the web application, +the risk level can start low and increase as more functionality +is implemented. -The remediation is -typically a very simple configuration change and in most cases will -not have any negative impact on the server or application. \ No newline at end of file +The remediation is typically a very simple configuration change +and in most cases will not have any negative impact on the server +or application. \ No newline at end of file diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/28.md python-vulndb-0.1.1/vulndb/db/en/fix/28.md --- python-vulndb-0.1.0/vulndb/db/en/fix/28.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/28.md 2018-12-14 12:02:55.000000000 +0000 
@@ -2,8 +2,8 @@ validity, as it is possible that the regular expression has matched a similar number with no relation to a real SSN. -If the response does -contain a valid SSN, then all efforts should be taken to remove or -further protect this information. This can be achieved by removing the -SSN altogether or by masking the number so that only the last few -digits are present within the response (eg. _**********123_). \ No newline at end of file +If the response does contain a valid SSN, then all efforts should be +taken to remove or further protect this information. This can be +achieved by removing the SSN altogether or by masking the number +so that only the last few digits are present within the response +(eg. _**********123_). \ No newline at end of file diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/2.md python-vulndb-0.1.1/vulndb/db/en/fix/2.md --- python-vulndb-0.1.0/vulndb/db/en/fix/2.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/2.md 2018-12-14 12:02:55.000000000 +0000 
@@ -6,18 +6,30 @@ perform the required action. For example, where a username is required, then no non-alphanumeric characters should be accepted. -If -this is not possible, special characters should be escaped so they are +If this is not possible, special characters should be escaped so they are treated accordingly. The following characters should be escaped with a -`\`: +back-slash: -* `&` * `!` * `|` * `=` * `<` * `>` * `,` * `+` * `-` * `"` * -`'` * `;` +* `&` +* `!` +* `|` +* `=` +* `<` +* `>` +* `,` +* `+` +* `-` +* `"` +* `'` +* `;` Additional character filtering must be applied to: -* `(` * -`)` * `\` * `/` * `*` * `NULL` +* `(` +* `)` +* `\` +* `/` +* `*` +* `NULL` -These characters require ASCII -escaping. \ No newline at end of file +These characters require ASCII escaping. \ No newline at end of file diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/4.md python-vulndb-0.1.1/vulndb/db/en/fix/4.md --- python-vulndb-0.1.0/vulndb/db/en/fix/4.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/4.md 2018-12-14 12:02:55.000000000 +0000 @@ -2,8 +2,7 @@ equally, utilising the latest and most secure encryption protocols. These include SSL version 3.0 and TLS version 1.2. -While TLS 1.2 is -the latest and the most preferred protocol, not all browsers will +While TLS 1.2 is the latest and the most preferred protocol, not all browsers will support this encryption method. Therefore, the more common SSL is included. Older protocols such as SSL version 2, and weak ciphers (< 128 bit) should also be disabled. \ No newline at end of file diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/5.md python-vulndb-0.1.1/vulndb/db/en/fix/5.md --- python-vulndb-0.1.0/vulndb/db/en/fix/5.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/5.md 2018-12-14 12:02:55.000000000 +0000 
@@ -1,7 +1,5 @@ The identified form handler should at a minimum: - - 1. Whitelist permitted file types and block all others. This should be conducted on the MIME type of the file rather than its extension. diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/6.md python-vulndb-0.1.1/vulndb/db/en/fix/6.md --- python-vulndb-0.1.0/vulndb/db/en/fix/6.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/6.md 2018-12-14 12:02:55.000000000 +0000 @@ -2,5 +2,4 @@ ensure that NoSQL API calls are not constructed via string concatenation that includes unsanitized data. -Sanitization is best -achieved using existing escaping libraries. \ No newline at end of file +Sanitization is best achieved using existing escaping libraries. \ No newline at end of file diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/7.md python-vulndb-0.1.1/vulndb/db/en/fix/7.md --- python-vulndb-0.1.0/vulndb/db/en/fix/7.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/7.md 2018-12-14 12:02:55.000000000 +0000 @@ -1,55 +1 @@ -M -a -n -u -a -l -l -y - -i -n -s -p -e -c -t - -t -h -e - -H -T -T -P - -r -e -s -p -o -n -s -e - -s -t -a -t -u -s - -c -o -d -e - -a -n -d - -b -o -d -y \ No newline at end of file +Manually inspect the HTTP response status code and body \ No newline at end of file diff -Nru python-vulndb-0.1.0/vulndb/db/en/fix/9.md python-vulndb-0.1.1/vulndb/db/en/fix/9.md --- python-vulndb-0.1.0/vulndb/db/en/fix/9.md 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db/en/fix/9.md 2018-12-14 12:02:55.000000000 +0000 
@@ -2,9 +2,8 @@ action, using untrusted data, should be avoided wherever possible, as these may not be inspected by server side filtering. -To remedy DOM -XSS vulnerabilities where these sensitive document actions must be -used, it is essential to: +To remedy DOM XSS vulnerabilities where these sensitive document actions +must be used, it is essential to: 1. Ensure any untrusted data is treated as text, as opposed to being interpreted as code or mark-up within the page. diff -Nru python-vulndb-0.1.0/vulndb/db-version.txt python-vulndb-0.1.1/vulndb/db-version.txt --- python-vulndb-0.1.0/vulndb/db-version.txt 2018-05-03 14:28:11.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/db-version.txt 2018-12-14 12:02:55.000000000 +0000 @@ -1 +1 @@ -cffd9f03c415157767d50c904ad20675debecaa7 +20459bc133f0c09d06d5c78efe77079f1ce4a5c0 diff -Nru python-vulndb-0.1.0/vulndb/version.txt python-vulndb-0.1.1/vulndb/version.txt --- python-vulndb-0.1.0/vulndb/version.txt 2018-05-04 19:05:36.000000000 +0000 +++ python-vulndb-0.1.1/vulndb/version.txt 2018-12-14 12:02:55.000000000 +0000 @@ -1 +1 @@ -0.1.0 +0.1.1 diff -Nru python-vulndb-0.1.0/vulndb.egg-info/PKG-INFO python-vulndb-0.1.1/vulndb.egg-info/PKG-INFO --- python-vulndb-0.1.0/vulndb.egg-info/PKG-INFO 2018-05-04 19:05:40.000000000 +0000 +++ python-vulndb-0.1.1/vulndb.egg-info/PKG-INFO 2018-12-14 12:10:39.000000000 +0000 @@ -1,12 +1,11 @@ Metadata-Version: 1.1 Name: vulndb -Version: 0.1.0 +Version: 0.1.1 Summary: Provides access to the vulndb information Home-page: https://github.com/vulndb/python-sdk/ Author: Andres Riancho Author-email: self@andresriancho.com License: BSD 3-clause -Description-Content-Type: UNKNOWN Description: Python SDK to access the `vulnerability database `_ .. image:: https://circleci.com/gh/vulndb/python-sdk/tree/master.svg?style=svg
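Review bot: In the debian/control hunk the Build-Depends line (`debhelper (>= 10), dh-python, python, python-setuptools`) still builds only a Python 2 module, so the Standards-Version bump to 4.2.1 is the only substantive change there. Since this upload is a new upstream release, it is worth checking whether vulndb 0.1.1 runs under Python 3 and, if it does, adding `python3` and `python3-setuptools` build dependencies and a python3-vulndb binary package ahead of Python 2's end of life, rather than carrying a Python 2 only package forward.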
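Review bot: In the vulndb/db/en/fix/11.md hunk the rewrapped text keeps the error in the list of hazardous characters, which reads `/r`, `/n`; these are the carriage return and line feed escapes and should be written `\r` and `\n` (CR 0x0D and LF 0x0A). The advice could also be tightened while it is being touched: a value carrying CR or LF should be rejected rather than "sanitised", and the header-setting APIs of most web frameworks already refuse such values, so the fix should point readers at those rather than at hand-rolled filtering of "potentially others".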
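Review bot: In the vulndb/db/en/fix/13.md hunk the second paragraph advises "filtering to remove extraneous user input (such as semicolons, periods etc.) and only permit `a-z0-9`"; stripping characters is weaker than rejecting the request, because a stripped value (for example `../etc` reduced to `etc`) silently resolves to a different file than the one asked for and tells an attacker which characters are filtered. The fix should say to reject any value that does not match the allowed pattern, and to canonicalise the resulting path and confirm it still lies under the intended directory before opening it, which also covers the dynamic-content case the paragraph worries about.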
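Review bot: In the vulndb/db/en/fix/17.md hunk the repaired sentence ("Configure your web server to include an `X-Frame-Options` header.") does not say which value to send, and the header only helps with `DENY` or `SAMEORIGIN`; the `ALLOW-FROM` form is not honoured by all browsers. The fix text should name those two values and mention the Content-Security-Policy `frame-ancestors` directive, which is the current standard mechanism and supports an allowlist of origins.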
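Review bot: In the vulndb/db/en/fix/18.md hunk the text still presents `autocomplete="off"` on the form tag or on an individual input as the remediation without a caveat: current mainstream browsers (Chrome, Firefox, Safari, Edge) ignore `autocomplete="off"` for login and password fields and offer to save the credentials anyway. The fix should state that the attribute is advisory and does not prevent credential storage in those browsers, so that readers do not close the finding on the strength of the attribute alone.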
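Review bot: In the vulndb/db/en/fix/19.md hunk the list of control operators to deny (`&`, `&&`, `|`, `||`, `$`, `\`, `#`) omits the most common ones: `;` and a newline separate commands, backticks and `$(...)` perform command substitution, and `<`, `>`, `(`, `)`, `{`, `}` are also shell metacharacters. Instead of enumerating a denylist the fix should recommend not invoking a shell at all (pass an argument vector to an `execve`-style API, e.g. `subprocess.run([...])` without `shell=True`) and keep the allowlist-by-expected-type advice ("only numbers and periods" for an IP address) as the input check.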
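Review bot: In the vulndb/db/en/fix/20.md hunk the example sentence reads "converting `<` to `<`", which as rendered says nothing; the entity reference `&lt;` has evidently been decoded somewhere between the source file and this diff. Check that 20.md itself contains the literal `&lt;` inside the code span and that whatever renders the database does not decode entities inside code spans, so that consumers of the SDK display the intended example.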
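Review bot: In the vulndb/db/en/fix/2.md hunk the closing sentence "These characters require ASCII escaping" is too vague to act on: for `(`, `)`, `\`, `*` and NUL the required form is a backslash followed by the two hex digits of the byte, i.e. `\28`, `\29`, `\5c`, `\2a`, `\00`, which is the LDAP search-filter escaping of RFC 4515, whereas the first list corresponds broadly to the DN special characters of RFC 4514 (escaped with a plain backslash) mixed with filter operators such as `&`, `!` and `|`. The text should say which list applies to DN components and which to search filters, and recommend the escaping functions of the LDAP library in use rather than hand-written replacements.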
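Review bot: In the vulndb/db/en/fix/4.md hunk the reflowed text still recommends enabling "SSL version 3.0 and TLS version 1.2" and says "the more common SSL is included"; this is wrong advice and should be corrected rather than rewrapped. SSL 3.0 is broken (POODLE, CVE-2014-3566) and was deprecated by RFC 7568 in 2015, so the fix should tell readers to disable SSL 2.0, SSL 3.0 and preferably TLS 1.0 and 1.1, and to enable TLS 1.2 and TLS 1.3 (RFC 8446); the "not all browsers will support this" justification for keeping SSL no longer holds.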
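Review bot: In the vulndb/db/en/fix/5.md hunk item 1 says the whitelist check "should be conducted on the MIME type of the file rather than its extension"; as written this invites checking the `Content-Type` the client sent in the multipart upload, which is attacker-controlled and no better than the extension. The text should say to derive the type from the file content (magic bytes, e.g. via libmagic), enforce the extension as well, and store the file under a server-generated name outside the web root.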
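Review bot: In the vulndb/db/en/fix/6.md hunk the remaining guidance ("Sanitization is best achieved using existing escaping libraries") does not match how NoSQL injection usually happens: with document stores such as MongoDB the common vector is an untrusted JSON object or query-string array reaching the query (for example a password field arriving as `{"$ne": ""}` instead of a string), which no string escaping addresses. The fix should tell readers to type-check inputs (require scalars where scalars are expected), reject keys beginning with `$`, and build queries from parameters rather than concatenation; escaping libraries matter mainly where the driver accepts query strings or JavaScript such as `$where`.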
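Review bot: In the vulndb/db/en/fix/7.md hunk (and likewise 17.md) the text had been exploded to one character per line, which looks like the database exporter iterated over a string where it expected a list of lines; the hunk repairs the output but nothing in the package prevents a recurrence. Suggest adding a test in the SDK that fails when any fix file consists of single-character lines, and giving the repaired sentence its terminating period ("... status code and body.").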