OpenSuSE has issued an advisory on April 16: http://lists.opensuse.org/opensuse-updates/2015-04/msg00029.html Patch checked into Mageia 4 and Cauldron SVN. Freeze push requested. PoC is here: https://bugzilla.suse.com/show_bug.cgi?id=882971#c12 Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
URL: (none) => http://lwn.net/Vulnerabilities/640807/
Patched packages uploaded for Mageia 4 and Cauldron. See the PoC information linked in Comment 0. Advisory: ======================== Updated ntop package fixes security vulnerability: Lack of filtering in the title parameter of links to rrdPlugin allowed cross-site-scripting (XSS) attacks against users of the web interface (CVE-2014-4165). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4165 http://lists.opensuse.org/opensuse-updates/2015-04/msg00029.html ======================== Updated packages in core/updates_testing: ======================== ntop-5.0.1-4.1.mga4 from ntop-5.0.1-4.1.mga4.src.rpm
Version: Cauldron => 4Assignee: bugsquad => qa-bugsWhiteboard: MGA5TOO, MGA4TOO => has_procedure
MGA4-64-OK - ing (in an x86-64 VBox VM) - ntop is vulnerable before the upgrade to the package from updates_testing and not vulnerable afterwards. I had to tweak the PoC a little to get it to work.
CC: (none) => shlomifWhiteboard: has_procedure => has_procedure MGA4-64-OK
(In reply to Shlomi Fish from comment #2) > MGA4-64-OK - ing (in an x86-64 VBox VM) - ntop is vulnerable before the > upgrade to the package from updates_testing and not vulnerable afterwards. I > had to tweak the PoC a little to get it to work. Similary, MGA4-32-OK in a VBox i586 VM.
Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded. Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0168.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
(In reply to Mageia Robot from comment #5) > An update for this issue has been pushed to Mageia Updates repository. > > http://advisories.mageia.org/MGASA-2015-0168.html "to Mageia" should preferably be "to the Mageia". Where are the sources of the Mageia Robot so it can be fixed?
(In reply to Shlomi Fish from comment #6) > (In reply to Mageia Robot from comment #5) > > An update for this issue has been pushed to Mageia Updates repository. > > > > http://advisories.mageia.org/MGASA-2015-0168.html > > "to Mageia" should preferably be "to the Mageia". Where are the sources of > the Mageia Robot so it can be fixed? Here: http://gitweb.mageia.org/software/infrastructure/mgaadvisories/tree/lib/MGA/Advisories.pm#n711
CC: (none) => rverschelde
(In reply to Rémi Verschelde from comment #7) > (In reply to Shlomi Fish from comment #6) > > (In reply to Mageia Robot from comment #5) > > > An update for this issue has been pushed to Mageia Updates repository. > > > > > > http://advisories.mageia.org/MGASA-2015-0168.html > > > > "to Mageia" should preferably be "to the Mageia". Where are the sources of > > the Mageia Robot so it can be fixed? > > Here: > http://gitweb.mageia.org/software/infrastructure/mgaadvisories/tree/lib/MGA/ > Advisories.pm#n711 Many thanks! I fixed it there.