Bug 640532 (CVE-2017-11481, CVE-2017-11482)

Summary: <www-apps/kibana-bin-{5.6.5,6.0.1}: Multiple vulnerabilities
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: hydrapolic, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~4 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-12-10 16:10:26 UTC
CVE-2017-11482 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11482):
  The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack
  installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect
  vulnerability on the login page that would enable an attacker to craft a
  link that redirects to an arbitrary website.

CVE-2017-11481 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-11481):
  Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS)
  vulnerability via URL fields that could allow an attacker to obtain
  sensitive information from or perform destructive actions on behalf of other
  Kibana users.
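The two bug classes named in the description, an open redirect on a login page through a user-controlled return location and script execution through a URL-typed field that gets rendered as a link, as an added example of the checks that close them. This is illustrative code written for this bug page, not Kibana's or X-Pack's own fix; the function names, the APP_ORIGIN value and the existence of a "next" parameter on the login handler are assumptions. It relies on Node's WHATWG URL parser so that the host-confusion spellings (`//evil`, `\\evil`, a userinfo prefix, leading whitespace before `javascript:`) are normalised before an origin or scheme is compared.

```javascript
// Added illustration for this bug, not Kibana/X-Pack code. The names
// APP_ORIGIN, safeRedirectTarget, safeLinkHref and renderLink are assumptions.
// Node's global WHATWG URL parser is used so host-confusion spellings are
// normalised before any origin or scheme comparison.

const APP_ORIGIN = "https://kibana.example.internal"; // assumed deployment origin

// CVE-2017-11482 class: open redirect on a login page.
// A login handler commonly sends the user to a "next" location after
// authentication. Resolving that value against our own origin turns
// "//evil.example", "\\evil.example", "javascript:..." and
// "https://kibana.example.internal@evil.example" into a foreign or null
// origin, which is rejected. Only a location on APP_ORIGIN survives, and it is
// returned as a normalised origin-relative path so the raw input is never echoed.
function safeRedirectTarget(next, fallback = "/") {
  if (typeof next !== "string" || next.length === 0) return fallback;
  let parsed;
  try {
    parsed = new URL(next, APP_ORIGIN);
  } catch {
    return fallback; // unparsable input: send the user to the default page
  }
  if (parsed.origin !== APP_ORIGIN) return fallback; // scheme, host or port differ
  return parsed.pathname + parsed.search + parsed.hash;
}

// CVE-2017-11481 class: XSS through a URL-typed field rendered as a link.
// Whoever can index a document controls the field value; if it lands in href
// unchecked, "javascript:alert(1)" (or "JaVaScRiPt:", or the scheme behind
// leading tabs/spaces, which the parser strips) runs in every viewer's
// session. Only absolute http(s) URLs are allowed through.
function safeLinkHref(value) {
  if (typeof value !== "string") return null;
  let parsed;
  try {
    parsed = new URL(value); // no base: relative values are rejected here
  } catch {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return parsed.href;
}

// Escaping so a permitted URL or label cannot break out of the quoted
// attribute or inject markup when interpolated into HTML.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render a URL field: a link only when the value passed safeLinkHref,
// otherwise inert text so the document still displays but nothing executes.
function renderLink(value, text) {
  const href = safeLinkHref(value);
  const label = escapeHtml(text);
  if (href === null) return `<span>${label}</span>`;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>`;
}

// Constructed sample inputs (not real Kibana data) exercising both checks.
function demo() {
  const redirects = ["/app/kibana?x=1", "//evil.example/", "\\\\evil.example",
                     "https://kibana.example.internal/app/x", "javascript:alert(1)"];
  for (const next of redirects) {
    console.log("redirect", JSON.stringify(next), "->", safeRedirectTarget(next));
  }
  const fields = ["https://example.org/p?q=1", "javascript:alert(1)",
                  "\tJaVaScRiPt:alert(1)", "data:text/html,hi", "/relative"];
  for (const v of fields) {
    console.log("link", JSON.stringify(v), "->", renderLink(v, "click"));
  }
}
demo();
```

The redirect check compares the full origin, so a scheme downgrade to plain http on the same host is also refused; if a deployment legitimately serves both, compare host and port explicitly rather than loosening the check to a string-prefix test, which is the kind of shortcut that typically leaves these "incomplete fix" follow-ups.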
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-12-10 16:11:17 UTC
@Maintainers please let us know when tree is clean.

Thank you
Comment 2 Tomáš Mózes 2017-12-11 06:10:25 UTC
https://github.com/gentoo/gentoo/pull/6514
Comment 3 Larry the Git Cow gentoo-dev 2017-12-14 18:25:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=745ad968f00a49b584a025bce88b95e2d89a4d8d

commit 745ad968f00a49b584a025bce88b95e2d89a4d8d
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2017-12-14 14:18:53 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-12-14 18:24:52 +0000

    www-apps/kibana-bin: drop old vulnerable.
    
    Bug: https://bugs.gentoo.org/640532
    Package-Manager: Portage-2.3.18, Repoman-2.3.6

 www-apps/kibana-bin/Manifest                |  5 ---
 www-apps/kibana-bin/kibana-bin-5.5.2.ebuild | 66 -----------------------------
 www-apps/kibana-bin/kibana-bin-5.6.4.ebuild | 66 -----------------------------
 www-apps/kibana-bin/kibana-bin-6.0.0.ebuild | 61 --------------------------
 4 files changed, 198 deletions(-)
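Review bot: the three ebuilds removed here (5.5.2, 5.6.4, 6.0.0) are exactly the versions below the fixed 5.6.5 and 6.0.1 named in the description, and the CommitDate places this removal two seconds after the 5.6.5/6.0.1 bump, so there was no window with no kibana-bin in the tree; since the message only says "drop old vulnerable", naming the two CVE identifiers from the bug title in the commit message would make the security motivation visible from the git log without following the Bug: link.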

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71f119b80cf06485afcb802689f48ae24dc39642

commit 71f119b80cf06485afcb802689f48ae24dc39642
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2017-12-14 14:18:04 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-12-14 18:24:50 +0000

    www-apps/kibana-bin: version bump to 5.6.5/6.0.1.
    
    Bug: https://bugs.gentoo.org/640532
    Package-Manager: Portage-2.3.18, Repoman-2.3.6
    Closes: https://github.com/gentoo/gentoo/pull/6514

 www-apps/kibana-bin/Manifest                |  3 ++
 www-apps/kibana-bin/kibana-bin-5.6.5.ebuild | 66 +++++++++++++++++++++++++++++
 www-apps/kibana-bin/kibana-bin-6.0.1.ebuild | 61 ++++++++++++++++++++++++++
 3 files changed, 130 insertions(+)
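Review bot: the Manifest grows by 3 lines for two new ebuilds here while the companion removal commit drops 5 Manifest lines for three ebuilds, so at least one of the old versions carried more than one DIST entry; worth confirming that the 5.6.5 and 6.0.1 ebuilds fetch every architecture tarball the dropped 5.6.4 and 6.0.0 ebuilds did, otherwise users on that architecture lose the package rather than receive the fix.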
Comment 4 Tomáš Mózes 2017-12-14 21:05:13 UTC
(In reply to Christopher Díaz Riveros from comment #1)
> @Maintainers please let us know when tree is clean.
> 
> Thank you

Tree clean.