Security advisories for *mbank-cli* and the dependent libraries
===============================================================

2014-07-11: insecure module search path
---------------------------------------

Perl includes the current directory as the last element in the module search
path (``@INC``). If a Perl script is run in an untrusted directory (such as
``/tmp``), and it attempts to load a module that is not installed
system-wide, the script will try to load it from the untrusted directory,
potentially executing code that was planted there by a malicious local user.

This is a bug in Perl, but a work-around has been implemented in mbank-cli.

It is recommended that users upgrade to mbank-cli 1.2 (or a later version).

References:

   - https://www.nntp.perl.org/group/perl.perl5.porters/2010/08/msg162729.html
   - https://github.com/jwilk/mbank-cli/commit/143b94b2c14a


2014-05-01: missing certificate validation
------------------------------------------

Because of a bug in the LWP module, if the IO::Socket::SSL module was
installed, mbank-cli did not verify the SSL certificate, making
man-in-the-middle attacks feasible.

It is highly recommended that affected users:

   1) Upgrade mbank-cli to 20120617 (or a later version).

   2) Log out from any existing mbank-cli sessions.

   3) Change the mBank password.

References:

   - https://bugs.debian.org/746579
   - https://bugs.debian.org/788698
   - https://github.com/jwilk/mbank-cli/commit/7fa0c66d0e18


2014-04-09: Heartbleed
----------------------

The Heartbleed_ Bug (also known as CVE-2014-0160_) is a serious
vulnerability in the OpenSSL library. When the weakness is exploited it
leads to the leak of memory contents from the server to the client, or
from the client to the server.

mbank-cli uses the OpenSSL library under the hood to connect to the mBank
server. It is believed that exploiting Heartbleed to attack mbank-cli,
while difficult, is feasible.

It is highly recommended that users of affected versions of OpenSSL:

   1) Upgrade the OpenSSL library.

   2) Log out from any existing mbank-cli sessions.

   3) Change the mBank password.

.. _Heartbleed: https://heartbleed.com/
.. _CVE-2014-0160: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160


2012-02-15: insecure file permissions
-------------------------------------

mbank-cli did not ensure that files (including some of security-sensitive
nature, e.g. the session cookie store) are created with secure
permissions.

It is highly recommended that users:

   1) Upgrade to 20120215 (or a later version).

   2) Log out from any existing mbank-cli sessions.

   3) Truncate and unlink any files that were exposed to other local users.

Note that previous version of this advisory incorrectly stated that the bug
was fixed in 20110215.

References:

   - https://github.com/jwilk/mbank-cli/commit/1e29af6c0fd3


2009-12-08: insufficient certificate validation
-----------------------------------------------

mbank-cli did not check whether the server hostname matches the Common Name
(CN) of the SSL certificate, making man-in-the-middle attacks feasible.

It is highly recommended that users:

   1) Upgrade mbank-cli to 20091208 (or a later version).

   2) Log out from any existing mbank-cli sessions.

   3) Change the mBank password.

References:

   - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0633
   - https://github.com/jwilk/mbank-cli/commit/f67189bd242a

.. vim:ft=rst tw=76 ts=3 sts=3 sw=3 et
