Mageia Bugzilla – Bug 11782
ganglia-web new security issue CVE-2013-6395
Last modified: 2013-12-02 16:43:36 CET
An XSS vulnerability in ganglia-web 3.5.10 was reported:
It was assigned CVE-2013-6395:
The patch in the first oss-security message is the same as the one in the debian bug, but it looks like a different patch was submitted in the github pull request mentioned on the debian bug:
I'm not sure if version 3.5.4 in Mageia 3 is affected.
Steps to Reproduce:
(In reply to David Walser from comment #0)
> I'm not sure if version 3.5.4 in Mageia 3 is affected.
How do we find out? Apply the patch to it and try building it?
(In reply to Johnny A. Solbu from comment #1)
> (In reply to David Walser from comment #0)
> > I'm not sure if version 3.5.4 in Mageia 3 is affected.
> How do we find out? Apply the patch to it and try building it?
Yeah, if the affected code looks reasonably similar, it's probably affected. If you're really unsure, maybe asking upstream could help too.
Fixed and submitted to Cauldron
Thanks Johnny! Fixed in ganglia-web-3.5.10-3.mga4.
The upstream advisory contains more information that may be helpful:
Under problem description there is a sample URL you can use as a proof of concept to reproduce the vulnerability. You could use that to test the Mageia 3 version to see if it's affected (as well as verifying that it's now fixed in Cauldron).
(In reply to David Walser from comment #4)
> Under problem description there is a sample URL you can use as a proof of
> concept to reproduce the vulnerability. You could use that to test the
> Mageia 3 version to see if it's affected
And it sems to also affect mga3. When I patched and installed the patched version, the popup didn't appear. Will commit the fix for mga3 in a few minutes.
I have uploaded updated packages for mageia 3
This update fixes this.
Updated mageia 3 packages in core/updates_testing:
Updated ganglia-web package fixes security vulnerability:
browser after tricking the victim into opening a specially crafted URL
Updated packages in core/updates_testing:
Advisory 11782.adv committed to svn.
Note there is a poc in the referenced advisory.
On Mageia 3, i586, before installing the update,
Also noticed error from systemctl -a status gmond.service ...
Nov 30 09:45:47 i3v.hodgins.homeip.net systemd: Started Ganglia Meta Daemon.
Nov 30 09:45:47 i3v.hodgins.homeip.net /usr/sbin/gmond: [PYTHON] Can't open the python module path /usr/lib/ganglia/python_modules.
Nov 30 09:45:47 i3v.hodgins.homeip.net /usr/sbin/gmond: Module python_module failed to initialize.
ganglia-web is working, but it doesn't appear that gmond is actually
gathering any data.
On Mageia 3, x86_64, despite a similar error, /usr/lib64 instead of /usr/lib,
it's clear it is gathering data.
I'll open a bug report for ganglia-core on i586, then validate this update.
Bug 11835 opened for the data gathering problem on i586.
Someone from the sysadmin team please push 11782.adv to updates.