Summary: | net-im/openfire <= 3.6.0a multiple vulnerabilities (CVE-2008-{6508,6509,6510,6511}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | stupendoussteve
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | major | CC: | jokey, net-im, swapon
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://www.andreas-kurtz.de/advisories/AKADV2008-001-v1.0.txt | |
Whiteboard: | B1 [glsa] | |
Package list: | | Runtime testing required: | ---
Description
stupendoussteve
2008-11-07 21:28:18 UTC
Thanks. Advisory says that there is no information about a patch and upstream has apparently been unresponsive. Homepage has no information either... Might be a candidate for at least temporary masking?

A ticket regarding this issue was opened on Jive's ticketing system[1], but still no replies from upstream.

[1] http://www.igniterealtime.org/issues/browse/JM-1489

3.6.1 added to CVS. Arches, please test and mark stable.

Package '=net-im/openfire-3.6.1'
Target keywords = amd64 x86

amd64/x86 stable, all arches done.

Sorry, no GLSA has been filed yet.

Sorry for the delay, request filed.

CVE-2008-6508 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6508): Directory traversal vulnerability in the AuthCheck filter in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to bypass authentication and access the admin interface via a .. (dot dot) in a URI that matches the Exclude-Strings list, as demonstrated by a /setup/setup-/.. sequence in a URI.

CVE-2008-6509 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6509): SQL injection vulnerability in CallLogDAO in SIP Plugin in Openfire 3.6.0a and earlier allows remote attackers to execute arbitrary SQL commands via the type parameter to sipark-log-summary.jsp.

CVE-2008-6510 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6510): Cross-site scripting (XSS) vulnerability in login.jsp in the Admin Console in Openfire 3.6.0a and earlier allows remote attackers to inject arbitrary web script or HTML via the url parameter.

CVE-2008-6511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6511): Open redirect vulnerability in login.jsp in Openfire 3.6.0a and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter.

GLSA 200904-01, sorry for the delay.