Fedora has issued an advisory on December 23:
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147296.html

This issue was fixed upstream in 0.85.1:
http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en
https://forge.indepnet.net/issues/5147

Fedora has backported the patch to 0.84.x, which we also have in Mageia 4 and Cauldron:
http://pkgs.fedoraproject.org/cgit/glpi.git/plain/glpi-0.84-CVE-2014-9258.patch?h=f21&id=06e8e7fe81dbf4854d19c1d9a2023731e3b4420e

Additionally, a security issue was fixed upstream in 0.84.8, which we already have in Cauldron, but 0.84.3 in Mageia 4 would still be affected:
http://www.glpi-project.org/spip.php?page=annonce&id_breve=330&lang=en
https://forge.indepnet.net/issues/5101

Finally, we still have CVE-2014-5032 unfixed in Mageia 4 (Bug 13789). We deferred fixing it when it was reported, but we can fix it now when we do an update for Mageia 4.

Version: 4 => Cauldron
Blocks: (none) => 13789
Whiteboard: (none) => MGA4TOO
Fixed in glpi-0.84.8-2.mga5 in Cauldron.
Version: Cauldron => 4
Whiteboard: MGA4TOO => (none)
glpi-0.84.3-1.1.mga4, in update_testing, addresses CVE-2014-9258 and CVE-2014-5032.
Thanks Guillaume. What about the other issue? It looks like it received CVE-2014-8360:
https://forge.indepnet.net/issues/5101
https://forge.indepnet.net/issues/5113

Here's what I have for the advisory so far with just the two patches.

Advisory:
========================

Updated glpi packages fix security vulnerabilities:

Due to a bug in GLPI before 0.84.7, a user without access to cost information can in fact see the information when selecting cost as a search criterion (CVE-2014-5032).

SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter (CVE-2014-9258).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5032
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9258
http://www.glpi-project.org/spip.php?page=annonce&id_breve=326&lang=en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147296.html

Patched package uploaded by Guillaume. Thanks again!

Advisory:
========================

Updated glpi packages fix security vulnerabilities:

Due to a bug in GLPI before 0.84.7, a user without access to cost information can in fact see the information when selecting cost as a search criterion (CVE-2014-5032).

An issue in GLPI before 0.84.8 may allow arbitrary local files to be included by PHP through an autoload function (CVE-2014-8360).

SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter (CVE-2014-9258).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5032
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8360
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9258
http://www.glpi-project.org/spip.php?page=annonce&id_breve=326&lang=en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=330&lang=en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en
http://tlk.tuxfamily.org/doku.php?id=writeup:cve-2014-8360
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147296.html

CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs

Whoops, forgot the package list.

Advisory:
========================

Updated glpi package fixes security vulnerabilities:

Due to a bug in GLPI before 0.84.7, a user without access to cost information can in fact see the information when selecting cost as a search criterion (CVE-2014-5032).

An issue in GLPI before 0.84.8 may allow arbitrary local files to be included by PHP through an autoload function (CVE-2014-8360).

SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter (CVE-2014-9258).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5032
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8360
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9258
http://www.glpi-project.org/spip.php?page=annonce&id_breve=326&lang=en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=330&lang=en
http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en
http://tlk.tuxfamily.org/doku.php?id=writeup:cve-2014-8360
https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147296.html
========================

Updated packages in core/updates_testing:
========================
glpi-0.84.3-1.2.mga4

from glpi-0.84.3-1.2.mga4.src.rpm
MGA4-64 on HP Probook 6555b KDE

No installation issues.
After installing and initializing mysql, I could run the glpi initialization without problems.
I will not test on MGA4-32 since that PC is too weak to run all this.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-64-OK

In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
glpi

default install of glpi

[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.mga4.noarch is already installed

glpi installs without issue. I can run the glpi initialization without problems.

install glpi from updates_testing

[root@localhost wilcal]# urpmi glpi
Package glpi-0.84.3-1.2.mga4.noarch is already installed

glpi update installs without issue. System reboots back to a working desktop without issue. Install/setup continues to operate.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
This update works fine.
Testing complete for mga4 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Comment 6 advisory uploaded.
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0017.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED