Bug 15723 - ntop new security issue CVE-2014-4165
Summary: ntop new security issue CVE-2014-4165
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/640807/
Whiteboard: has_procedure advisory MGA4-64-OK MGA...
Keywords: validated_update
Reported: 2015-04-17 17:33 CEST by David Walser
Modified: 2015-04-24 10:59 CEST
Source RPM: ntop-5.0.1-4.mga4.src.rpm
Description David Walser 2015-04-17 17:33:49 CEST
OpenSuSE has issued an advisory on April 16:
http://lists.opensuse.org/opensuse-updates/2015-04/msg00029.html

Patch checked into Mageia 4 and Cauldron SVN.  Freeze push requested.

PoC is here:
https://bugzilla.suse.com/show_bug.cgi?id=882971#c12

David Walser 2015-04-17 17:33:55 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

David Walser 2015-04-17 18:22:44 CEST

URL: (none) => http://lwn.net/Vulnerabilities/640807/

Comment 1 David Walser 2015-04-18 02:39:29 CEST
Patched packages uploaded for Mageia 4 and Cauldron.

See the PoC information linked in Comment 0.

Advisory:
========================

Updated ntop package fixes security vulnerability:

Lack of filtering in the title parameter of links to rrdPlugin allowed
cross-site-scripting (XSS) attacks against users of the web interface
(CVE-2014-4165).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4165
http://lists.opensuse.org/opensuse-updates/2015-04/msg00029.html
========================

Updated packages in core/updates_testing:
========================
ntop-5.0.1-4.1.mga4

from ntop-5.0.1-4.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => has_procedure

Comment 2 Shlomi Fish 2015-04-20 12:46:33 CEST
MGA4-64-OK - ing (in an x86-64 VBox VM) - ntop is vulnerable before the upgrade to the package from updates_testing and not vulnerable afterwards. I had to tweak the PoC a little to get it to work.

CC: (none) => shlomif
Whiteboard: has_procedure => has_procedure MGA4-64-OK

Comment 3 Shlomi Fish 2015-04-20 13:05:28 CEST
(In reply to Shlomi Fish from comment #2)
> MGA4-64-OK - ing (in an x86-64 VBox VM) - ntop is vulnerable before the
> upgrade to the package from updates_testing and not vulnerable afterwards. I
> had to tweak the PoC a little to get it to work.

Similarly, MGA4-32-OK in a VBox i586 VM.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 4 claire robinson 2015-04-22 17:34:42 CEST
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2015-04-23 23:15:18 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0168.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 Shlomi Fish 2015-04-24 08:44:04 CEST
(In reply to Mageia Robot from comment #5)
> An update for this issue has been pushed to Mageia Updates repository.
> 
> http://advisories.mageia.org/MGASA-2015-0168.html

"to Mageia" should preferably be "to the Mageia". Where are the sources of the Mageia Robot so it can be fixed?

Comment 7 Rémi Verschelde 2015-04-24 08:47:07 CEST
(In reply to Shlomi Fish from comment #6)
> (In reply to Mageia Robot from comment #5)
> > An update for this issue has been pushed to Mageia Updates repository.
> > 
> > http://advisories.mageia.org/MGASA-2015-0168.html
> 
> "to Mageia" should preferably be "to the Mageia". Where are the sources of
> the Mageia Robot so it can be fixed?

Here: http://gitweb.mageia.org/software/infrastructure/mgaadvisories/tree/lib/MGA/Advisories.pm#n711

CC: (none) => rverschelde

Comment 8 Shlomi Fish 2015-04-24 10:59:00 CEST
(In reply to Rémi Verschelde from comment #7)
> (In reply to Shlomi Fish from comment #6)
> > (In reply to Mageia Robot from comment #5)
> > > An update for this issue has been pushed to Mageia Updates repository.
> > > 
> > > http://advisories.mageia.org/MGASA-2015-0168.html
> > 
> > "to Mageia" should preferably be "to the Mageia". Where are the sources of
> > the Mageia Robot so it can be fixed?
> 
> Here:
> http://gitweb.mageia.org/software/infrastructure/mgaadvisories/tree/lib/MGA/Advisories.pm#n711

Many thanks! I fixed it there.
