ganglia-web (aka Ganglia Web Frontend) through 3.7.5 allows XSS via the header.php cs parameter.
CVE: (none) => CVE-2019-20379
Component: RPM Packages => Security
QA Contact: (none) => security
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20379
Source RPM: ganglia-web-3.7.4-4.mga8.src => ganglia-web-3.7.4-4.mga8.src.rpm
Whiteboard: (none) => MGA7TOO
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
CC: (none) => ouaurelien
Assignee: bugsquad => cooker
Status comment: (none) => No fix available as of end of 2020
Whiteboard: MGA7TOO => MGA8TOO, MGA7TOO
Link to upstream bug report
See Also: (none) => https://github.com/ganglia/ganglia-web/issues/351
Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO
SUSE has issued an advisory on November 8: https://lists.suse.com/pipermail/sle-security-updates/2022-November/012840.html CVE-2019-20378 appears to be related and to have been fixed last year (and in 3.7.5), and CVE-2019-20379 (or I may have the CVEs backwards) appears to require an additional patch.
Status comment: No fix available as of end of 2020 => Fixed upstream in 3.7.5 and/or in patch available from SUSE
Summary: ganglia-web security vulnerability CVE-2019-20379 => ganglia-web new security issues CVE-2019-2037[89]
(In reply to David Walser from comment #5)
> SUSE has issued an advisory on November 8:
> https://lists.suse.com/pipermail/sle-security-updates/2022-November/012840.html
>
> CVE-2019-20378 appears to be related and to have been fixed last year (and
> in 3.7.5), and CVE-2019-20379 (or I may have the CVEs backwards) appears to
> require an additional patch.

v3.7.5 submitted to cauldron. Do you have a link to any patches? My searches find that upstream can't reproduce the issue…
I don't see any patches on top of 3.7.5 added in openSUSE Factory. See if any of the fixes referenced here are missing from 3.7.5: https://bugzilla.suse.com/show_bug.cgi?id=1160761
(In reply to David Walser from comment #7)
> I don't see any patches on top of 3.7.5 added in openSUSE Factory.
>
> See if any of the fixes referenced here are missing from 3.7.5:
> https://bugzilla.suse.com/show_bug.cgi?id=1160761

I just viewed the spec diff SuSE claims fixes the issue, which is this one: https://build.opensuse.org/request/show/1032451
This is BULLSHIT! There are no patch changes of any kind!
No, the update to 3.7.5 was actually the commit before that one, but it was just a simple update to 3.7.5. I'm guessing that the patches are upstream in 3.7.5, but I haven't checked to verify that.
Mageia 8 EOL.
Version: Cauldron => 8
Status: NEW => RESOLVED
Status comment: Fixed upstream in 3.7.5 and/or in patch available from SUSE => (none)
Whiteboard: MGA8TOO => (none)
Resolution: (none) => OLD
CC: (none) => nicolas.salguero