Gentoo Bugzilla
Bug 555850 - <www-apps/joomla-3.4.3: Multiple vulnerabilities (CVE-2015-5397)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: ~2 [noglsa cve]
Reported: 2015-07-25 09:08 UTC by Dainius Masiliūnas
Modified: 2015-09-13 14:22 UTC (History)
Description Dainius Masiliūnas 2015-07-25 09:08:36 UTC
The current Joomla version in portage is 3.4.1, which is affected by multiple vulnerabilities:

[20150601] - Core - Open Redirect:
Inadequate checking of the return value allowed redirecting to an external page.
http://developer.joomla.org/security-centre/617-20150601-core-open-redirect.html

[20150602] - Core - CSRF Protection
Lack of CSRF checks potentially enabled uploading malicious code.
http://developer.joomla.org/security-centre/618-20150602-core-remote-code-execution.html
CVE-2015-5397 ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5397 )

At the moment of writing, the current Joomla release is 3.4.3, so a version bump would solve this.

Reproducible: Always
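The two weaknesses above come down to two checks that were missing or too weak: verifying that a "return" URL really points back into the site before redirecting, and verifying a per-session token before acting on a state-changing request such as an upload. The block below is an added example, not Joomla's own code or the patch shipped in 3.4.2/3.4.3; the function names, the session/request array layout and the sample inputs are assumptions made for illustration. Joomla passes its return URL base64-encoded, which is why the helper decodes before validating.

```php
<?php
// Added example (not Joomla's code): a same-host check for a "return" URL
// and a constant-time CSRF token check. Names and inputs are assumptions.
declare(strict_types=1);

/**
 * True only if $url stays on $ownHost. Covers the inputs a naive
 * "starts with a slash" check gets wrong: scheme-relative //host, absolute
 * URLs to other hosts, userinfo tricks (https://own@evil), non-http
 * schemes (javascript:, data:) and backslashes that browsers treat as slashes.
 */
function isInternalUrl(string $url, string $ownHost): bool
{
    $url = trim($url);
    if ($url === '') {
        return false;
    }
    // Browsers normalise "\" to "/", so "/\evil.example" is really "//evil.example".
    $url = str_replace('\\', '/', $url);
    $schemeRelative = strncmp($url, '//', 2) === 0;

    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    if (isset($parts['host'])) {
        // Absolute or scheme-relative: scheme (if any) must be http(s) and host must be ours.
        if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return false;
        }
        return strcasecmp($parts['host'], $ownHost) === 0;
    }
    // No host parsed: reject anything that still carries a scheme
    // ("javascript:alert(1)", "http:evil.example") or looked scheme-relative.
    if ($schemeRelative || isset($parts['scheme'])) {
        return false;
    }
    return true; // plain relative path such as "index.php?option=com_users"
}

/** Decode a base64 "return" parameter and fall back to a safe page if it is not internal. */
function safeReturnUrl(string $encoded, string $ownHost, string $fallback = 'index.php'): string
{
    $decoded = base64_decode($encoded, true);
    if ($decoded === false || !isInternalUrl($decoded, $ownHost)) {
        return $fallback;
    }
    return $decoded;
}

/** Compare the submitted token with the session token in constant time. */
function checkCsrfToken(array $session, array $request, string $field = 'csrf_token'): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $request[$field] ?? '';
    if (!is_string($expected) || !is_string($given) || $expected === '' || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// Constructed sample inputs (assumption: the site is served from www.example.org).
$own = 'www.example.org';
foreach ([
    'index.php?option=com_users',          // relative: accepted
    '/administrator/index.php',            // absolute path: accepted
    'https://www.example.org/index.php',   // same host: accepted
    '//evil.example/',                     // scheme-relative: rejected
    '/\\evil.example/',                    // backslash variant: rejected
    'https://www.example.org@evil.example/', // userinfo trick: rejected
    'javascript:alert(1)',                 // non-http scheme: rejected
    'http:evil.example',                   // scheme without host: rejected
] as $candidate) {
    printf("%-40s %s\n", $candidate, isInternalUrl($candidate, $own) ? 'internal' : 'REJECTED');
}
echo safeReturnUrl(base64_encode('//evil.example/'), $own), "\n"; // index.php

$session = ['csrf_token' => bin2hex(random_bytes(16))];
var_dump(checkCsrfToken($session, ['csrf_token' => $session['csrf_token']])); // bool(true)
var_dump(checkCsrfToken($session, []));                                        // bool(false)
```

The upload handler would call checkCsrfToken() before touching the request body and abort with a 403 on failure; the token must be generated per session (random_bytes, as above) and compared with hash_equals rather than ==.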
Comment 1 Dainius Masiliūnas 2015-07-31 22:13:13 UTC
Should I also create a version bump request?
Comment 2 Harold Anderson 2015-07-31 22:29:05 UTC
You don't have to submit a version bump. I will fix it, but it might take a bit of time.
Comment 3 Harold Anderson 2015-08-09 14:58:54 UTC
I have added joomla-3.4.3 to my overlay (hnaparst) and will ask to have it added to portage.
Comment 4 Yixun Lan archtester gentoo-dev 2015-08-12 01:29:51 UTC
Dropped vulnerable version 3.4.1 and bumped to 3.4.3
(proxy for Harold Naparst)

@security team, please proceed
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-09-13 14:20:26 UTC
Maintainer(s), thank you for your work.

Closing noglsa.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-09-13 14:22:05 UTC
CVE-2015-5397 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5397):
  Cross-site request forgery (CSRF) vulnerability in Joomla! 3.2.0 through
  3.3.x and 3.4.x before 3.4.2 allows remote attackers to hijack the
  authentication of unspecified victims for requests that upload code via
  unknown vectors.