| Summary: | glpi new security issue CVE-2014-9258 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | guillomovitch, herman.viaene, sysadmin-bugs, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/628326/ | ||
| Whiteboard: | advisory MGA4-32-OK MGA4-64-OK | ||
| Source RPM: | glpi-0.84.8-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 13789 | ||
|
Description
David Walser
2015-01-02 19:45:04 CET
David Walser
2015-01-02 19:45:41 CET
Version:
4 =>
Cauldron Fixed in glpi-0.84.8-2.mga5 in Cauldron. Version:
Cauldron =>
4 glpi-0.84.3-1.1.mga4, in update_testing, addresses CVE-2014-9258 and CVE-2014-5032. Thanks Guillaume. What about the other issue? It looks like it received CVE-2014-8360: https://forge.indepnet.net/issues/5101 https://forge.indepnet.net/issues/5113 Here's what I have for the advisory so far with just the two patches. Advisory: ======================== Updated glpi packages fix security vulnerabilities: Due to a bug in GLPI before 0.84.7, a user without access to cost information can in fact see the information when selecting cost as a search criteria (CVE-2014-5032). SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter (CVE-2014-9258). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5032 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9258 http://www.glpi-project.org/spip.php?page=annonce&id_breve=326&lang=en http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147296.html Patched package uploaded by Guillaume. Thanks again! Advisory: ======================== Updated glpi packages fix security vulnerabilities: Due to a bug in GLPI before 0.84.7, a user without access to cost information can in fact see the information when selecting cost as a search criteria (CVE-2014-5032). An issue in GLPI before 0.84.8 may allow arbitrary local files to be included by PHP through an autoload function (CVE-2014-8360). SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter (CVE-2014-9258). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5032 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8360 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9258 http://www.glpi-project.org/spip.php?page=annonce&id_breve=326&lang=en http://www.glpi-project.org/spip.php?page=annonce&id_breve=330&lang=en http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en http://tlk.tuxfamily.org/doku.php?id=writeup:cve-2014-8360 https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147296.html CC:
(none) =>
guillomovitch Whoops, forgot the package list. Advisory: ======================== Updated glpi package fixes security vulnerabilities: Due to a bug in GLPI before 0.84.7, a user without access to cost information can in fact see the information when selecting cost as a search criteria (CVE-2014-5032). An issue in GLPI before 0.84.8 may allow arbitrary local files to be included by PHP through an autoload function (CVE-2014-8360). SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter (CVE-2014-9258). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5032 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8360 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9258 http://www.glpi-project.org/spip.php?page=annonce&id_breve=326&lang=en http://www.glpi-project.org/spip.php?page=annonce&id_breve=330&lang=en http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en http://tlk.tuxfamily.org/doku.php?id=writeup:cve-2014-8360 https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147296.html ======================== Updated packages in core/updates_testing: ======================== glpi-0.84.3-1.2.mga4 from glpi-0.84.3-1.2.mga4.src.rpm MGA4-64 on HP Probook 6555b KDE No installation issues. After installing and initializing mysql, I could run the glpi initialization without problems. I will not test on MGA4-32 since that PC is too weak to run all this. CC:
(none) =>
herman.viaene In VirtualBox, M4, KDE, 32-bit Package(s) under test: glpi default install of glpi [root@localhost wilcal]# urpmi glpi Package glpi-0.84.3-1.mga4.noarch is already installed glpi installs without issue. I can run the glpi initialization without problems. install glpi from updates_testing [root@localhost wilcal]# urpmi glpi Package glpi-0.84.3-1.2.mga4.noarch is already installed glpi update installs without issue. System reboots back to a working desktop without issue. Install/setup continues to operate. Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver virtualbox-4.3.10-1.1.mga4.x86_64 virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64 CC:
(none) =>
wilcal.int This update works fine. Testing complete for mga4 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push this to updates. Thanks Keywords:
(none) =>
validated_update An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0017.html Status:
NEW =>
RESOLVED |