
Bug 203085

Summary: sys-cluster/ganglia < 3.0.6 Multiple cross-site scripting issues (CVE-2007-6465)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: hp-cluster
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://sourceforge.net/project/shownotes.php?release_id=562168
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 172206    
Bug Blocks:    

Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 21:34:23 UTC
CVE-2007-6465 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6465):
  Multiple cross-site scripting (XSS) vulnerabilities in ganglia-web in Ganglia
  before 3.0.6 allow remote attackers to inject arbitrary web script or HTML
  via the (1) c and (2) h parameters to (a) web/host_gmetrics.php; the (3) G,
  (4) me, (5) x, (6) n, (7) v, (8) l, (9) vl, and (10) st parameters to (b)
  web/graph.php; and the (11) c, (12) G, (13) h, (14) r, (15) m, (16) s, (17)
  cr, (18) hc, (19) sh, (20) p, (21) t, (22) jr, (23) js, (24) gw, (25) z, and
  (26) gs parameters to (c) web/get_context.php.  NOTE: some of these details
  are obtained from third party information.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 21:36:54 UTC
HP-Cluster herd, please advise.

Bug 172206 contains updated ebuilds.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-01-05 00:18:56 UTC
ping.
Comment 3 Justin Bronder (RETIRED) gentoo-dev 2008-01-05 01:36:34 UTC
ganglia-3.0.6 added to cvs.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-01-05 02:14:10 UTC
Thanks a lot.

Arches, please test and mark stable sys-cluster/ganglia-3.0.6.
Target keywords : "x86"
Comment 5 Markus Meier gentoo-dev 2008-01-05 11:34:48 UTC
x86 stable, last arch.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-01-05 12:59:16 UTC
It's a vote.

NO for me.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-01-05 18:12:54 UTC
Voting NO and closing.