From the upstream advisory at $URL: Description Weak random number generation during password reset leads to possibility of changing a user's password. Affected Installs Joomla! version 1.5.24 and all earlier 1.5 versions Solution Upgrade to the latest Joomla! 1.5 version (1.5.25 or later)
First thank you for your work on making gentoo more secure. I've already notify fauli about this. So the bump is on it's way. But he's very busy right now. Please note that 1.6.X and <1.7.3 are also affected by this vulnerability. url: http://developer.joomla.org/security/news/374-20111102-core-password-change.html Also 1.6.X and <1.7.3 are affected by a XSS vuln url: http://developer.joomla.org/security/news/373-20111101-core-xss-vulnerability.html This concerns us since we have 1.7.2 in the tree.
Before end of November I will not come to this. Bump it yourself please, should be straightforward.
*** Bug 391929 has been marked as a duplicate of this bug. ***
Created attachment 295231 [details, diff] patch for upgrade Somebody can apply this to bump joomla 1.5 in the tree
Created attachment 295233 [details, diff] patch for upgrade Somebody can use this to bump Joomla 1.7
CVE-2011-4321 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4321): The password reset functionality in Joomla! 1.5.x through 1.5.24 uses weak random numbers, which makes it easier for remote attackers to change the passwords of arbitrary users via unspecified vectors.
ebuild added, thanks for the patience.
Thanks, Christian. Closing noglsa.
