Bug 15608 - glpi new security issue fixed upstream in 0.85.3
Summary: glpi new security issue fixed upstream in 0.85.3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/639227/
Whiteboard: advisory mga4-32-ok mga4-64-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-04-01 18:58 CEST by David Walser
Modified: 2015-05-11 22:11 CEST (History)
4 users (show)

See Also:
Source RPM: glpi-0.84.8-2.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-04-01 18:58:48 CEST
Fedora has issued an advisory on March 26:
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/154116.html

The RedHat bug says that the issue is fixed in 0.85.3:
https://bugzilla.redhat.com/show_bug.cgi?id=1194196

I don't see a release announcement upstream yet.

Fedora added this patch from the 0.84 branch in Fedora 21:
http://pkgs.fedoraproject.org/cgit/glpi.git/plain/glpi-0.84-bug5218.patch?h=f21&id=facea57d576dda9f4f2e01ec5065f38301b957b5

Mageia 4 and Mageia 5 are affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-04-01 19:01:19 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

David Walser 2015-04-06 23:50:36 CEST

URL: (none) => http://lwn.net/Vulnerabilities/639227/

Comment 1 David Walser 2015-04-09 19:16:41 CEST
Here's the Fedora advisory for the Fedora 21 update:
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154284.html
Comment 2 David Walser 2015-04-30 18:09:58 CEST
Ping?
David Walser 2015-05-04 23:51:10 CEST

Blocks: (none) => 14674

Comment 3 Nicolas Lécureuil 2015-05-11 08:24:23 CEST
cauldron is fixed.
I will look for mga4

CC: (none) => mageia

Comment 4 Nicolas Lécureuil 2015-05-11 08:32:41 CEST
fixed package is in mga4 core/updates_testing
Comment 5 David Walser 2015-05-11 14:01:00 CEST
Patched packages uploaded for Mageia 4 and Cauldron.  Thanks Nicolas!

They did finally post a release announcement for 0.85.3 upstream:
http://www.glpi-project.org/spip.php?page=annonce&id_breve=338&lang=en

Advisory:
========================

Updated glpi package fixes security vulnerability:

Any user who has the rights to create a new user can create a super-admin
user.

References:
https://forge.indepnet.net/issues/5218
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154284.html
========================

Updated packages in core/updates_testing:
========================
glpi-0.84.3-1.3.mga4

from glpi-0.84.3-1.3.mga4.src.rpm

CC: (none) => guillomovitch
Version: Cauldron => 4
Blocks: 14674 => (none)
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
Severity: normal => major

Comment 6 claire robinson 2015-05-11 15:26:09 CEST
Testing complete mga4 32 

Just ensuring it updates cleanly during mga5 final release cycle.

Whiteboard: (none) => mga4-32-ok

Comment 7 Shlomi Fish 2015-05-11 17:20:36 CEST
(In reply to claire robinson from comment #6)
> Testing complete mga4 32 
> 
> Just ensuring it updates cleanly during mga5 final release cycle.

Package update cleanly on MGA4-64-OK on a VBox x86-64 VM.

CC: (none) => shlomif
Whiteboard: mga4-32-ok => mga4-32-ok mga4-64-ok

Comment 8 claire robinson 2015-05-11 17:25:28 CEST
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: mga4-32-ok mga4-64-ok => advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2015-05-11 22:11:30 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0204.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.