Description:
A vulnerability has been reported in Ganglia, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an unspecified error and can be exploited to execute arbitrary PHP code. The vulnerability is reported in versions 3.1.7 through 3.5.0. Other versions may also be affected.

Solution:
Update to version 3.5.1.
CVE assignment per http://www.openwall.com/lists/oss-security/2012/08/02/1
CVE-2012-3448 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3448): Unspecified vulnerability in Ganglia Web before 3.5.1 allows remote attackers to execute arbitrary PHP code via unknown attack vectors.
*** Bug 433048 has been marked as a duplicate of this bug. ***
*ganglia-web-3.5.2 (04 Sep 2012)

04 Sep 2012; Justin Bronder <jsbronder@gentoo.org>
+ganglia-web-3.5.2.ebuild,
+metadata.xml:
Add sys-cluster/ganglia-web to match upstream development. Resolves #428776
(In reply to comment #4)
> *ganglia-web-3.5.2 (04 Sep 2012)
>
> 04 Sep 2012; Justin Bronder <jsbronder@gentoo.org>
> +ganglia-web-3.5.2.ebuild,
> +metadata.xml:
> Add sys-cluster/ganglia-web to match upstream development. Resolves #428776

Thanks, Justin. So ganglia-web replaces ganglia? And are we ready to stabilize 3.5.2?
(In reply to comment #5)
> (In reply to comment #4)
> > *ganglia-web-3.5.2 (04 Sep 2012)
> >
> > 04 Sep 2012; Justin Bronder <jsbronder@gentoo.org>
> > +ganglia-web-3.5.2.ebuild,
> > +metadata.xml:
> > Add sys-cluster/ganglia-web to match upstream development. Resolves #428776
>
> Thanks, Justin. So ganglia-web replaces ganglia? And are we ready to
> stabilize 3.5.2?

ganglia-web replaces the web component of ganglia which had this vulnerability. I'd like to let the two sit in the tree for a couple of weeks just to get some usage before going for stable as this is a decent sized change to how things were being packaged. However, if the security team thinks this vulnerability should be addressed now, then I have no problem with going ahead with stabilization.
Been a couple of weeks with no bugs, please feel free to go forward with stabilization.
Targets:
=sys-cluster/ganglia-3.4.0 amd64 ppc x86
=sys-cluster/ganglia-web-3.5.2 amd64 ppc x86
(In reply to comment #8)
> Targets:
> =sys-cluster/ganglia-3.4.0 amd64 ppc x86

There is no ganglia-3.4.0 in the tree up to now!?

# ls /usr/portage/sys-cluster/ganglia
ChangeLog Manifest files ganglia-3.2.0.ebuild ganglia-3.3.7.ebuild metadata.xml
(In reply to comment #9)
> (In reply to comment #8)
> > Targets:
> > =sys-cluster/ganglia-3.4.0 amd64 ppc x86
>
> There is no ganglia-3.4.0 in the tree up to now!?
> # ls /usr/portage/sys-cluster/ganglia
> ChangeLog Manifest files ganglia-3.2.0.ebuild ganglia-3.3.7.ebuild
> metadata.xml

You're right. Sorry for that, I've looked in the wrong place.

Correct targets:
=sys-cluster/ganglia-3.3.7 amd64 ppc x86
=sys-cluster/ganglia-web-3.5.2 amd64 ppc x86
x86 done.
=sys-cluster/ganglia-3.3.7 tested on amd64. As part of bug 435784, everything looks fine.
=sys-cluster/ganglia-web-3.5.2 tested on amd64.
amd64 stable
stable ppc
Thanks, everyone. Filing a new GLSA request.
This issue was resolved and addressed in GLSA 201412-10 at http://security.gentoo.org/glsa/glsa-201412-10.xml by GLSA coordinator Sean Amoss (ackle).