| Summary: | itop-itsm new security issue CVE-2020-15221 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Zombie Ryushu <zombie_ryushu> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, mageia |
| Version: | 8 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://nvd.nist.gov/vuln/detail/CVE-2020-15221 | ||
| Whiteboard: | MGA7TOO | ||
| Source RPM: | itop-itsm-2.7.1-1.mga8.src.rpm | CVE: | CVE-2020-15221 |
| Status comment: | |||
|
Description
Zombie Ryushu
2021-01-17 13:19:49 CET

Zombie Ryushu
2021-01-17 13:20:16 CET
CVE: (none) => CVE-2020-15221 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15221 https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw
Whiteboard: (none) => MGA7TOO

version 2.7.3
Freeze push asked for cauldron.
CC: (none) => mageia

itop-itsm-2.7.3-1.mga8 uploaded for Cauldron.
Version: Cauldron => 7

new version pushed in mga7:
src:
- itop-itsm-2.7.3-1.mga7
Status comment: Fixed upstream in 2.7.2 => (none)

Advisory:
========================

Updated itop-itsm package fixes security vulnerability:

By modifying target browser local storage, an XSS can be generated in the iTop console breadcrumb (CVE-2020-15221).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15221
https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw
========================

Updated packages in core/updates_testing:
========================
itop-itsm-2.7.3-1.mga7

from itop-itsm-2.7.3-1.mga7.src.rpm

I looked for previous updates to this, and came up dry. Then checked online, finding several tutorials that only served to show to me that this is far too complex for a novice to test adequately. So, I was going to go for a clean install over the old rpm, BUT...

No issues with the original install. But when I went to update, I get this:

1 installation transactions failed
There was a problem during the installation:
file /usr/share/itop-itsm/data from install of itop-itsm-2.7.3-1.mga7.noarch conflicts with file from package itop-itsm-2.0.3-5.mga7.noarch
file /usr/share/itop-itsm/log from install of itop-itsm-2.7.3-1.mga7.noarch conflicts with file from package itop-itsm-2.0.3-5.mga7.noarch

So, it's back in your hands, Nicolas.
CC: (none) => andrewsfarm
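The advisory above describes the bug only as an XSS reached through the browser's local storage being rendered into the console breadcrumb. What follows is an added illustration of that class of bug, not iTop's code and not the upstream fix: a breadcrumb renderer that trusts a JSON list read from local storage, beside one that treats every stored field as untrusted. The storage key, the entry shape and the URL policy are assumptions made for the demo, and the local-storage object is a stand-in so the script runs under Node without a DOM.

```javascript
// Added illustration of the CVE-2020-15221 bug class: breadcrumb labels
// taken from browser local storage and rendered as HTML without escaping.
// Not iTop's code; key name, entry shape and URL policy are assumptions.

// Stand-in for window.localStorage so this runs outside a browser.
const fakeLocalStorage = (() => {
  const store = new Map();
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => store.set(k, String(v)),
  };
})();

const BREADCRUMB_KEY = "demo.breadcrumb"; // hypothetical key name

// Entity-encode the characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Parse the stored list; anything unparsable or not an array becomes empty.
function loadEntries(storage) {
  let entries;
  try {
    entries = JSON.parse(storage.getItem(BREADCRUMB_KEY) || "[]");
  } catch (e) {
    return [];
  }
  return Array.isArray(entries) ? entries : [];
}

// Vulnerable pattern: the stored strings are concatenated straight into markup.
function renderBreadcrumbUnsafe(storage) {
  return loadEntries(storage)
    .map((e) => `<a href="${e.url}">${e.label}</a>`)
    .join(" / ");
}

// Hardened pattern: local storage is writable by any script on the origin (or by
// a user poking at devtools), so every field is validated and entity-encoded,
// and only same-origin relative paths are accepted as link targets.
function renderBreadcrumbSafe(storage) {
  return loadEntries(storage)
    .filter((e) => e && typeof e.label === "string" && typeof e.url === "string")
    .filter((e) => e.url === "/" || /^\/[^\/\\]/.test(e.url)) // no scheme, no protocol-relative URL
    .map((e) => `<a href="${escapeHtml(e.url)}">${escapeHtml(e.label)}</a>`)
    .join(" / ");
}

// Constructed sample: a planted breadcrumb carrying a script-bearing label
// and a javascript: link target.
const planted = [
  { url: "/pages/UI.php", label: "Home" },
  { url: "/pages/UI.php?x=1", label: '<img src=x onerror="alert(1)">' },
  { url: "javascript:alert(2)", label: "Link" },
];
fakeLocalStorage.setItem(BREADCRUMB_KEY, JSON.stringify(planted));

console.log("unsafe:", renderBreadcrumbUnsafe(fakeLocalStorage));
console.log("safe:  ", renderBreadcrumbSafe(fakeLocalStorage));
```

Run with node: the unsafe renderer returns the planted tag verbatim, so it would execute once assigned to innerHTML; the hardened one returns it entity-encoded and drops the javascript: entry entirely.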
David Walser
2021-03-27 21:53:24 CET
Keywords: (none) => feedback

itop-itsm-2.7.3-1.1.mga7
itop-itsm-2.7.3-1.1.mga8

should fix the upgrade from 2.0.3.

Also, webapp packages like this should be dropped as previously discussed.

Mageia 7 advisory in Comment 5.

Mageia 8 advisory (bugfix only):
-----------------

The itop-itsm package had an issue upgrading from Mageia 7. This has been corrected.
Keywords: feedback => (none)

First installed the 2.0.3 version. Not changing anything, pointed browser at http://localhost/itop-itsm and got error 403 access forbidden! So there is some config work on it, but in view of the purpose of this update, I left it at that.

Then tried to install the new update and immediately got:

1 installation transactions failed
There was a problem during the installation:
file /usr/share/itop-itsm/data from install of itop-itsm-2.7.3-1.1.mga7.noarch conflicts with file from package itop-itsm-2.0.3-5.mga7.noarch
file /usr/share/itop-itsm/log from install of itop-itsm-2.7.3-1.1.mga7.noarch conflicts with file from package itop-itsm-2.0.3-5.mga7.noarch
CC: (none) => herman.viaene

That makes no sense, the %pretrans I added should have fixed that.

I wish I had dropped this package before Mageia 8. Oh well.

Dropping this update.
Resolution: (none) => OLD