Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 603604 (CVE-2015-6972, CVE-2015-6973, CVE-2015-7707) - <net-im/openfire-4.1.0: Multiple vulnerabilities
Summary: <net-im/openfire-4.1.0: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2015-6972, CVE-2015-6973, CVE-2015-7707
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://download.igniterealtime.org/op...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-23 18:38 UTC by Thomas Deutschmann (RETIRED)
Modified: 2016-12-31 06:28 UTC (History)
1 user (show)

See Also:
Package list:
=net-im/openfire-4.1.0
Runtime testing required: ---
kensington: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-23 18:38:06 UTC
OpenFire v4.1.0 change log from $URL lists the following vulnerabilities:


[OF-941] - CVE-2015-7707 Admin Console Privilege Escalation Vulnerability

Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp.


[OF-942] - CVE-2015-6972 CVE-2015-6973 Admin Console Security Improvements

Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote attackers to inject arbitrary web script or HTML via the (1) groupchatName parameter to plugins/clientcontrol/create-bookmark.jsp; the (2) urlName parameter to plugins/clientcontrol/create-bookmark.jsp; the (3) hostname parameter to server-session-details.jsp; or the (4) search parameter to group-summary.jsp.

Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite Realtime Openfire 3.10.2 allow remote a
ttackers to hijack the authentication of administrators for requests that (1) change a password via a crafted request to
 user-password.jsp, (2) add users via a crafted request to user-create.jsp, (3) edit server settings or (4) disable SSL
on the server via a crafted request to server-props.jsp, or (5) add clients via a crafted request to plugins/clientcontr
ol/permitted-clients.jsp.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-23 18:40:09 UTC
@ Maintainer(s): Can we stabilize =net-im/openfire-4.1.0?
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2016-12-23 21:20:37 UTC
Yes, it's ok to stabilise =net-im/openfire-4.1.0
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-23 21:23:02 UTC
@ Arches,

please test and mark stable: =net-im/openfire-4.1.0
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-12-24 09:21:21 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-12-29 11:00:21 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2016-12-30 10:28:16 UTC
Removed old versions as: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ab21af1ea2b469a2de10938bb996d21b209a262
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-31 00:16:32 UTC
New GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-12-31 06:28:40 UTC
This issue was resolved and addressed in
 GLSA 201612-50 at https://security.gentoo.org/glsa/201612-50
by GLSA coordinator Aaron Bauman (b-man).