Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, by modifying target browser local storage, an XSS can be generated in the iTop console breadcrumb. This is fixed in versions 2.7.2 and 3.0.0.
CVE: (none) => CVE-2020-15221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15221
https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 2.7.2
Assignee: bugsquad => bruno
Summary: itop-itsm security update CVE-2020-15221 => itop-itsm new security issue CVE-2020-15221
Version 2.7.3 freeze push asked for Cauldron.
CC: (none) => mageia
itop-itsm-2.7.3-1.mga8 uploaded for Cauldron.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
new version pushed in mga7: src: - itop-itsm-2.7.3-1.mga7
Status comment: Fixed upstream in 2.7.2 => (none)
Assignee: bruno => qa-bugs
Advisory:
========================

Updated itop-itsm package fixes security vulnerability:

By modifying target browser local storage, an XSS can be generated in the iTop console breadcrumb (CVE-2020-15221).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15221
https://github.com/Combodo/iTop/security/advisories/GHSA-w6g2-p7pf-7hvw
========================

Updated packages in core/updates_testing:
========================

itop-itsm-2.7.3-1.mga7

from itop-itsm-2.7.3-1.mga7.src.rpm
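The advisory above describes the class of bug: UI state persisted in the browser's local storage (here, the console breadcrumb) is read back and rendered as HTML without being treated as untrusted input. Anything that can write to that origin's storage (another script on the origin, a browser extension, or a person at the keyboard using devtools) can plant markup that the page then executes. The example below is added here to illustrate that pattern and one way to harden it; it is not iTop's code and does not show how iTop actually stores its breadcrumb or how upstream fixed it. The storage key name "breadcrumb", the item shape { label, url }, the in-memory stand-in for window.localStorage and the tampered value are all constructed for this example.

```javascript
// Added example (not iTop's code): a breadcrumb persisted in browser storage
// must be validated and HTML-escaped like any other untrusted input.

// Stand-in for window.localStorage so the example runs under Node (assumption).
const fakeLocalStorage = new Map();

// Tampered value, constructed for this example: what an attacker-controlled
// script or a person using devtools could have written into storage.
const TAMPERED = JSON.stringify([
  { label: 'Home', url: '/pages/UI.php' },
  { label: '<img src=x onerror="alert(document.cookie)">', url: '/pages/UI.php?x=1' },
]);
fakeLocalStorage.set('breadcrumb', TAMPERED);

// Vulnerable pattern: trusts the stored JSON and concatenates it into markup.
function renderBreadcrumbUnsafe(storage) {
  const items = JSON.parse(storage.get('breadcrumb') || '[]');
  return items.map((i) => `<a href="${i.url}">${i.label}</a>`).join(' &gt; ');
}

// Escape the five characters that matter in text and double-quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Accept only same-origin paths: a single leading slash, so javascript:,
// data:, absolute URLs and protocol-relative //host URLs are all rejected.
function isSafeRelativeUrl(url) {
  return typeof url === 'string' && /^\/(?!\/)/.test(url);
}

// Parse and validate the stored structure. Anything unexpected collapses to an
// empty crumb list, which is a safe default for purely cosmetic UI state.
function loadBreadcrumb(storage) {
  let items;
  try {
    items = JSON.parse(storage.get('breadcrumb') || '[]');
  } catch {
    return [];
  }
  if (!Array.isArray(items)) return [];
  return items
    .filter((i) => i && typeof i.label === 'string' && isSafeRelativeUrl(i.url))
    .map((i) => ({ label: i.label.slice(0, 200), url: i.url }));
}

// Hardened pattern: validated items, every dynamic value escaped for its context.
function renderBreadcrumbSafe(storage) {
  return loadBreadcrumb(storage)
    .map((i) => `<a href="${escapeHtml(i.url)}">${escapeHtml(i.label)}</a>`)
    .join(' &gt; ');
}

// Heuristic check used to compare the two renderings: does the markup contain
// an unescaped tag carrying an on* event-handler attribute?
function containsRawHandler(html) {
  return /<[^>]+\son\w+=/i.test(html);
}

console.log('unsafe:', renderBreadcrumbUnsafe(fakeLocalStorage));
console.log('safe:  ', renderBreadcrumbSafe(fakeLocalStorage));
```

In a real page the safe variant would build the anchors with document.createElement and set textContent and href on them rather than assemble a string, which removes the need for escapeHtml entirely; the string form is used here only so the two outputs can be compared side by side without a DOM.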
I looked for previous updates to this, and came up dry. Then checked online, finding several tutorials that only served to show me that this is far too complex for a novice to test adequately. So, I was going to go for a clean install over the old rpm, BUT...

No issues with the original install. But when I went to update, I get this:

1 installation transactions failed
There was a problem during the installation:
file /usr/share/itop-itsm/data from install of itop-itsm-2.7.3-1.mga7.noarch conflicts with file from package itop-itsm-2.0.3-5.mga7.noarch
file /usr/share/itop-itsm/log from install of itop-itsm-2.7.3-1.mga7.noarch conflicts with file from package itop-itsm-2.0.3-5.mga7.noarch

So, it's back in your hands, Nicolas.
CC: (none) => andrewsfarm
Keywords: (none) => feedback
itop-itsm-2.7.3-1.1.mga7
itop-itsm-2.7.3-1.1.mga8

should fix the upgrade from 2.0.3. Also, webapp packages like this should be dropped as previously discussed.

Mageia 7 advisory in Comment 5.

Mageia 8 advisory (bugfix only):
-----------------

The itop-itsm package had an issue upgrading from Mageia 7. This has been corrected.
Keywords: feedback => (none)
Whiteboard: (none) => MGA7TOO
Version: 7 => 8
First installed the 2.0.3 version. Not changing anything, pointed browser at http://localhost/itop-itsm and got error 403 access forbidden! So there is some config work on it, but in view of the purpose of this update, I left it at that.

Then tried to install the new update and immediately got:

1 installation transactions failed
There was a problem during the installation:
file /usr/share/itop-itsm/data from install of itop-itsm-2.7.3-1.1.mga7.noarch conflicts with file from package itop-itsm-2.0.3-5.mga7.noarch
file /usr/share/itop-itsm/log from install of itop-itsm-2.7.3-1.1.mga7.noarch conflicts with file from package itop-itsm-2.0.3-5.mga7.noarch
CC: (none) => herman.viaene
That makes no sense; the %pretrans I added should have fixed that. I wish I had dropped this package before Mageia 8. Oh well. Dropping this update.
Resolution: (none) => OLD
Status: NEW => RESOLVED