Bug 26625 - glpi new security issues CVE-2020-1103[3-6]
Summary: glpi new security issues CVE-2020-1103[3-6]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-05-14 22:56 CEST by David Walser
Modified: 2020-05-24 20:06 CEST

See Also:
Source RPM: glpi-9.4.5-1.1.mga7.src.rpm
CVE:
Status comment:



David Walser 2020-05-14 22:57:02 CEST

Status comment: (none) => Fixed upstream in 9.4.6

Comment 1 Nicolas Lécureuil 2020-05-17 16:58:11 CEST
Pushed in updates testing.

Advisory:
========================

A new version of libntlm.
It fixes from CVE-2020-11033 to CVE-2020-11036

https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55
https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf
https://github.com/glpi-project/glpi/security/advisories/GHSA-3g3h-rwhr-7385

Updated packages in core/updates_testing:
========================
glpi-9.4.5-1.1.mga7

from: glpi-9.4.5-1.1.mga7

Status: NEW => ASSIGNED
CC: (none) => mageia
Assignee: guillomovitch => qa-bugs

Comment 2 David Walser 2020-05-17 19:36:15 CEST
Advisory:
========================

Updated glpi packages fix security vulnerabilities:

In GLPI from version 9.1 and before version 9.4.6, any API user with READ
right on the User itemtype will have access to the full list of users when
querying apirest.php/User. The response contains:
- All api_tokens, which can be used to do privilege escalation or
  read/update/delete data not normally accessible to the current user.
- All personal_tokens, which can display another user's planning.
Exploiting this vulnerability requires the API to be enabled and a technician
account. It can be mitigated by adding an application token (CVE-2020-11033).

In GLPI before version 9.4.6, there is a vulnerability that allows bypassing
the open redirect protection, which is based on a regexp (CVE-2020-11034).

In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are
generated using an insecure algorithm. The implementation uses rand, uniqid
and MD5, which do not provide secure values (CVE-2020-11035).

In GLPI before version 9.4.6 there are multiple related stored XSS
vulnerabilities. The package is vulnerable to Stored XSS in the comments of
items in the Knowledge base. Adding a comment with content "<script>alert(1)
</script>" reproduces the attack. This can be exploited by a user with
administrator privileges in the User-Agent field. It can also be exploited by
an outside party through the following steps:
1. Create a user with the surname `" onmouseover="alert(document.cookie)` and
   an empty first name.
2. With this user, create a ticket.
3. As an administrator (or other privileged user) open the created ticket.
4. On the "last update" field, put your mouse on the name of the user.
5. The XSS fires (CVE-2020-11036).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11033
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11034
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11035
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11036
https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55
https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf
https://github.com/glpi-project/glpi/security/advisories/GHSA-3g3h-rwhr-7385
https://github.com/glpi-project/glpi/releases/tag/9.4.6
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/

Status comment: Fixed upstream in 9.4.6 => (none)

Comment 3 David Walser 2020-05-17 19:40:01 CEST
Nicolas, you didn't actually update the package.

CC: (none) => qa-bugs
Assignee: qa-bugs => mageia

Comment 4 David Walser 2020-05-17 20:09:49 CEST
Modifying advisory since we patched it instead of updating.

Advisory:
========================

Updated glpi packages fix security vulnerabilities:

In GLPI from version 9.1 and before version 9.4.6, any API user with READ
right on the User itemtype will have access to the full list of users when
querying apirest.php/User. The response contains:
- All api_tokens, which can be used to do privilege escalation or
  read/update/delete data not normally accessible to the current user.
- All personal_tokens, which can display another user's planning.
Exploiting this vulnerability requires the API to be enabled and a technician
account. It can be mitigated by adding an application token (CVE-2020-11033).

In GLPI before version 9.4.6, there is a vulnerability that allows bypassing
the open redirect protection, which is based on a regexp (CVE-2020-11034).

In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens are
generated using an insecure algorithm. The implementation uses rand, uniqid
and MD5, which do not provide secure values (CVE-2020-11035).

In GLPI before version 9.4.6 there are multiple related stored XSS
vulnerabilities. The package is vulnerable to Stored XSS in the comments of
items in the Knowledge base. Adding a comment with content "<script>alert(1)
</script>" reproduces the attack. This can be exploited by a user with
administrator privileges in the User-Agent field. It can also be exploited by
an outside party through the following steps:
1. Create a user with the surname `" onmouseover="alert(document.cookie)` and
   an empty first name.
2. With this user, create a ticket.
3. As an administrator (or other privileged user) open the created ticket.
4. On the "last update" field, put your mouse on the name of the user.
5. The XSS fires (CVE-2020-11036).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11033
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11034
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11035
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11036
https://github.com/glpi-project/glpi/security/advisories/GHSA-rf54-3r4w-4h55
https://github.com/glpi-project/glpi/security/advisories/GHSA-gxv6-xq9q-37hg
https://github.com/glpi-project/glpi/security/advisories/GHSA-w7q8-58qp-vmpf
https://github.com/glpi-project/glpi/security/advisories/GHSA-3g3h-rwhr-7385
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q4BG2UTINBVV7MTJRXKBQ26GV2UINA6L/
========================

Updated packages in core/updates_testing:
========================
glpi-9.4.5-1.2.mga7

from glpi-9.4.5-1.2.mga7.src.rpm

Assignee: mageia => qa-bugs
CC: qa-bugs => (none)
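The CSRF token weakness the advisory describes for CVE-2020-11035 (tokens built from rand, uniqid and MD5), shown as an added PHP example next to a CSPRNG-based construction with constant-time validation. This is illustrative code, not GLPI's own; the session array and function names are assumptions.

```php
<?php
// Added example (not GLPI code): the weak token construction described in the
// advisory for CVE-2020-11035, beside a hardened equivalent.

// Weak pattern, as described: rand() and uniqid() are derived from predictable
// state (seed and clock), and MD5 adds no entropy to its input, so the token
// space an attacker must search is far smaller than its 128-bit output suggests.
function weak_csrf_token(): string
{
    return md5(uniqid((string) rand(), true));
}

// Hardened pattern: 32 bytes from the OS CSPRNG, hex-encoded (64 characters).
// random_bytes() throws if no secure source is available rather than degrading.
function secure_csrf_token(): string
{
    return bin2hex(random_bytes(32));
}

// Issue one token per session (assumed $session array stands in for $_SESSION)
// and return it for embedding in forms.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = secure_csrf_token();
    }
    return $session['csrf_token'];
}

// Validate a submitted token; hash_equals() compares in constant time so the
// check does not leak how many leading characters matched.
function check_csrf_token(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Demo with a constructed session: the issued token validates, a token from the
// weak generator (or any guess) does not.
$session = [];
$token = issue_csrf_token($session);
var_dump(check_csrf_token($session, $token));
var_dump(check_csrf_token($session, weak_csrf_token()));
```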

Comment 5 Herman Viaene 2020-05-19 15:49:30 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bugs 25931 and 21331 for testing, so:
# systemctl start httpd
# systemctl start mysqld

$ mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.3.22-MariaDB Mageia MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database dbbglpi character set utf8;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> grant all privileges on dbbglpi.* to glpi@localhost identified by 'glpi';
Query OK, 0 rows affected (0.001 sec)

Pointed then firefox to localhost:glpi and completed the installation step successfully. OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-05-20 14:00:46 CEST
Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-05-24 16:04:20 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 7 Mageia Robot 2020-05-24 20:06:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0220.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

