Fedora has issued advisories on July 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/45ZBDWBMNJVPQ6FZVBLDLZRLJNSTTEWL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZCFHSCYV72EJRKG2J6L2J737RWIZMGZH/

Fedora has patches and the RedHat bug links to the upstream commit to fix it:
https://bugzilla.redhat.com/show_bug.cgi?id=1597423

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
glpi-9.3.0-1.mga7 submitted in cauldron, and glpi-9.1.6-2.2.mga6 submitted in updates_testing.
Assignee: guillomovitch => qa-bugs
Advisory:
========================

Updated glpi package fixes security vulnerability:

The constructSQL function in inc/search.class.php in GLPI 9.2.x through 9.3.0 allows SQL Injection, as demonstrated by triggering a crafted LIMIT clause to front/computer.php (CVE-2018-13049).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13049
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/45ZBDWBMNJVPQ6FZVBLDLZRLJNSTTEWL/
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Following bug 21331, found out that the mysql database was already initialized from previous updates. So pointing to http://localhost/glpi/ and logging in with the default glpi user gets me into the initial screen of the application. So far for me, seems OK.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Mageia 6, x86_64

Installing and configuring mysql and task-lamp required a couple of days research following links and delving in notebooks before getting to the starting point. Had totally forgotten everything about mysql in less than a year. Checked the operation of glpi before the update and all seemed to be in order. Updated glpi, restarted mysqld, and httpd to be on the safe side.

$ mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
[...]
MariaDB [(none)]> use dbbglpi
Database changed
> grant all privileges on dbbglpi.* to glpi@localhost identified by 'glpi';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
> flush privileges;
Query OK, 0 rows affected (0.00 sec)

Pointed firefox at http://localhost/glpi/ and accepted the default language (English) and agreed to T&C. Selected upgrade and passed most of the tests. Connection parameters were { MySQL, glpi, 'root' password }
Connection test failed - which is as far as it ever gets. I have always assumed that this is OK as far as it goes. Giving this the OK, with some uncertainty.
CC: (none) => tarazed25
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0330.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED