Guillaume Rousse has built an update for Mageia 1 and Mageia 2 to fix this issue, which was fixed upstream in 0.83.3. Cauldron has also been updated. 0.83.3 also fixed a CSRF issue, but the changeset was too complex to backport, so this update will only fix the XSS issue.

Advisory:
========================

Updated glpi package fixes security vulnerability:

Multiple XSS issues affecting glpi versions prior to 0.83.3 have been corrected (CVE-2012-4003).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4003
https://forge.indepnet.net/issues/3705
http://www.glpi-project.org/spip.php?page=annonce&id_breve=275&lang=en
========================

Updated packages in core/updates_testing:
========================
glpi-0.78.2-2.3.mga1
glpi-0.80.7-2.1.mga2

from SRPMS:
glpi-0.78.2-2.3.mga1.src.rpm
glpi-0.80.7-2.1.mga2.src.rpm

CC: (none) => guillomovitch
Blocks: (none) => 6762
Whiteboard: (none) => MGA1TOO
Couldn't get glpi to run because of mysql errors, will try again in the next few days to relax... (seriously)
CC: (none) => ed_rus099
Testing complete on Mageia 1 i586. Just testing that the package works. Added a location, and a computer entry. Eduard, I ran into the same problem accessing the mysql server, even though I could access it using phpmyadmin. I replaced /etc/php.ini with /usr/share/doc/php-doc/php.ini-development, and restarted the httpd service, expecting it to provide a more detailed error message. I was able to access the mysql server in glpi. I had restarted the http server after installing glpi, so it looks like there is something in the default php.ini that is preventing glpi from accessing the mysql server. I'll test Mageia 1 x86-64 and try to work out exactly which php.ini change(s) is(are) required to allow glpi to work.
CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO MGA1-32-OK
Forgot to note that the License display is blank. Turns out commenting out the line "skip-networking" in /etc/my.cnf also works. Didn't have to use the dev php.ini. On Mageia 1 x86-64, in the step "Checking of the compatibility of your environment with the execution of GLPI", I'm getting the error "Mbstring extension of your parser PHP is not installed", so it looks like there is a missing dependency for php-mbstring. As this is a security update, I'll open a new bug report for the missing dependency and the missing license. Once I installed php-mbstring, the program is working. Testing complete on Mageia 1 x86-64.
Whiteboard: MGA1TOO MGA1-32-OK => MGA1TOO MGA1-32-OK MGA1-64-OK
Testing Mageia 2 i586 shortly.
Testing complete on Mageia 2 i586. The missing php-mbstring dependency and blank license apply to Mageia 2 as well. Testing Mageia 2 x86-64 shortly.
Whiteboard: MGA1TOO MGA1-32-OK MGA1-64-OK => MGA1TOO MGA1-32-OK MGA1-64-OK MGA1-32-OK
Bug 7157 opened for the missing requires and blank license. Testing complete on Mageia 2 x86-64.

Could someone from the sysadmin team push the srpm glpi-0.80.7-2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates and the srpm glpi-0.78.2-2.3.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates.

Advisory:

Updated glpi package fixes security vulnerability:

Multiple XSS issues affecting glpi versions prior to 0.83.3 have been corrected (CVE-2012-4003).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4003
https://forge.indepnet.net/issues/3705
http://www.glpi-project.org/spip.php?page=annonce&id_breve=275&lang=e
https://bugs.mageia.org/show_bug.cgi?id=7126

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA1-32-OK MGA1-64-OK MGA1-32-OK => MGA1TOO MGA1-32-OK MGA1-64-OK MGA2-32-OK MGA2-64-OK
Since this hasn't been pushed yet, Bug 7157 now blocks this.
Depends on: (none) => 7157
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0250
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED