Bug 748072 (CVE-2011-4024)
| Summary: | CVE-2011-4024 ocsinventory: XSS flaw | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | fedora, jlieskov, xavier |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-03-22 01:47:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Vincent Danen
2011-10-21 22:20:34 UTC
I'm not sure that this affects Fedora (as we ship 1.3.3). Unfortunately, I am completely unable to find any patch for this and the upstream web site is really unhelpful. Since there is no contact info on the site, I'm currently trying to find someone on IRC who may have further information. Bug also affects version 1.3.3. As an upgrade to 2.0.2 is not immediately possible (major code changes, bundled libraires, ...) I have wrote a patch, inspired from 2.0.2 fix. I'm waiting for upstream feedback and will push a quick update soon. About this issue, GLPI, when synchronized with OCS, is not affected (data are properly cleaned before insert in the GLPI DB). This issue affects the versions of the ocsinventory package, as shipped with Fedora release of 14 and 15. -- This issue affects the versions of the ocsinventory package, as shipped within Fedora EPEL 4, Fedora EPEL 5 and Fedora EPEL 6 repositories. This issue has been scheduled to be corrected in the following updates: 1) ocsinventory-1.3.3-5.fc16, 2) ocsinventory-1.3.3-5.fc15, 3) ocsinventory-1.3.3-5.fc14, 4) ocsinventory-1.3.3-5.el6, 5) ocsinventory-1.3.3-5.el5, 6) ocsinventory-1.3.3-5.el4. The above packages have been pushed to particular -testing repositories, and upon required level of testing they will be pushed to -stable repositories. Relevant upstream patches for the server code (thanks to Remi Collet for providing those): [1] http://bazaar.launchpad.net/~ocsinventory-core/ocsinventory-ocsreports/stable-2.0/revision/789 [2] http://bazaar.launchpad.net/~ocsinventory-core/ocsinventory-ocsreports/stable-2.0/revision/792 ocsinventory-1.3.3-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. ocsinventory-1.3.3-5.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report. ocsinventory-1.3.3-5.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. ocsinventory-1.3.3-5.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report. ocsinventory-1.3.3-5.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. ocsinventory-1.3.3-5.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. |