glpi: Multiple security vulnerabilities

Related Vulnerabilities: CVE-2013-5696  

Debian Bug report logs - #723837


Package: glpi; Maintainer for glpi is Pierre Chifflier <pollux@debian.org>; Source for glpi is src:glpi (PTS, buildd, popcon).

Reported by: Henri Salo <henri@nerv.fi>

Date: Fri, 20 Sep 2013 09:45:01 UTC

Severity: important

Tags: fixed-upstream, security

Found in version glpi/0.83.91-3

Fixed in version glpi/0.84.2-1

Done: Pierre Chifflier <pollux@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Pierre Chifflier <pollux@debian.org>:
Bug#723837; Package glpi. (Fri, 20 Sep 2013 09:45:06 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Pierre Chifflier <pollux@debian.org>. (Fri, 20 Sep 2013 09:45:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: glpi: Multiple security vulnerabilities
Date: Fri, 20 Sep 2013 12:42:26 +0300
Package: glpi
Version: 0.83.91-3
Severity: important
Tags: security, fixed-upstream

Fixed in GLPI 0.84.2.

* SQL Injection
* PHP Code Execution
* CSRF (seems that it is the vector for the SQL injection)

CVE split pending: http://www.openwall.com/lists/oss-security/2013/09/20/2
References:
http://www.glpi-project.org/spip.php?page=annonce&id_breve=308
https://forge.indepnet.net/issues/4480
https://www.htbridge.com/advisory/HTB23173

---
Henri Salo
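
The report gives the affected Debian version (0.83.91-3) and the fixing upload (0.84.2-1), so the practical question for an administrator is whether an installed glpi package sorts before the fix under dpkg's version-ordering rules. The following is an added example, not code from the bug report, from GLPI or from Debian: it reimplements dpkg's comparison algorithm (epoch, upstream version, Debian revision; alternating non-digit and numeric runs; `~` sorting before everything) and applies it to the two versions named above. Every other version string in it, such as a `~bpo70+1` backport revision, is constructed for illustration, and the `dpkg-query` call assumes a Debian host.

```python
"""Check whether a Debian glpi package version predates the upload that
closed #723837 (glpi 0.84.2-1), using dpkg's version-ordering rules.

Added example; not code from the bug report or from GLPI/Debian.
The only version strings taken from the report are 0.83.91-3 (affected)
and 0.84.2-1 (fixed); every other version below is constructed.
"""
import subprocess

FIXED_VERSION = "0.84.2-1"   # "Fixed in version" from Debian bug #723837


def _char_order(c):
    """dpkg's ordering for non-digit characters: '~' sorts before anything
    (even the end of the string), letters next, then other characters."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does:
    alternate between non-digit runs (compared by _char_order) and digit
    runs (compared numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # non-digit run: compare character by character
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _char_order(a[i]) if i < len(a) else 0
            bc = _char_order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: skip leading zeros, then compare numerically
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1          # a has more digits left, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split [epoch:]upstream_version[-debian_revision] into its parts.
    The last '-' separates the Debian revision; the upstream part may
    itself contain hyphens."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                       # no Debian revision at all
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as `dpkg --compare-versions` would order a and b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_affected(installed, fixed=FIXED_VERSION):
    """True if `installed` sorts before the fixing upload."""
    return compare_versions(installed, fixed) < 0


def installed_glpi_version():
    """Ask dpkg for the installed glpi version; None if it is not installed
    or this is not a Debian host (dpkg-query missing)."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f", "${Version}", "glpi"],
            capture_output=True, text=True, check=True,
        ).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None
    return out or None


if __name__ == "__main__":
    # 0.83.91-3 and 0.84.2-1 come from the report; the rest are constructed
    for v in ("0.83.91-3", "0.84.2-1", "0.84.2-1~bpo70+1", "0.84.10-1"):
        print(f"{v:20} affected={is_affected(v)}")
    current = installed_glpi_version()
    if current:
        print(f"installed glpi {current}: affected={is_affected(current)}")
```

One caveat: the check answers whether a version sorts before 0.84.2-1, not whether the fix is present. A stable point-update that backports the fix keeps the older upstream version number and would still report as affected here, so for stable releases the Debian security tracker entry for CVE-2013-5696 is the authority, not the version comparison.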

Reply sent to Pierre Chifflier <pollux@debian.org>:
You have taken responsibility. (Sun, 06 Oct 2013 16:06:12 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sun, 06 Oct 2013 16:06:12 GMT)


Message #10 received at 723837-close@bugs.debian.org:

From: Pierre Chifflier <pollux@debian.org>
To: 723837-close@bugs.debian.org
Subject: Bug#723837: fixed in glpi 0.84.2-1
Date: Sun, 06 Oct 2013 16:03:29 +0000
Source: glpi
Source-Version: 0.84.2-1

We believe that the bug you reported is fixed in the latest version of
glpi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 723837@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Chifflier <pollux@debian.org> (supplier of updated glpi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 06 Oct 2013 17:42:11 +0200
Source: glpi
Binary: glpi
Architecture: source all
Version: 0.84.2-1
Distribution: unstable
Urgency: low
Maintainer: Pierre Chifflier <pollux@debian.org>
Changed-By: Pierre Chifflier <pollux@debian.org>
Description: 
 glpi       - IT and Asset management software
Closes: 722454 723837
Changes: 
 glpi (0.84.2-1) unstable; urgency=low
 .
   * Imported Upstream version 0.84
   * Update SQL file location in installer
   * Imported Upstream version 0.84.2 (Closes: #723837)
     Security fixes:
     - CVE-2013-5696 multiple vulnerabilities in install.php script
   * Merge patch from Adam Cécile (Closes: #722454):
     - Add 00-fix-css-typo patch
     - Add 01-upgrade-from-0.71-fix patch
     - Add missing libjs-extjs dependency
     - Add cron.d for scheduled/recurring tasks
     - Fix symlinks for external dependencies
Checksums-Sha1: 
 aa3161c1371c57709aad1200418d962c9af8bdf0 1344 glpi_0.84.2-1.dsc
 77351e056161b3fc2ab14cd9ce549c774b80b986 10074325 glpi_0.84.2.orig.tar.gz
 7dc694dffd350e6f8d4cfba427f7ff95b2533230 17624 glpi_0.84.2-1.debian.tar.gz
 d9dbea1b83485ddc4fb721125cd593196450ee5d 3259512 glpi_0.84.2-1_all.deb
Checksums-Sha256: 
 cc77947150914a0348c2ed40f42dc0573cae26f927c738499c4c617310cd0fd3 1344 glpi_0.84.2-1.dsc
 1e18b58ee5c58cf9cf8989586e549c7c4c3b702c3d085364ae9417ab8ebb0de7 10074325 glpi_0.84.2.orig.tar.gz
 350f21616318168a4cbaa59e1dbd650354b8b585ffb37333f04d131d122053ba 17624 glpi_0.84.2-1.debian.tar.gz
 69a0953ea014d1b6b6d46c7755438d5ee58913b9a42c6530586576b7b1e913ae 3259512 glpi_0.84.2-1_all.deb
Files: 
 2001b5d7f0a55249ec869f23f98a4fec 1344 web optional glpi_0.84.2-1.dsc
 ad4d0e2830b316182e4028349ab6bcc1 10074325 web optional glpi_0.84.2.orig.tar.gz
 4f27bcdff8c52ab9c82fdcbb4af8dd1a 17624 web optional glpi_0.84.2-1.debian.tar.gz
 76052fb97d12b0571281731cabdc893a 3259512 web optional glpi_0.84.2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQEcBAEBAgAGBQJSUYXMAAoJEFqCeQfe0MQYFhEIAMizA8exKOu/sP6YcSGYFYWL
CyVb6h+8wCnsFKQfzHfYrSGKew1GLfxIfwjE2U9whDb3+ZLC5i+vRLgT8bP78IiT
NlMGw90AvVgAUVd+NpTpCswbhlDZUKYWUMdLQSRm3r2olK90S5HVPlPrryRSlC0c
lYnJcQ3aPLKZjcAqvUx7dKobbjO16fZvxpP+hoBKXUHbLL2GPFjYskeCRqNVHvxr
jFu1qsNedZkBaTnrh8Y9whAqQcBPZiYGSWF+YfB9OMFQw1ryWI4gH8ILDFMooMUs
BN5NSnW5Mee2kYjsU5KxVeJyI/0bYhq4y57Jy9WIG0iinHdB8fSRcN4uwHjcjXU=
=ol2x
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 15 Nov 2013 07:29:57 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:04:59 2019; Machine Name: buxtehude
