Bug 456812 (CVE-2013-0275) - <sys-cluster/ganglia-web-3.5.6: Multiple Cross-Site Scripting Vulnerabilities (CVE-2013-0275)
Summary: <sys-cluster/ganglia-web-3.5.6: Multiple Cross-Site Scripting Vulnerabilities...
Status: RESOLVED FIXED
Alias: CVE-2013-0275
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/52100/
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-11 17:34 UTC by Agostino Sarubbo
Modified: 2013-03-22 14:47 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2013-02-11 17:34:26 UTC
From ${URL}:

Description
Multiple vulnerabilities have been reported in Ganglia, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via multiple parameters and scripts is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

List of affected scripts and parameters:
http://[host]/autorotation.php?view_name
http://[host]/actions.php?hreg
http://[host]/actions.php?mreg
http://[host]/actions.php?host_name
http://[host]/actions.php?metric_name
http://[host]/views_view.php?view_filename
http://[host]/views.php?r
http://[host]/views.php?cs
http://[host]/views.php?ce
http://[host]/trend_navigation.php?key
http://[host]/trend_navigation.php?query_string
http://[host]/mobile_helper.php?view_name
http://[host]/mobile_helper.php?r
http://[host]/mobile_helper.php?cs
http://[host]/mobile_helper.php?ce
http://[host]/mobile_helper.php?clustername
http://[host]/mobile_helper.php?hostname
http://[host]/mobile_helper.php?range
http://[host]/header.php?selected_tab
http://[host]/graph_all_periods.php?h
http://[host]/graph_all_periods.php?c
http://[host]/graph_all_periods.php?g
http://[host]/graph_all_periods.php?m
http://[host]/graph_all_periods.php?hreg
http://[host]/graph_all_periods.php?mreg
http://[host]/decompose_graph.php?hreg
http://[host]/decompose_graph.php?mreg
http://[host]/compare_hosts.php?hreg

The vulnerabilities are reported in version 3.5.4. Other versions may also be affected.


Solution
Fixed in the source code repository.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=892823
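The advisory above lists the affected script/parameter pairs but no way to check a running instance. The following is an added example written for this page; it is not code from the bug report, from Secunia, or from the Ganglia project. It builds one probe URL per listed pair carrying a canary with the characters an HTML-escaping fix has to neutralise, then classifies each response by how the canary comes back: raw (an XSS sink), fully entity-encoded, partially encoded, or not reflected. The "encoded" verdict assumes the fix escapes values the way PHP's htmlspecialchars with ENT_QUOTES does, which the advisory does not state. The host name, the canary tag, and the fake server used for the offline demo are all constructed here; fetching is delegated to a caller-supplied get(url) function so that a real run can pass in, for example, a requests session.

```python
"""Reflection probe for the Ganglia Web parameters in the CVE-2013-0275
advisory. Added example for this page, not Ganglia's or Secunia's code."""

from html import escape
from urllib.parse import urlencode, parse_qs

# Script -> parameters, copied from the advisory's list of affected inputs.
AFFECTED = {
    "autorotation.php": ["view_name"],
    "actions.php": ["hreg", "mreg", "host_name", "metric_name"],
    "views_view.php": ["view_filename"],
    "views.php": ["r", "cs", "ce"],
    "trend_navigation.php": ["key", "query_string"],
    "mobile_helper.php": ["view_name", "r", "cs", "ce", "clustername", "hostname", "range"],
    "header.php": ["selected_tab"],
    "graph_all_periods.php": ["h", "c", "g", "m", "hreg", "mreg"],
    "decompose_graph.php": ["hreg", "mreg"],
    "compare_hosts.php": ["hreg"],
}


def canary(tag: str) -> str:
    """Attribute-breaking quote, tag-opening bracket and a recognisable tag
    name, so that partial escaping can still be spotted in the body."""
    return f'"><{tag}>'


def probe_urls(base_url: str, tag: str):
    """Yield (script, param, url) for every affected pair, canary included."""
    base = base_url.rstrip("/")
    c = canary(tag)
    for script, params in AFFECTED.items():
        for param in params:
            yield script, param, f"{base}/{script}?{urlencode({param: c})}"


def classify(body: str, tag: str) -> str:
    """unencoded: raw canary present, the parameter is an XSS sink.
    encoded:   only the htmlspecialchars/ENT_QUOTES form is present (assumed fix).
    partial:   tag name visible but neither whole form matched, e.g. only < and >
               escaped while the quote survived; inspect by hand.
    absent:    the value is not reflected on this page."""
    c = canary(tag)
    if c in body:
        return "unencoded"
    if escape(c, quote=True) in body:
        return "encoded"
    if tag in body:
        return "partial"
    return "absent"


def scan(base_url: str, get, tag: str = "gxss7f3a") -> dict:
    """Run every probe through get(url) -> str; return {(script, param): verdict}."""
    return {(s, p): classify(get(url), tag) for s, p, url in probe_urls(base_url, tag)}


# --- constructed fake server for the offline demo; not a real Ganglia -----
def fake_ganglia(url: str) -> str:
    """Echoes the first query value into an attribute. actions.php echoes it
    raw (the bug), views.php entity-escapes it (the assumed fix), header.php
    escapes only angle brackets (partial), everything else ignores input."""
    path, _, query = url.partition("?")
    script = path.rsplit("/", 1)[-1]
    value = next(iter(parse_qs(query).values()), [""])[0]
    if script == "actions.php":
        return f'<input name="x" value="{value}">'
    if script == "views.php":
        return f'<input name="x" value="{escape(value, quote=True)}">'
    if script == "header.php":
        return f'<input name="x" value="{escape(value, quote=False)}">'
    return "<html><body>ok</body></html>"


if __name__ == "__main__":
    # Constructed host name; replace get() with a real HTTP client for a live check.
    for (script, param), verdict in scan("http://ganglia.example.test/", fake_ganglia).items():
        print(f"{script:<24} {param:<14} {verdict}")
```

Against a live instance, pass a getter such as `lambda u: requests.get(u, timeout=5).text` and treat any "unencoded" or "partial" verdict as confirmation that the deployed ganglia-web still carries the issue; the "partial" class exists because escaping only angle brackets leaves the attribute-closing quote intact, which is enough for injection in an attribute context.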
Comment 1 Justin Bronder (RETIRED) gentoo-dev 2013-02-14 15:22:42 UTC
Sent a query to upstream regarding the best approach:

http://sourceforge.net/mailarchive/forum.php?thread_name=20130214151952.GL13486%40gmail.com&forum_name=ganglia-general
Comment 2 Justin Bronder (RETIRED) gentoo-dev 2013-02-15 17:16:43 UTC
  15 Feb 2013; Justin Bronder <jsbronder@gentoo.org> -ganglia-web-3.5.4.ebuild,
  +ganglia-web-3.5.6.ebuild:
  Version bump, contains fix for CVE-2013-0275. Drop old unstable.

@security:  if you want to fast stable it's ok with me.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-24 13:17:06 UTC
(In reply to comment #2)
>   15 Feb 2013; Justin Bronder <jsbronder@gentoo.org>
> -ganglia-web-3.5.4.ebuild,
>   +ganglia-web-3.5.6.ebuild:
>   Version bump, contains fix for CVE-2013-0275. Drop old unstable.
> 
> @security:  if you want to fast stable it's ok with me.

Thanks, Justin.

Arches, please test and mark stable.
Comment 4 Agostino Sarubbo gentoo-dev 2013-02-24 14:46:54 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-02-24 17:35:26 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-02-24 17:37:20 UTC
x86 stable
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-03-21 18:43:01 UTC
CVE-2013-0275 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0275):
  Multiple cross-site scripting (XSS) vulnerabilities in Ganglia Web before
  3.5.6 allow remote attackers to inject arbitrary web script or HTML via
  unspecified vectors.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-22 14:47:34 UTC
Closing noglsa for XSS issues.