
Bug 555850

Summary: <www-apps/joomla-3.4.3: Multiple vulnerabilities (CVE-2015-5397)
Product: Gentoo Security
Reporter: Dainius Masiliūnas <pastas4>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: harold
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~2 [noglsa cve]
Package list:
Runtime testing required: ---

Description Dainius Masiliūnas 2015-07-25 09:08:36 UTC
The current Joomla version in portage is 3.4.1, which is affected by multiple vulnerabilities:

[20150601] - Core - Open Redirect:
Inadequate checking of the return value allowed redirecting to an external page.
http://developer.joomla.org/security-centre/617-20150601-core-open-redirect.html

[20150602] - Core - CSRF Protection
Lack of CSRF checks potentially enabled uploading malicious code.
http://developer.joomla.org/security-centre/618-20150602-core-remote-code-execution.html
CVE-2015-5397 ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5397 )

At the moment of writing, the current Joomla release is 3.4.3, so a version bump would solve this.

Reproducible: Always
Comment 1 Dainius Masiliūnas 2015-07-31 22:13:13 UTC
Should I also create a version bump request?
Comment 2 Harold Anderson 2015-07-31 22:29:05 UTC
You don't have to submit a version bump. I will fix it, but it might take a bit of time.
Comment 3 Harold Anderson 2015-08-09 14:58:54 UTC
I have added joomla-3.4.3 to my overlay (hnaparst) and will ask to have it added to portage.
Comment 4 Yixun Lan archtester gentoo-dev 2015-08-12 01:29:51 UTC
Dropped vulnerable version 3.4.1 and bumped to 3.4.3
(proxy for Harold Naparst)

@security team, please proceed
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2015-09-13 14:20:26 UTC
Maintainer(s), thank you for your work.

Closing noglsa.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-09-13 14:22:05 UTC
CVE-2015-5397 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5397):
  Cross-site request forgery (CSRF) vulnerability in Joomla! 3.2.0 through
  3.3.x and 3.4.x before 3.4.2 allows remote attackers to hijack the
  authentication of unspecified victims for requests that upload code via
  unknown vectors.