| Summary: | ntop new security issue CVE-2014-4165 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | rverschelde, shlomif, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/640807/ | ||
| Whiteboard: | has_procedure advisory MGA4-64-OK MGA4-32-OK | ||
| Source RPM: | ntop-5.0.1-4.mga4.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2015-04-17 17:33:49 CEST
David Walser
2015-04-17 17:33:55 CEST
Whiteboard: (none) => MGA5TOO, MGA4TOO
David Walser
2015-04-17 18:22:44 CEST
URL: (none) => http://lwn.net/Vulnerabilities/640807/

Patched packages uploaded for Mageia 4 and Cauldron.

See the PoC information linked in Comment 0.

Advisory:
========================

Updated ntop package fixes security vulnerability:

Lack of filtering in the title parameter of links to rrdPlugin allowed cross-site-scripting (XSS) attacks against users of the web interface (CVE-2014-4165).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4165
http://lists.opensuse.org/opensuse-updates/2015-04/msg00029.html
========================

Updated packages in core/updates_testing:
========================
ntop-5.0.1-4.1.mga4

from ntop-5.0.1-4.1.mga4.src.rpm

Version: Cauldron => 4

MGA4-64-OK - ing (in an x86-64 VBox VM) - ntop is vulnerable before the upgrade to the package from updates_testing and not vulnerable afterwards. I had to tweak the PoC a little to get it to work.

CC: (none) => shlomif

(In reply to Shlomi Fish from comment #2)
> MGA4-64-OK - ing (in an x86-64 VBox VM) - ntop is vulnerable before the
> upgrade to the package from updates_testing and not vulnerable afterwards. I
> had to tweak the PoC a little to get it to work.

Similarly, MGA4-32-OK in a VBox i586 VM.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0168.html

Status: NEW => RESOLVED

(In reply to Mageia Robot from comment #5)
> An update for this issue has been pushed to Mageia Updates repository.
>
> http://advisories.mageia.org/MGASA-2015-0168.html

"to Mageia" should preferably be "to the Mageia". Where are the sources of the Mageia Robot so it can be fixed?

(In reply to Shlomi Fish from comment #6)
> (In reply to Mageia Robot from comment #5)
> > An update for this issue has been pushed to Mageia Updates repository.
> >
> > http://advisories.mageia.org/MGASA-2015-0168.html
>
> "to Mageia" should preferably be "to the Mageia". Where are the sources of
> the Mageia Robot so it can be fixed?

Here:
http://gitweb.mageia.org/software/infrastructure/mgaadvisories/tree/lib/MGA/Advisories.pm#n711

CC: (none) => rverschelde

(In reply to Rémi Verschelde from comment #7)
> (In reply to Shlomi Fish from comment #6)
> > (In reply to Mageia Robot from comment #5)
> > > An update for this issue has been pushed to Mageia Updates repository.
> > >
> > > http://advisories.mageia.org/MGASA-2015-0168.html
> >
> > "to Mageia" should preferably be "to the Mageia". Where are the sources of
> > the Mageia Robot so it can be fixed?
>
> Here:
> http://gitweb.mageia.org/software/infrastructure/mgaadvisories/tree/lib/MGA/
> Advisories.pm#n711

Many thanks! I fixed it there.