Bug 564242 (CVE-2015-8010) - <net-analyzer/icinga-1.13.3-r1: XSS (CVE-2015-8010)
Summary: <net-analyzer/icinga-1.13.3-r1: XSS (CVE-2015-8010)
Status: RESOLVED FIXED
Alias: CVE-2015-8010
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-27 08:39 UTC by Agostino Sarubbo
Modified: 2015-11-16 22:37 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2015-10-27 08:39:35 UTC
From ${URL} :

there is an XSS vulnerability in Icinga Classic-UI 1.13.3.

This got originally introduced with this issue https://dev.icinga.org/issues/593 and version 1.3.

Example: http://classic.demo.icinga.org/icinga/cgi-bin/status.cgi?host=all&'onmouseover='prompt(25435);'bad='

More info can be found in this issue: https://dev.icinga.org/issues/10453



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
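As an added example (not Icinga's code and not from this bug report), the following C program models the bug class the report describes: a CGI query value reflected into an HTML attribute without escaping, so that a single quote in the input closes the attribute and the rest of the input becomes new attributes such as onmouseover. The attacker string is the one from the example URL above; the function names, the markup, and the choice of which parameter is reflected are assumptions for illustration, and nothing here claims where exactly in status.cgi Icinga reflected the input. The "safe" renderer applies the usual fix, entity-encoding the five HTML metacharacters before the value reaches the attribute.

```c
/* Added example, not Icinga's code: the reflected-attribute XSS pattern
 * behind a bug like CVE-2015-8010, beside an escaping fix. Function names,
 * markup and the demo input are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed attacker input: the injected part of the report's example URL,
 * as it would arrive in the CGI after URL decoding. */
static const char *DEMO_INPUT = "'onmouseover='prompt(25435);'bad='";

/* Escape a string for use inside a single- or double-quoted HTML attribute
 * value. Returns a malloc'd buffer; the caller frees it. */
char *html_escape_attr(const char *in) {
    size_t out_len = 0;
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '&':  out_len += 5; break;  /* &amp;  */
        case '<':  out_len += 4; break;  /* &lt;   */
        case '>':  out_len += 4; break;  /* &gt;   */
        case '"':  out_len += 6; break;  /* &quot; */
        case '\'': out_len += 5; break;  /* &#39;  */
        default:   out_len += 1; break;
        }
    }
    char *out = malloc(out_len + 1);
    if (!out) return NULL;
    char *q = out;
    for (const char *p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { size_t n = strlen(rep); memcpy(q, rep, n); q += n; }
        else *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Primitive that pastes a value into a single-quoted attribute verbatim.
 * Handing it raw request data is exactly the vulnerable pattern. */
char *render_host_input_raw(const char *value) {
    size_t n = strlen("<input type='hidden' name='host' value='%s'>") + strlen(value) + 1;
    char *buf = malloc(n);
    if (!buf) return NULL;
    snprintf(buf, n, "<input type='hidden' name='host' value='%s'>", value);
    return buf;
}

/* "Before": the CGI parameter goes straight into the markup. */
char *render_host_input_vulnerable(const char *host) {
    return render_host_input_raw(host);
}

/* "After": same markup, but the parameter is entity-encoded first, so the
 * attacker's quote can no longer terminate the attribute value. */
char *render_host_input_safe(const char *host) {
    char *esc = html_escape_attr(host);
    if (!esc) return NULL;
    char *buf = render_host_input_raw(esc);
    free(esc);
    return buf;
}

/* Detection check used by the demo: did an attribute the template never
 * wrote (a quote followed by onmouseover=) appear in the rendered HTML? */
int injects_onmouseover(const char *html) {
    return strstr(html, "'onmouseover=") != NULL;
}

int main(void) {
    char *bad = render_host_input_vulnerable(DEMO_INPUT);
    char *good = render_host_input_safe(DEMO_INPUT);
    printf("vulnerable: %s\n", bad);
    printf("fixed:      %s\n", good);
    printf("injection in vulnerable output: %s\n", injects_onmouseover(bad) ? "yes" : "no");
    printf("injection in fixed output:      %s\n", injects_onmouseover(good) ? "yes" : "no");
    free(bad);
    free(good);
    return 0;
}
```

The same check is what a reviewer would run against the fix commit referenced later in this bug: request the CGI with a quote-bearing value, and confirm the response carries `&#39;` (or `&quot;`) where the raw quote used to be rather than a new attribute.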
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-11-02 20:46:21 UTC
arches, please stabilize the following

=net-analyzer/icinga-1.13.3
Comment 2 Agostino Sarubbo gentoo-dev 2015-11-03 17:12:47 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2015-11-03 17:13:58 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-11-03 17:44:14 UTC
cleaned up
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-11-03 20:42:25 UTC
Arches and Maintainer(s), Thank you for your work.

Security Please Vote.
GLSA Vote: No
Comment 6 Icebird2000 2015-11-04 21:59:36 UTC
Hello,

the vulnerability is also in Icinga Classic-UI 1.13.3!

So this problem still exists.

It is fixed with this commit 

https://dev.icinga.org/projects/icinga-core/repository/revisions/5c816f5d9352c373e9dadb95b63612a96cf96dff
Comment 8 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-11-04 23:12:19 UTC
fixed in r1, arches please stabilize the following

=net-analyzer/icinga-1.13.3-r1
Comment 9 Icebird2000 2015-11-04 23:29:10 UTC
The file CVE-2015-8010_1.13.3.patch in git repo is empty.
Comment 10 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-11-04 23:38:13 UTC
ok, fixed it
Comment 11 Agostino Sarubbo gentoo-dev 2015-11-05 10:06:45 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-11-05 10:07:44 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-11-05 10:46:41 UTC
cleaned up
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 22:00:13 UTC
Vote: NO.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-11-16 22:37:07 UTC
GLSA Vote: No

Thank you all. Closing as noglsa.