| Summary: | glpi XSS security issue (CVE-2012-4003) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, ed_rus099, guillomovitch, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | https://forge.indepnet.net/issues/3705 | | |
| Whiteboard: | MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-32-OK MGA2-64-OK | | |
| Source RPM: | glpi-0.80.7-2.mga2.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 7157 | | |
| Bug Blocks: | 6762 | | |

Description
David Walser
2012-08-20 21:45:04 CEST

David Walser
2012-08-20 21:45:31 CEST

CC: (none) => guillomovitch

David Walser
2012-08-20 21:46:59 CEST

Whiteboard: (none) => MGA1TOO

Couldn't make glpi run because of mysql errors, will try again next days to relax...(seriously)

CC: (none) => ed_rus099

Testing complete on Mageia 1 i586. Just testing that the package works. Added a location, and a computer entry.

Eduard, I ran into the same problem accessing the mysql server, even though I could access it using phpmyadmin. I replaced /etc/php.ini with /usr/share/doc/php-doc/php.ini-development, and restarted the httpd service, expecting it to provide a more detailed error message. I was able to access the mysql server in glpi. I had restarted the http server after installing glpi, so it looks like there is something in the default php.ini that is preventing glpi from accessing the mysql server.

I'll test Mageia 1 x86-64 and try to work out exactly which php.ini change(s) is(are) required to allow glpi to work.

CC: (none) => davidwhodgins

Forgot to note that the License display is blank.

Turns out commenting out the line "skip-networking" in /etc/my.cnf also works. Didn't have to use the dev php.ini.

On Mageia 1 x86-64, in the step "Checking of the compatibility of your environment with the execution of GLPI", I'm getting the error "Mbstring extension of your parser PHP is not installed", so it looks like there is a missing dependency for php-mbstring.

As this is a security update, I'll open a new bug report for the missing dependency and the missing license.

Once I installed php-mbstring, the program is working. Testing complete on Mageia 1 x86-64.

Whiteboard: MGA1TOO MGA1-32-OK => MGA1TOO MGA1-32-OK MGA1-64-OK

Testing Mageia 2 i586 shortly.

Testing complete on Mageia 2 i586. The missing php-mbstring dependency and blank license apply to Mageia 2 as well.

Testing Mageia 2 x86-64 shortly.

Whiteboard: MGA1TOO MGA1-32-OK MGA1-64-OK => MGA1TOO MGA1-32-OK MGA1-64-OK MGA1-32-OK

Bug 7157 opened for the missing requires and blank license.

Testing complete on Mageia 2 x86-64.

Could someone from the sysadmin team push the srpm glpi-0.80.7-2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm glpi-0.78.2-2.3.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated glpi package fixes security vulnerability:

Multiple XSS issues affecting glpi versions prior to 0.83.3 have been corrected (CVE-2012-4003).

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4003

https://forge.indepnet.net/issues/3705

http://www.glpi-project.org/spip.php?page=annonce&id_breve=275&lang=e

https://bugs.mageia.org/show_bug.cgi?id=7126

Keywords: (none) => validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0250

Status: NEW => RESOLVED