In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure Direct Object Reference (IDOR) vulnerability that allows an attacker to read data from any itemType (e.g., Ticket, Users, etc.).
Whiteboard: (none) => MGA7TOO
CVE: (none) => CVE-2020-27663
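To illustrate the class of bug the CVE description names, the following is an added PHP example, not GLPI's own code and not taken from the ticket: a generic "dropdown values" endpoint that takes an object type name from the request. The first function serves rows for any type it knows about without checking the caller's rights (the IDOR shape); the second allowlists the types the endpoint exposes and checks a per-type read right against the session before returning anything. All names (ItemSource, ArraySource, UserSession, the right names, the sample rows) are hypothetical and constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not GLPI code. Models an endpoint that resolves an
// attacker-controlled "itemtype" request parameter to a data source.
// Every class, right name and row below is hypothetical/constructed.

interface ItemSource
{
    public function listNames(string $search): array;
    public function readRight(): string;   // right the caller must hold to read this type
}

final class UserSession
{
    public function __construct(private array $rights) {}
    public function can(string $right): bool
    {
        return in_array($right, $this->rights, true);
    }
}

// Constructed in-memory stand-in for a database-backed item type.
final class ArraySource implements ItemSource
{
    public function __construct(private string $right, private array $rows) {}
    public function readRight(): string { return $this->right; }
    public function listNames(string $search): array
    {
        return array_values(array_filter(
            $this->rows,
            fn(string $r) => $search === '' || stripos($r, $search) !== false
        ));
    }
}

// Constructed sample data: two item types with different read rights.
$sources = [
    'Ticket' => new ArraySource('ticket_read', ['#1 Printer jam', '#2 VPN down']),
    'User'   => new ArraySource('user_read',   ['alice', 'bob']),
];

// Vulnerable shape: any itemtype the map knows is served to any session.
// The only "check" is whether the type exists, which is not authorization.
function dropdownVulnerable(array $sources, array $req): array
{
    $type = $req['itemtype'] ?? '';
    $src  = $sources[$type] ?? null;
    return ['status' => 200, 'rows' => $src ? $src->listNames($req['search'] ?? '') : []];
}

// Hardened shape: (1) the type must be a string on an explicit allowlist of
// types this endpoint is meant to expose, (2) the session must hold that
// type's read right. Rows are only fetched after both checks pass.
function dropdownHardened(array $sources, UserSession $session, array $req, array $allowed): array
{
    $type = $req['itemtype'] ?? '';
    if (!is_string($type) || !in_array($type, $allowed, true) || !isset($sources[$type])) {
        return ['status' => 400, 'rows' => []];   // unknown or non-exposed type
    }
    $src = $sources[$type];
    if (!$session->can($src->readRight())) {
        return ['status' => 403, 'rows' => []];   // caller may not read this type
    }
    return ['status' => 200, 'rows' => $src->listNames($req['search'] ?? '')];
}

// Demo: a session allowed to read users but not tickets asks for tickets.
$session = new UserSession(['user_read']);
$req     = ['itemtype' => 'Ticket', 'search' => ''];

print_r(dropdownVulnerable($sources, $req));                            // leaks both tickets
print_r(dropdownHardened($sources, $session, $req, ['Ticket', 'User'])); // status 403, no rows
```

The point for a reviewer is that "does this itemtype exist" and "may this caller read this itemtype" are different questions; the vulnerable function only answers the first. The allowlist additionally keeps the endpoint from becoming a generic reader for every type the application defines, even when a right check exists.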
Quite a few more issues than that that we've missed. Release log: https://github.com/glpi-project/glpi/releases

Upstream security advisories page lists these that we've missed.

Affecting only Mageia 7: CVE-2020-5248, CVE-2020-1106[02]:
https://github.com/glpi-project/glpi/security/advisories/GHSA-j222-j9mf-h6j9
https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f
https://github.com/glpi-project/glpi/security/advisories/GHSA-3xxh-f5p2-jg3h

Also affecting Cauldron: CVE-2020-11031, CVE-2020-15108, CVE-2020-1517[5-7], CVE-2020-15226:
https://github.com/glpi-project/glpi/security/advisories/GHSA-7xwm-4vjr-jvqh
https://github.com/glpi-project/glpi/security/advisories/GHSA-qv6w-68gq-wx2v
https://github.com/glpi-project/glpi/security/advisories/GHSA-rm52-jx9h-rwcp
https://github.com/glpi-project/glpi/security/advisories/GHSA-x93w-64x9-58qw
https://github.com/glpi-project/glpi/security/advisories/GHSA-prvh-9m4h-4m79
https://github.com/glpi-project/glpi/security/advisories/GHSA-jwpv-7m4h-5gvc
https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx
https://github.com/glpi-project/glpi/security/advisories/GHSA-wq38-gwxp-8p5p
https://github.com/glpi-project/glpi/security/advisories/GHSA-pqfv-4pvr-55r4
Status comment: (none) => Fixed upstream in 9.5.3
Summary: glpi security issue CVE-2020-27663 => glpi new security issues CVE-2020-5248, CVE-2020-1106[02], CVE-2020-11031, CVE-2020-15108, CVE-2020-1517[5-7], CVE-2020-15226, CVE-2020-26212 and CVE-2020-2766[23]
Severity: normal => major
Assignee: bugsquad => guillomovitch
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-27663 => (none)
Planned to be removed from Cauldron.
Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)
Package is still in Cauldron.
Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
Removed now :-)
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Why are you removing stuff that still works?!
The maintainer isn't interested in continuing to maintain it going forward. Also, generally speaking, as web apps continue to suffer serious vulnerabilities and need to be updated quickly, and more of them offer self-updating capability, it is making less sense to package them as RPMs.
@Zombie: feel free to volunteer for taking over maintainership, but it's a pain in the ass. Basically, constraints imposed by distribution packaging standards, such as debundling dependencies and providing security updates without changing version, don't mix well with the web application ecosystem. Given that those applications are also relatively easy to install for end users, compared with compiled applications, there isn't enough added value to invest time anymore.
I'm closing this issue as WONTFIX. Anyone is free to reopen it, but only if he intends to fix the issue himself.
Status: NEW => RESOLVED
Resolution: (none) => WONTFIX
I cannot commit updates to Mageia, only to the Rosa build cluster. I can link you to whatever Rosa's resolution is; would that be alright?
We don't need whatever solution, we need a solution compatible with our update policy, which means patches for version 9.4.6.
Trying to look. I will look at whether we can just update to the latest 9.4.6 (updating to 9.5 is not possible without a lot of work).
The main issue is that updating to 9.4.6 is simple. But, for example, https://github.com/glpi-project/glpi/security/advisories/GHSA-7xwm-4vjr-jvqh makes use of a new library (this explains well why we drop it).
My mistake, I've been confused by the information in the ticket. I'll take care of pushing 9.4.6 as security update for mageia 7. Pushing 9.5.x is not just a lot of work, it is also a violation of update policy, as it involves a database schema change.
Resolution: WONTFIX => (none)
Status: RESOLVED => REOPENED
We'll just have to clone the bug and fix what we can. Some issues are only fixed in 9.5.3, so we'd need patches if we're ever going to fix those, but some are fixed in 9.4.6.
glpi-9.4.6-1.1.mga7 just submitted in updates_testing
Thanks. It won't really matter here, but for future reference, the subrel should be removed when upgrading to a new version.
We could fix a few more issues before issuing an update. These advisories all link patches that can be applied:
https://github.com/glpi-project/glpi/security/advisories/GHSA-qv6w-68gq-wx2v
https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx
https://github.com/glpi-project/glpi/security/advisories/GHSA-wq38-gwxp-8p5p
https://github.com/glpi-project/glpi/security/advisories/GHSA-pqfv-4pvr-55r4
(In reply to David Walser from comment #17)
> We could fix a few more issues before issuing an update. These advisories
> all link patches that can be applied:
> https://github.com/glpi-project/glpi/security/advisories/GHSA-qv6w-68gq-wx2v
> https://github.com/glpi-project/glpi/security/advisories/GHSA-qmw3-87hr-5wgx

9.4.6 isn't affected by those two.

> https://github.com/glpi-project/glpi/security/advisories/GHSA-wq38-gwxp-8p5p

Would take significant work to backport.

> https://github.com/glpi-project/glpi/security/advisories/GHSA-pqfv-4pvr-55r4

Appears to already be fixed in 9.4.6.

We do have an update to 9.4.6 already built, but I'm not sure it's worth pushing at this point. Feel free to assign to QA if you disagree.
CC: (none) => luigiwalser
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Status: REOPENED => RESOLVED
Resolution: (none) => OLD