Bug 32092 - fusiondirectory new security issues CVE-2022-36179 and CVE-2022-36180
Summary: fusiondirectory new security issues CVE-2022-36179 and CVE-2022-36180
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-10 22:31 CEST by David Walser
Modified: 2023-09-16 14:25 CEST (History)

See Also:
Source RPM: fusiondirectory-1.3-2.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2023-07-10 22:31:51 CEST
Debian-LTS has issued an advisory on July 8:
https://www.debian.org/lts/security/2023/dla-3487

The issues are fixed upstream in 1.3.1.

Mageia 8 is also affected.
David Walser 2023-07-10 22:32:04 CEST

Status comment: (none) => Fixed upstream in 1.3.1
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-07-11 21:42:31 CEST
Query:
 Source RPM:  fusiondirectory-1.3-2.mga9.src.rpm
 Sophie shows fusiondirectory-1.3-2.mga9.src.rpm
But
 The issues are fixed upstream in 1.3.1          ???

Luigi, when you have clarified this, please assign the bug to pkg-bugs, since this pkg has been quiet for ages, and long past maintainers are iffy today.
Comment 2 David Walser 2023-07-12 04:06:05 CEST
I'm not sure what needs to be clarified.  We have version 1.3, and the issues are fixed in 1.3.1.

Assignee: bugsquad => pkg-bugs

Comment 3 Nicolas Salguero 2023-09-05 13:42:54 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Fusiondirectory 1.3 suffers from Improper Session Handling. (CVE-2022-36179)

Fusiondirectory 1.3 is vulnerable to Cross Site Scripting (XSS) via /fusiondirectory/index.php?message=[injection], /fusiondirectory/index.php?message=invalidparameter&plug=[injection], /fusiondirectory/index.php?signout=1&message=[injection]&plug=106. (CVE-2022-36180)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36180
https://www.debian.org/lts/security/2023/dla-3487
========================

Updated packages in {8|9}/core/updates_testing:
========================
fusiondirectory-1.3.1-1.mga{8|9}
fusiondirectory-database-1.3.1-1.mga{8|9}
fusiondirectory-plugin-alias-1.3.1-1.mga{8|9}
fusiondirectory-plugin-applications-1.3.1-1.mga{8|9}
fusiondirectory-plugin-argonaut-1.3.1-1.mga{8|9}
fusiondirectory-plugin-audit-1.3.1-1.mga{8|9}
fusiondirectory-plugin-autofs-1.3.1-1.mga{8|9}
fusiondirectory-plugin-certificates-1.3.1-1.mga{8|9}
fusiondirectory-plugin-community-1.3.1-1.mga{8|9}
fusiondirectory-plugin-cyrus-1.3.1-1.mga{8|9}
fusiondirectory-plugin-debconf-1.3.1-1.mga{8|9}
fusiondirectory-plugin-developers-1.3.1-1.mga{8|9}
fusiondirectory-plugin-dhcp-1.3.1-1.mga{8|9}
fusiondirectory-plugin-dns-1.3.1-1.mga{8|9}
fusiondirectory-plugin-dovecot-1.3.1-1.mga{8|9}
fusiondirectory-plugin-dsa-1.3.1-1.mga{8|9}
fusiondirectory-plugin-ejbca-1.3.1-1.mga{8|9}
fusiondirectory-plugin-fai-1.3.1-1.mga{8|9}
fusiondirectory-plugin-freeradius-1.3.1-1.mga{8|9}
fusiondirectory-plugin-fusioninventory-1.3.1-1.mga{8|9}
fusiondirectory-plugin-gpg-1.3.1-1.mga{8|9}
fusiondirectory-plugin-ipmi-1.3.1-1.mga{8|9}
fusiondirectory-plugin-kolab2-1.3.1-1.mga{8|9}
fusiondirectory-plugin-ldapdump-1.3.1-1.mga{8|9}
fusiondirectory-plugin-ldapmanager-1.3.1-1.mga{8|9}
fusiondirectory-plugin-mail-1.3.1-1.mga{8|9}
fusiondirectory-plugin-mixedgroups-1.3.1-1.mga{8|9}
fusiondirectory-plugin-nagios-1.3.1-1.mga{8|9}
fusiondirectory-plugin-netgroups-1.3.1-1.mga{8|9}
fusiondirectory-plugin-newsletter-1.3.1-1.mga{8|9}
fusiondirectory-plugin-opsi-1.3.1-1.mga{8|9}
fusiondirectory-plugin-personal-1.3.1-1.mga{8|9}
fusiondirectory-plugin-posix-1.3.1-1.mga{8|9}
fusiondirectory-plugin-ppolicy-1.3.1-1.mga{8|9}
fusiondirectory-plugin-puppet-1.3.1-1.mga{8|9}
fusiondirectory-plugin-pureftpd-1.3.1-1.mga{8|9}
fusiondirectory-plugin-quota-1.3.1-1.mga{8|9}
fusiondirectory-plugin-renater-partage-1.3.1-1.mga{8|9}
fusiondirectory-plugin-repository-1.3.1-1.mga{8|9}
fusiondirectory-plugin-samba-1.3.1-1.mga{8|9}
fusiondirectory-plugin-sinaps-1.3.1-1.mga{8|9}
fusiondirectory-plugin-sogo-1.3.1-1.mga{8|9}
fusiondirectory-plugin-spamassassin-1.3.1-1.mga{8|9}
fusiondirectory-plugin-squid-1.3.1-1.mga{8|9}
fusiondirectory-plugin-ssh-1.3.1-1.mga{8|9}
fusiondirectory-plugin-subcontracting-1.3.1-1.mga{8|9}
fusiondirectory-plugin-sudo-1.3.1-1.mga{8|9}
fusiondirectory-plugin-supann-1.3.1-1.mga{8|9}
fusiondirectory-plugin-sympa-1.3.1-1.mga{8|9}
fusiondirectory-plugin-systems-1.3.1-1.mga{8|9}
fusiondirectory-plugin-user-reminder-1.3.1-1.mga{8|9}
fusiondirectory-plugin-weblink-1.3.1-1.mga{8|9}
fusiondirectory-plugin-webservice-1.3.1-1.mga{8|9}
fusiondirectory-schema-1.3.1-1.mga{8|9}

from SRPMS:
fusiondirectory-1.3.1-1.mga{8|9}.src.rpm

Version: Cauldron => 9
Status comment: Fixed upstream in 1.3.1 => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero

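The XSS entry points named in the advisory above are the message= and plug= query parameters of /fusiondirectory/index.php. The following is an added example, not part of this bug report and not FusionDirectory code: a small scanner that runs over web-server access log lines and flags requests whose decoded message= or plug= values carry tag or event-handler markup. The log lines are constructed for the example, and the scanner assumes that plug is a numeric plugin index (as in the plug=106 of the advisory), so any non-numeric plug value is reported on its own.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample in Apache combined log format; not a real capture.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2023:10:01:02 +0200] "GET /fusiondirectory/index.php?message=invalidparameter&plug=106 HTTP/1.1" 200 2130 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Sep/2023:10:01:07 +0200] "GET /fusiondirectory/index.php?message=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2201 "-" "curl/8.0"
10.0.0.9 - - [12/Sep/2023:10:01:09 +0200] "GET /fusiondirectory/index.php?message=invalidparameter&plug=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 2198 "-" "curl/8.0"
10.0.0.9 - - [12/Sep/2023:10:01:11 +0200] "GET /fusiondirectory/index.php?signout=1&message=%3Csvg/onload=alert(1)%3E&plug=106 HTTP/1.1" 302 0 "-" "curl/8.0"
10.0.0.7 - - [12/Sep/2023:10:02:00 +0200] "GET /fusiondirectory/index.php?signout=1&message=expired&plug=106 HTTP/1.1" 200 2130 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Sep/2023:10:02:30 +0200] "GET /static/logo.png HTTP/1.1" 200 4501 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markup that never belongs in these parameters: an opening or closing tag,
# an on*= event handler, or a javascript: URL.  Matched on the decoded value
# (decoded once more than parse_qs already does, to catch one extra layer
# of percent-encoding).
PAYLOAD_RE = re.compile(r'<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:', re.IGNORECASE)

# The two parameters named as injection points in the CVE-2022-36180 text.
WATCHED_PARAMS = ("message", "plug")


def is_suspicious_value(value: str) -> bool:
    """True if a parameter value carries tag or event-handler markup."""
    return bool(PAYLOAD_RE.search(unquote_plus(value)))


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per suspicious message=/plug= value on index.php."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/fusiondirectory/index.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                # Assumption: plug is a numeric plugin index (cf. plug=106),
                # so a non-numeric plug is reported even without markup.
                odd_plug = name == "plug" and not value.isdigit()
                if odd_plug or is_suspicious_value(value):
                    findings.append({
                        "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                        "param": name, "value": unquote_plus(value),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['param']}={f['value']!r}")
```

On the constructed sample, the three curl requests from 10.0.0.9 are reported and the two legitimate index.php requests (message=invalidparameter, message=expired, both with plug=106) are not. A 302 on the signout variant still counts: a reflected payload can land on the redirect target page, so the status code is recorded rather than used as a filter.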
Comment 4 Herman Viaene 2023-09-16 14:25:45 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues.
No wiki, no previous update, so googling brought me to https://fusiondirectory-user-manual.readthedocs.io/en/1.3/fusiondirectory/index.html
but trying to follow this (apart from the installation instructions) I run into problems.
According to this manual, I would need to run
# fusiondirectory-insert-schema -i /etc/openldap/schema/cosine.schema
but
Can't exec "ldap-schema-manager": No such file or directory at /usr/sbin/fusiondirectory-insert-schema line 37.
This is overcome by installing the schema2ldif package. Missing dependency???
and then:
# fusiondirectory-insert-schema -i /etc/openldap/schema/cosine.schema
! /etc/ldap/schema/fusiondirectory/ doesn't seems to exists
Note the difference between /etc/openldap/ and /etc/ldap/, this seems an inconsistency here.

CC: (none) => herman.viaene

