From ${URL} : A cross-site scripting (XSS) flaw was discovered in the Ganglia web interface: https://github.com/ganglia/ganglia-web/issues/218 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730507 Quoting from the original report: "" Temporary Workaround and Fix ============================ Apply the following patch to properly encode the variable: --- header.php.old 2013-09-30 21:07:26.272287657 +0200 +++ header.php 2013-09-30 21:09:42.226281990 +0200 @@ -491,7 +491,7 @@ $data->assign("custom_time", $custom_tim ///////////////////////////////////////////////////////////////////////// if ( $context == "cluster" ) { if ( isset($user['host_regex']) && $user['host_regex'] != "" ) - $set_host_regex_value="value='" . $user['host_regex'] . "'"; + $set_host_regex_value="value='" . htmlentities($user['host_regex'], ENT_QUOTES) . "'"; else $set_host_regex_value=""; "" @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2013-6395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6395): Cross-site scripting (XSS) vulnerability in header.php in Ganglia Web 3.5.8 and 3.5.10 allows remote attackers to inject arbitrary web script or HTML via the host_regex parameter to the default URI, which is processed by get_context.php.
23 Dec 2013; Justin Bronder <jsbronder@gentoo.org> +ganglia-web-3.5.6-r1.ebuild, -ganglia-web-3.5.8.ebuild, +ganglia-web-3.5.8-r1.ebuild, -ganglia-web-3.5.10.ebuild, +ganglia-web-3.5.10-r1.ebuild, +files/CVE-2013-6395-fix-xss.patch: Add patch to fix CVE-2013-6395 (#492580). @security, please fast track stablizing 3.5.6-r1. The only change to any of these ebuilds was to add the patch posted in the original report. Thanks,
old bug. new ebuilds with proper patch. 3.5.8-r1 stable in tree.
GLSA Vote: No