640532 – (CVE-2017-11481, CVE-2017-11482) <www-apps/kibana-bin-{5.6.5,6.0.1}: Multiple vulnerabilities

Bug 640532 (CVE-2017-11481, CVE-2017-11482) - <www-apps/kibana-bin-{5.6.5,6.0.1}: Multiple vulnerabilities

Summary: <www-apps/kibana-bin-{5.6.5,6.0.1}: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2017-11481, CVE-2017-11482

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-12-10 16:10 UTC by GLSAMaker/CVETool Bot
Modified:	2018-01-25 22:01 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2017-12-10 16:10:26 UTC

CVE-2017-11482 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11482):
  The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack
  installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect
  vulnerability on the login page that would enable an attacker to craft a
  link that redirects to an arbitrary website.

CVE-2017-11481 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11481):
  Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS)
  vulnerability via URL fields that could allow an attacker to obtain
  sensitive information from or perform destructive actions on behalf of other
  Kibana users.

Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-12-10 16:11:17 UTC

@Maintainers please let us know when tree is clean.

Thank you

Comment 2 Tomáš Mózes 2017-12-11 06:10:25 UTC

https://github.com/gentoo/gentoo/pull/6514

Comment 3 Larry the Git Cow gentoo-dev

2017-12-14 18:25:00 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=745ad968f00a49b584a025bce88b95e2d89a4d8d

commit 745ad968f00a49b584a025bce88b95e2d89a4d8d
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2017-12-14 14:18:53 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-12-14 18:24:52 +0000

    www-apps/kibana-bin: drop old vulnerable.
    
    Bug: https://bugs.gentoo.org/640532
    Package-Manager: Portage-2.3.18, Repoman-2.3.6

 www-apps/kibana-bin/Manifest                |  5 ---
 www-apps/kibana-bin/kibana-bin-5.5.2.ebuild | 66 -----------------------------
 www-apps/kibana-bin/kibana-bin-5.6.4.ebuild | 66 -----------------------------
 www-apps/kibana-bin/kibana-bin-6.0.0.ebuild | 61 --------------------------
 4 files changed, 198 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71f119b80cf06485afcb802689f48ae24dc39642

commit 71f119b80cf06485afcb802689f48ae24dc39642
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2017-12-14 14:18:04 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-12-14 18:24:50 +0000

    www-apps/kibana-bin: version bump to 5.6.5/6.0.1.
    
    Bug: https://bugs.gentoo.org/640532
    Package-Manager: Portage-2.3.18, Repoman-2.3.6
    Closes: https://github.com/gentoo/gentoo/pull/6514

 www-apps/kibana-bin/Manifest                |  3 ++
 www-apps/kibana-bin/kibana-bin-5.6.5.ebuild | 66 +++++++++++++++++++++++++++++
 www-apps/kibana-bin/kibana-bin-6.0.1.ebuild | 61 ++++++++++++++++++++++++++
 3 files changed, 130 insertions(+)}

Comment 4 Tomáš Mózes 2017-12-14 21:05:13 UTC

(In reply to Christopher Díaz Riveros from comment #1)
> @Maintainers please let us know when tree is clean.
> 
> Thank you

Tree clean.