From e5cdb6bcb6c17ad72d7a406ad5adc75aef0c2790 Mon Sep 17 00:00:00 2001
From: Nagalakshmi Veeramallu <nveeramallu@mvista.com>
Date: Fri, 29 Jun 2018 15:38:25 +0530
Subject: CVE-2018-11652 nikto: arbitray OS command injection via http server
 field.

CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers
to inject arbitrary OS commands via the Server field in an HTTP response header,
 which is directly injected into a CSV report.

Signed-off-by: Nagalakshmi Veeramallu <nveeramallu@mvista.com>
Reviewed-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
 recipes-security/nikto/nikto_2.1.5.bb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'recipes-security/nikto/nikto_2.1.5.bb')

diff --git a/recipes-security/nikto/nikto_2.1.5.bb b/recipes-security/nikto/nikto_2.1.5.bb
index 8080d4a..19eb14f 100644
--- a/recipes-security/nikto/nikto_2.1.5.bb
+++ b/recipes-security/nikto/nikto_2.1.5.bb
@@ -7,7 +7,8 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
 
 SRC_URI = "http://cirt.net/nikto/${BP}.tar.gz \
-           file://location.patch"
+           file://location.patch \
+           file://CVE-2018-11652.patch"
 
 SRC_URI[md5sum] = "efcc98a918becb77471ee9a5df0a7b1e"
 SRC_URI[sha256sum] = "0e672a6a46bf2abde419a0e8ea846696d7f32e99ad18a6b405736ee6af07509f"
-- 
cgit v1.2.3-54-g00ecf