Bug 25931

Summary:	glpi new security issues fixed upstream in 9.4.3 and 9.4.4
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, guillomovitch, herman.viaene, sysadmin-bugs
Version:	7	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA7-64-OK
Source RPM:	glpi-9.4.2-1.mga7.src.rpm	CVE:
Status comment:	Fixed upstream in 9.4.4

Description David Walser 2019-12-23 18:54:46 CET

Fedora has issued advisories on July 1 and October 3:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ROTE7BNJCTAVIL4RSFUQYYYRBB3WWD54/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KGVXGT2LJGLCEMEGGOOWT26ERXONTM2J/

These are updates to 9.4.3 and 9.4.4, which fix security issues:
https://github.com/glpi-project/glpi/releases/tag/9.4.3
https://github.com/glpi-project/glpi/releases/tag/9.4.4

9.4.5, not yet in Cauldron, is just a bugfix release:
https://github.com/glpi-project/glpi/releases/tag/9.4.5

David Walser 2020-01-14 17:40:12 CET

Status comment: (none) => Fixed upstream in 9.4.4

Comment 1 David Walser 2020-01-18 20:32:01 CET

glpi-9.4.5-1.1.mga7 uploaded by Guillaume.  Thanks for the update.

Just a couple of notes though, this update should not have had a subrel, and when you do add one it should be immediately above the line that calls %mkrel (for consistency).

Comment 2 David Walser 2020-01-18 20:32:42 CET

Assigning to QA.  Advisory to come later.

CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs

Comment 3 Herman Viaene 2020-01-20 15:50:01 CET

MGA7-64 Plasma on Lenovo B50
No installation issues.
Make sure httpd and mysqld are installed and running
Ref bug 21331 for procedure, so as described:
run mysql_secure_installation
comment out the line plugin-load-add=cracklib_password_check.so in /etc/my.cnf.d/cracklib_password_check.cnf 
then run the commands to create the glpi database
point firefox to to localhost/glpi which brings me to http://localhost/glpi/install/install.php and gives me the glpi starting screen where to select the language.
Going on gives a list of checks on dependencies, where the exif extension is given as not present.According https://glpi-install.readthedocs.io/en/latest/prerequisites.html  this is not essential, so going on completes the installation and allows to login to glpi. I did not proceed any further as in previous updates. So OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-01-22 19:00:40 CET

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 David Walser 2020-01-23 17:05:34 CET

Advisory:
========================

Updated glpi packages fix security vulnerabilities:

The glpi package has been updated to version 9.4.5, fixing several bugs and
security issues.  See the upstream announcements for details.

References:
https://github.com/glpi-project/glpi/releases/tag/9.4.3
https://github.com/glpi-project/glpi/releases/tag/9.4.4
https://github.com/glpi-project/glpi/releases/tag/9.4.5
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ROTE7BNJCTAVIL4RSFUQYYYRBB3WWD54/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KGVXGT2LJGLCEMEGGOOWT26ERXONTM2J/

Comment 6 Lewis Smith 2020-01-27 21:26:44 CET

I took the advisory SRPM from comment 1.

Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-01-28 08:54:24 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0052.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED