Mandriva issued this advisory on February 6: http://www.mandriva.com/support/security/advisories/?dis=mes5&name=MDVSA-2012:014 The vulnerability affects versions before 0.80.2 (we have 0.78.2), and MDV updated it to version 0.80.6 to address the vulnerability.
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Keywords: (none) => Triaged
Assignee: bugsquad => guillomovitch
Updating to a new version seems a bad idea there, as it requires updating the plugins too (additional work for the maintainer) and upgrading the database too (additional work for the end user). I'd rather try to backport the fix.
Status: NEW => ASSIGNED
Right now it's up to your discretion as the maintainer. MDV only updated the version in MES5, which we don't *officially* support upgrading from. So far they haven't issued an update for the version in MDV 2010.2. I'll let you know if they do.
FYI, I just saw 0.80.7 announced as a security fix upstream: https://forge.indepnet.net/issues/3338 Also, here is the reference for the security fix in 0.80.2: https://forge.indepnet.net/issues/3017 Upstream has noted several bugs fixed in each of the updates, but hasn't identified any others as security bugs.
Mandriva issued the 0.80.7 update for MES5 today (February 10). Here's the link (mainly passing it along for the advisory info): http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:016
I just submitted glpi-0.78.2-2.1.mga1 with the two upstream patches applied. Here's an advisory.

This GLPI update fixes two security issues:

The autocompletion functionality in GLPI before 0.80.2 does not blacklist certain username and password fields, which allows remote attackers to obtain sensitive information via a crafted POST request (CVE-2011-2720).

GLPI before 0.80.7 fails to properly sanitize the GET 'sub_type' parameter in the front/popup.php file, which could be used by an authenticated user for remote file inclusion (RFI) (CVE-2012-1037).
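The second issue in the advisory is the classic shape of a file-inclusion bug: a request parameter selects which file gets included. The following is an added illustration of the defensive pattern that closes that class of bug, written for this page; it is not GLPI's code or the upstream patch, and the `sub_type` values, file names and directory are invented for the example. The point is that the raw parameter is only ever used as a lookup key into a fixed allowlist, never spliced into a path.

```php
<?php
// Added example (not GLPI's own code or the upstream fix): map a
// user-supplied "sub_type" value to an include file only through a
// fixed allowlist, so the request can never name an arbitrary file.

// Hypothetical mapping of permitted sub_type values to the files that
// implement them. The keys are the only strings a request may supply.
const SUB_TYPE_FILES = [
    'computer' => 'popup_computer.php',
    'printer'  => 'popup_printer.php',
    'software' => 'popup_software.php',
];

/**
 * Return the include path for $subType, or null when the value is not on
 * the allowlist. The returned path is built from the allowlist entry,
 * never from the request string itself.
 */
function resolveSubTypeInclude(string $subType, string $baseDir): ?string
{
    // Strict key lookup: traversal sequences, URLs, stream wrappers and
    // null-byte variants are all simply absent from the map and rejected.
    if (!array_key_exists($subType, SUB_TYPE_FILES)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . SUB_TYPE_FILES[$subType];
}

// Constructed sample values standing in for $_GET['sub_type'].
// Only the first one is expected to resolve; the rest are rejected.
$samples = [
    'computer',
    'http://example.invalid/x',
    '../../etc/passwd',
    "computer\0",
];

foreach ($samples as $value) {
    $path = resolveSubTypeInclude($value, '/var/www/glpi/front');
    printf("%-30s => %s\n", json_encode($value), $path ?? 'REJECTED');
}
```

Running the script prints the resolved path for `computer` and `REJECTED` for the other three. Note that the check is a key lookup rather than a blacklist of bad characters: a denylist has to anticipate every encoding an attacker might use, whereas an allowlist only has to know the handful of values the application actually supports.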
Thanks Guillaume. Assigning to QA. Here's a reference URL list for the advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1037
http://seclists.org/fulldisclosure/2012/Feb/157
CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs
I've found install info at http://blog.famillecollet.com/pages/OCS-GLPI-en Do the ocsinventory packages (agent, reports, and server) have to be installed too, or can glpi work without them? Btw, I noticed when it asks to accept the license, the license is blank. Haven't checked to see if that's a regression, although I doubt it.
CC: (none) => davidwhodgins
glpi works perfectly without ocs, and if you really need an agent to automatically collect inventory, fusioninventory is a better choice.
In the glpi setup, I keep getting "Can't connect to MySQL server on '127.0.0.1' (111)". The server is running, and I've double checked the mysql id and password. Suggestions?
Figured it out. I had to comment out the line skip-networking in /etc/my.cnf, and set the password for the glpi user on the host localhost. For some reason it doesn't work if it's only specified for the host "Any". Note from the install instructions, the initial login once the database has been initialized is user glpi with password glpi, not the mysql password.

Testing complete on i586 for the srpm glpi-0.78.2-2.1.mga1.src.rpm. I added a user under administration, and then a computer under inventory.
I'm having problems testing this. I performed the mysql steps apart from one ocs one which failed as ocsinventory is not installed. I am unable to connect to localhost/glpi, it says connection was reset, so I'm not able to reach the setup. I checked /etc/httpd/conf/webapps.d/glpi.conf and it seems to be OK but still unable to connect for some reason.
Problem solved, I had to remove php-suhosin. Testing x86_64.
Completed setup and logged in as each user, created a new note as glpi and viewed it as tech. Created a user and a computer with various bits of information. Testing complete x86_64.

Advisory
----------
This GLPI update fixes two security issues:

The autocompletion functionality in GLPI before 0.80.2 does not blacklist certain username and password fields, which allows remote attackers to obtain sensitive information via a crafted POST request (CVE-2011-2720).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2720

GLPI before 0.80.7 fails to properly sanitize the GET 'sub_type' parameter in the front/popup.php file, which could be used by an authenticated user for remote file inclusion (RFI) (CVE-2012-1037).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1037
http://seclists.org/fulldisclosure/2012/Feb/157
-------------
SRPM: glpi-0.78.2-2.1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates. Thank you!
Keywords: Triaged => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
update pushed
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED