Fedora has issued an advisory on July 9:
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135525.html

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Note to QA: there is a PoC link on this page:
http://packetstormsecurity.com/files/127295/ocsinventoryng-xss.txt

Advisory:
========================

Updated ocsinventory packages fix security vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in the OCS Reports Web
Interface in OCS Inventory NG allow remote attackers to inject arbitrary web
script or HTML via unspecified vectors (CVE-2014-4722).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4722
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135525.html
========================

Updated packages in core/updates_testing:
========================
ocsinventory-server-2.0.5-2.1.mga3
ocsinventory-reports-2.0.5-2.1.mga3
ocsinventory-server-2.0.5-3.1.mga4
ocsinventory-reports-2.0.5-3.1.mga4

from SRPMS:
ocsinventory-2.0.5-2.1.mga3.src.rpm
ocsinventory-2.0.5-3.1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
See bug 7222 comment 0 and bug 7222 comment 5 for basic instructions about what should be done to test this update. Basically you have to install both ocsinventory-* packages and browse to http://localhost/ocsinventory-reports/install.php to start the installation. There's a link to a video PoC here: http://www.securityfocus.com/archive/1/archive/1/532664/100/0/threaded
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Validating this. See the discussion in the QA meeting: http://meetbot.mageia.org/mageia-qa/2014/mageia-qa.2014-07-31-19.02.log.html#l-30 The advisory still needs to be uploaded. Please push this to core/updates for Mageia 3 and Mageia 4.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure advisory
Testing on Mageia 4 i586, the update candidate installs fine. I can't start httpd out of the box, so I can't try to install ocs-inventory-reports to follow the procedure linked in comment 1.

# systemctl status httpd
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: failed (Result: exit-code) since Mon 2014-08-04 22:24:17 CEST; 1min 19s ago
  Process: 5549 ExecStop=/usr/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
  Process: 5548 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 5548 (code=exited, status=1/FAILURE)

Aug 04 22:24:17 localhost systemd[1]: Starting The Apache HTTP Server...
Aug 04 22:24:17 localhost httpd[5548]: AH00526: Syntax error on line 313 of /etc/httpd/conf/sites.d/ocsinventory-server.conf:
Aug 04 22:24:17 localhost httpd[5548]: Unknown Authz provider: SOAP_USER
Aug 04 22:24:17 localhost systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Aug 04 22:24:17 localhost systemd[1]: Failed to start The Apache HTTP Server.
Aug 04 22:24:17 localhost systemd[1]: Unit httpd.service entered failed state.
Aug 04 22:25:14 localhost systemd[1]: Unit httpd.service cannot be reloaded because it is inactive.

Removing the validated_update keyword for now, I'd like to know if this error is expected, or if it is another bug affecting ocsinventory (note that the same issue is present with the version from Core Release).
Keywords: validated_update => (none)
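For readers hitting the same startup failure: in Apache httpd 2.4 the first word after `Require` is the name of a mod_authz_core authorization provider (`user`, `group`, `valid-user`, `ip`, `all`, ...), and any other token is rejected at configuration parse time with exactly this "Unknown Authz provider" message, so httpd never starts. The fragment below is an added illustration of that class of mistake and of the 2.4-compatible form, written for this page; it is not the contents of Mageia's ocsinventory-server.conf (which this bug does not quote), and the `/ocsinterface` location, the htpasswd path and the `soap-user` account name are assumed values.

```apache
# Constructed illustration, not the Mageia or upstream OCS configuration.
# Location, htpasswd path and user name are assumptions.

# Broken under httpd 2.4: "SOAP_USER" is not an authorization provider, so
# the server logs "AH00526: Syntax error ... Unknown Authz provider: SOAP_USER"
# and refuses to start.  Order/Deny/Allow are 2.2-era mod_access_compat
# directives.
<Location /ocsinterface>
    Order deny,allow
    Deny from all
    Allow from all
    AuthType Basic
    AuthName "OCS Inventory SOAP Area"
    AuthUserFile /etc/httpd/conf/ocsinventory-server.htpasswd
    Require SOAP_USER
</Location>

# Same policy in a form both 2.2 and 2.4 accept: the provider name comes
# first ("user"), followed by its argument, and the 2.2-only access
# directives are confined to a block that 2.4 skips.
<Location /ocsinterface>
    AuthType Basic
    AuthName "OCS Inventory SOAP Area"
    AuthUserFile /etc/httpd/conf/ocsinventory-server.htpasswd
    <IfModule mod_authz_core.c>
        # httpd 2.4: only the named account, after Basic auth succeeds
        Require user soap-user
    </IfModule>
    <IfModule !mod_authz_core.c>
        # httpd 2.2
        Order deny,allow
        Allow from all
        Require user soap-user
    </IfModule>
</Location>
```

The check to run before restarting the service is `httpd -t` (or `apachectl configtest`): it reports the same AH00526 line and file number without taking the server down, which is how a packager would catch a 2.4-incompatible `Require` line in an update candidate before QA does.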
Fixed.

Advisory:
========================

Updated ocsinventory packages fix security vulnerability:

Multiple cross-site scripting (XSS) vulnerabilities in the OCS Reports Web
Interface in OCS Inventory NG allow remote attackers to inject arbitrary web
script or HTML via unspecified vectors (CVE-2014-4722).

Also, the web interface has been fixed to work with Apache HTTPD 2.4.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4722
https://lists.fedoraproject.org/pipermail/package-announce/2014-July/135525.html
========================

Updated packages in core/updates_testing:
========================
ocsinventory-server-2.0.5-2.2.mga3
ocsinventory-reports-2.0.5-2.2.mga3
ocsinventory-server-2.0.5-3.2.mga4
ocsinventory-reports-2.0.5-3.2.mga4

from SRPMS:
ocsinventory-2.0.5-2.2.mga3.src.rpm
ocsinventory-2.0.5-3.2.mga4.src.rpm
Whiteboard: MGA3TOO has_procedure advisory => MGA3TOO has_procedure
That was fast, thanks! Advisory updated.
Testing on Mageia 4 64bit using the procedure linked in comment 1, and these instructions from William in bug 13256:

> Setup mariadb
> In root terminal: systemctl start mysqld.service
> Set password to: testmaria
> [root@localhost wilcal]# mysqladmin -u root password
> type password "testmaria" twice

Configured the ocsinventory install with the root user and the defined testmaria password. The installation proceeds and leads to a working instance of ocsinventory (with default login/password admin/admin).
Whiteboard: MGA3TOO has_procedure advisory => MGA3TOO has_procedure MGA4-64-OK advisory
It would be good to have a quick test on Mageia 3 before we can validate again IMO.
(In reply to Rémi Verschelde from comment #8)
> It would be good to have a quick test on Mageia 3 before we can validate
> again IMO.

It'd be nice, but the package is exactly the same...
Testing complete on Mageia 3 32bit.
Whiteboard: MGA3TOO has_procedure MGA4-64-OK advisory => MGA3TOO has_procedure MGA3-32-OK MGA4-64-OK advisory
Validating update, the advisory has already been uploaded. Please push to 3 & 4 core/updates.
Keywords: (none) => validated_update
Update pushed. http://advisories.mageia.org/MGASA-2014-0317.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED