An XSS vulnerability in ganglia-web 3.5.10 was reported:
http://openwall.com/lists/oss-security/2013/11/26/4

It was assigned CVE-2013-6395:
http://openwall.com/lists/oss-security/2013/11/26/12

The patch in the first oss-security message is the same as the one in the Debian bug, but it looks like a different patch was submitted in the GitHub pull request mentioned on the Debian bug:
https://github.com/SesterhennEric/ganglia-web/commit/91f9d9893f0a349521710a542af09ba2d69dcf81

I'm not sure if version 3.5.4 in Mageia 3 is affected.
Blocks: (none) => 11726
(In reply to David Walser from comment #0)
> I'm not sure if version 3.5.4 in Mageia 3 is affected.

How do we find out? Apply the patch to it and try building it?
Status: NEW => ASSIGNED
(In reply to Johnny A. Solbu from comment #1)
> (In reply to David Walser from comment #0)
> > I'm not sure if version 3.5.4 in Mageia 3 is affected.
>
> How do we find out? Apply the patch to it and try building it?

Yeah, if the affected code looks reasonably similar, it's probably affected. If you're really unsure, maybe asking upstream could help too.
Fixed and submitted to Cauldron
Thanks Johnny! Fixed in ganglia-web-3.5.10-3.mga4.

The upstream advisory contains more information that may be helpful:
http://www.rusty-ice.de/advisory/advisory_2013002.txt

Under problem description there is a sample URL you can use as a proof of concept to reproduce the vulnerability. You could use that to test the Mageia 3 version to see if it's affected (as well as verifying that it's now fixed in Cauldron).
(In reply to David Walser from comment #4)
> Under problem description there is a sample URL you can use as a proof of
> concept to reproduce the vulnerability. You could use that to test the
> Mageia 3 version to see if it's affected

And it seems to also affect mga3. When I patched and installed the patched version, the popup didn't appear. Will commit the fix for mga3 in a few minutes.
Whiteboard: (none) => MGA3TOO
I have uploaded updated packages for Mageia 3.

Suggested advisory:
===
It is possible to execute JavaScript in a victim's browser after tricking the victim into opening a specially crafted URL. This update fixes this.
===

Source RPM:
ganglia-web-3.5.4-2.1.mga3.src.rpm

Updated Mageia 3 packages in core/updates_testing:
ganglia-web-3.5.4-2.1.mga3
CC: (none) => cooker
Assignee: cooker => qa-bugs
Thanks Johnny!

Advisory:
========================

Updated ganglia-web package fixes security vulnerability:

XSS issue in ganglia-web makes it possible to execute JavaScript in victims' browser after tricking the victim into opening a specially crafted URL (CVE-2013-6395).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6395
http://www.rusty-ice.de/advisory/advisory_2013002.txt
========================

Updated packages in core/updates_testing:
========================
ganglia-web-3.5.4-2.1.mga3

from ganglia-web-3.5.4-2.1.mga3.src.rpm
Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)
Advisory 11782.adv committed to svn. Note there is a poc in the referenced advisory.
CC: (none) => davidwhodgins
Whiteboard: (none) => advisory has_procedure
On Mageia 3, i586, before installing the update,
http://localhost/ganglia/?r=custom&cs=1&ce=1&s=by+name&c=1&h=&host_regex=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E&max_graphs=0&tab=m&vn=&hide-hf=false&sh=1&z=small&hc=0
does execute the javascript.

Also noticed error from systemctl -a status gmond.service
...
Nov 30 09:45:47 i3v.hodgins.homeip.net systemd[1]: Started Ganglia Meta Daemon.
Nov 30 09:45:47 i3v.hodgins.homeip.net /usr/sbin/gmond[5059]: [PYTHON] Can't open the python module path /usr/lib/ganglia/python_modules.
Nov 30 09:45:47 i3v.hodgins.homeip.net /usr/sbin/gmond[5059]: Module python_module failed to initialize.

ganglia-web is working, but it doesn't appear that gmond is actually gathering any data.

On Mageia 3, x86_64, despite a similar error, /usr/lib64 instead of /usr/lib, it's clear it is gathering data.

After installing the update, the javascript does not get executed.

I'll open a bug report for ganglia-core on i586, then validate this update.
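The before/after check from the comment above can be scripted for QA; the following is an added example, not part of the original thread and not ganglia-web code. The function names and the `render()` page are assumptions constructed for illustration, and only the PoC URL comes from the thread.

```python
import html
from urllib.parse import parse_qs, urlsplit

# PoC URL as quoted in the QA comment above.
POC_URL = (
    "http://localhost/ganglia/?r=custom&cs=1&ce=1&s=by+name&c=1&h="
    "&host_regex=%27%3E%3Cscript%3Ealert%281%29%3C/script%3E"
    "&max_graphs=0&tab=m&vn=&hide-hf=false&sh=1&z=small&hc=0"
)


def payload_from_url(url, param="host_regex"):
    """Return the URL-decoded value of `param` from the query string."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)[param][0]


def classify_reflection(body, payload):
    """Report how `payload` shows up in an HTML response body.

    "vulnerable": reflected verbatim, so the markup is live in the page.
    "escaped":    present only after entity-decoding (any entity spelling,
                  e.g. &#039; or &#x27;), so it was output-encoded.
    "absent":     not reflected at all.
    Only a verbatim match is checked; partial encoding is not graded.
    """
    if payload in body:
        return "vulnerable"
    if payload in html.unescape(body):
        return "escaped"
    return "absent"


def render(value, escape):
    """Constructed stand-in page (assumption): echoes the value into a
    single-quoted attribute. This is not ganglia-web's real markup."""
    shown = html.escape(value, quote=True) if escape else value
    return f"<form><input name='host_regex' value='{shown}'></form>"


if __name__ == "__main__":
    payload = payload_from_url(POC_URL)
    for label, escape in (("before update", False), ("after update", True)):
        print(label, "->", classify_reflection(render(payload, escape), payload))
```

Against a real test install, `body` would be the response fetched for the PoC URL before and after installing the update.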
Bug 11835 opened for the data gathering problem on i586. Someone from the sysadmin team please push 11782.adv to updates.
Keywords: (none) => validated_update
Whiteboard: advisory has_procedure => advisory has_procedure MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
Blocks: 11726 => (none)
Update pushed: http://advisories.mageia.org/MGASA-2013-0361.html
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/575366/