CVE-2019-12385 (https://nvd.nist.gov/vuln/detail/CVE-2019-12385): An issue was discovered in Ampache through 3.9.1. The search engine is affected by a SQL Injection, so any user able to perform lib/class/search.class.php searches (even guest users) can dump any data contained in the database (sessions, hashed passwords, etc.). This may lead to a full compromise of admin accounts, when combined with the weak password generator algorithm used in the lostpassword functionality.

CVE-2019-12386 (https://nvd.nist.gov/vuln/detail/CVE-2019-12386): An issue was discovered in Ampache through 3.9.1. A stored XSS exists in the localplay.php LocalPlay "add instance" functionality. The injected code is reflected in the instances menu. This vulnerability can be abused to force an admin to create a new privileged user whose credentials are known by the attacker.
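The two bug classes named in the report (a search that splices user input into SQL, and an instance name echoed into an HTML menu without escaping) shown side by side with their hardened forms, as an added Python example. This is constructed code, not Ampache's: the catalog table, its rows and the function names are assumptions made for the demonstration, and sqlite3 stands in for the application's database.

```python
import html
import sqlite3

# Constructed sample rows, not Ampache's schema: a couple of public records
# plus the kind of data the report says an injection could expose.
ROWS = [
    ("song", "Blue Train", "public"),
    ("song", "Giant Steps", "public"),
    ("session", "constructed-session-token", "secret"),
    ("password_hash", "$2y$10$constructed-hash", "secret"),
]


def make_db():
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE catalog (kind TEXT, value TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO catalog VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn, term):
    """Search by string concatenation: the term becomes part of the SQL grammar,
    so a crafted term can rewrite the WHERE clause and widen the result set."""
    sql = (
        "SELECT kind, value FROM catalog WHERE visibility = 'public' "
        "AND value LIKE '%" + term + "%'"
    )
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Same query with a bound parameter: the term is always data, never SQL,
    whatever characters it contains."""
    sql = (
        "SELECT kind, value FROM catalog WHERE visibility = 'public' "
        "AND value LIKE ?"
    )
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def render_instance_name(name):
    """Escape a user-supplied name before placing it in HTML text or an
    attribute, so stored markup is displayed rather than interpreted."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    print("normal:", search_safe(db, "Blue"))
    print("vulnerable, crafted term:", search_vulnerable(db, "x' OR 1=1 --"))
    print("safe, crafted term:", search_safe(db, "x' OR 1=1 --"))
    print("escaped name:", render_instance_name('"><b>bold</b>'))
```

With an ordinary term both searches return the same public row; with a term that closes the string literal and comments out the rest, the concatenated query's visibility filter is bypassed and every row comes back, while the parameterized query simply finds no value containing that literal string. The escaping helper is the output-side counterpart: storing a name is fine, rendering it unescaped into a menu is the bug.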
@maintainer(s): please create an appropriate ebuild, and call for stabilization when ready.
@maintainer(s): ping
ping
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ef446edb1a0c915f8b7007be0ae51ffe3e6398f

commit 0ef446edb1a0c915f8b7007be0ae51ffe3e6398f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-08-30 03:26:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-08-30 03:26:59 +0000

    profiles/package.mask: last-rite www-apps/ampache

    Bug: https://bugs.gentoo.org/645886
    Bug: https://bugs.gentoo.org/655558
    Bug: https://bugs.gentoo.org/699834
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
The bug where this is referenced (https://github.com/ampache/ampache/issues/1872) is marked as fixed, isn't it?
(In reply to Bearcat M. Sandor from comment #5)
> The bug where this is referenced
> (https://github.com/ampache/ampache/issues/1872) is marked as fixed, isn't
> it?

Somebody needs to take care of this package in Gentoo though.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82d2c7a010372b49b3d22bd673c5c20b24705efd

commit 82d2c7a010372b49b3d22bd673c5c20b24705efd
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-10-01 15:07:14 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-10-01 15:12:52 +0000

    www-apps/ampache: Remove last-rited pkg

    Closes: https://bugs.gentoo.org/699834
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask                    |  5 ----
 www-apps/ampache/Manifest                |  2 --
 www-apps/ampache/ampache-3.8.3-r1.ebuild | 51 --------------------------------
 www-apps/ampache/ampache-3.8.8-r1.ebuild | 51 --------------------------------
 www-apps/ampache/files/installdoc.txt    |  6 ----
 www-apps/ampache/metadata.xml            | 11 -------
 6 files changed, 126 deletions(-)
Sorry, my bad.
commit 82d2c7a010372b49b3d22bd673c5c20b24705efd
Author: Michał Górny <mgorny@gentoo.org>
Date:   Thu Oct 1 17:07:14 2020 +0200

    www-apps/ampache: Remove last-rited pkg