U radu programskog paketa glpi uočen je sigurnosni nedostatak koji udaljenom napadaču omogućuje otkrivanje osjetljivih informacija.
Paket:
glpi 1.x
Operacijski sustavi:
Mandriva Linux Enterprise Server 5.0
Kritičnost:
4.4
Problem:
pogreška u programskoj komponenti
Iskorištavanje:
udaljeno
Posljedica:
otkrivanje osjetljivih informacija
Rješenje:
programska zakrpa proizvođača
CVE:
CVE-2011-2720
Izvorni ID preporuke:
MDVSA-2012:014
Izvor:
Mandriva
Problem:
Nedostatak je posljedica nepravilnosti u radu "autocompletion" funkcionalnosti zbog neodgovarajućeg rukovanja podacima o korisničkim imenima i lozinkama.
Posljedica:
Napadač ga može iskoristiti za otkrivanje osjetljivih informacija putem posebno oblikovanog POST zahtjeva.
Rješenje:
Svim se korisnicima navedenog programskog paketa, u svrhu zaštite sigurnosti, savjetuje njegova nadogradnja na novije inačice.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2012:014
http://www.mandriva.com/security/
_______________________________________________________________________
Package : glpi
Date : February 6, 2012
Affected: Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in GLPI:
The autocompletion functionality in GLPI before 0.80.2 does not
blacklist certain username and password fields, which allows remote
attackers to obtain sensitive information via a crafted POST request
(CVE-2011-2720).
This advisory provides the latest version of GLPI (0.80.6) which are
not vulnerable to this issue. Additionally the latest versions of
the corresponding plugins are also being provided.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2720
_______________________________________________________________________
Updated Packages:
Mandriva Enterprise Server 5:
c7f395789eb64eb9e0ffc4342a99ed55
mes5/i586/glpi-0.80.6-0.1mdvmes5.2.noarch.rpm
078100b3f360e6582e87298a81145f1a
mes5/i586/glpi-plugin-archires-1.9.1-0.1mdvmes5.2.noarch.rpm
53890496416d72fdd51b2057ae1a1f3c
mes5/i586/glpi-plugin-datainjection-2.1.2-0.1mdvmes5.2.noarch.rpm
a708034532f947e7a63af7c2c621d0ce
mes5/i586/glpi-plugin-fusioninventory-2.4.0-0.1mdvmes5.2.noarch.rpm
fd71716b4725f241bd4f0e84a8758202
mes5/i586/glpi-plugin-fusioninventory-deploy-2.4.0-0.1mdvmes5.2.noarch.rpm
00c3905d1ebe05f496302681371b5caa
mes5/i586/glpi-plugin-fusioninventory-inventory-2.4.0-0.1mdvmes5.2.noarch.rpm
4e34bd20f1e30ef96ea5dfcf0a8fe7cb
mes5/i586/glpi-plugin-fusioninventory-snmp-2.4.0-0.1mdvmes5.2.noarch.rpm
cd03c2b5099971e730f17dc9d882a564
mes5/i586/glpi-plugin-genericobject-2.0.1-0.1mdvmes5.2.noarch.rpm
8964b51517e131d3f07a0ee4bc38ef22
mes5/i586/glpi-plugin-manufacturersimports-1.4.1-0.1mdvmes5.2.noarch.rpm
b3c462fef41e1878b41f7355a84d59e4
mes5/i586/glpi-plugin-massocsimport-1.5.2-0.1mdvmes5.2.noarch.rpm
2301fd4253cfdfc61422f2defabe6cb6
mes5/i586/glpi-plugin-racks-1.2.0-0.1mdvmes5.2.noarch.rpm
f0f0842991e24b58c0e348dbd836d767
mes5/i586/glpi-plugin-reports-1.5.0-0.1mdvmes5.2.noarch.rpm
7288cd69af6d5848a373b2628c69bc66
mes5/i586/glpi-plugin-webservices-1.2.0-0.1mdvmes5.2.noarch.rpm
955fbca4fe60125b3e19bac2fb333376
mes5/i586/perl-Parallel-ForkManager-0.7.9-0.1mdvmes5.2.noarch.rpm
1d11c45cea71dd7730eee4439f48ef05 mes5/SRPMS/glpi-0.80.6-0.1mdvmes5.2.src.rpm
87c1748b9a0391655babc46ff5b85405
mes5/SRPMS/glpi-plugin-archires-1.9.1-0.1mdvmes5.2.src.rpm
af029f6e1c9397d9e48c8f5bbe4169c3
mes5/SRPMS/glpi-plugin-datainjection-2.1.2-0.1mdvmes5.2.src.rpm
0776abf6bf577c5250898152c306b6e6
mes5/SRPMS/glpi-plugin-fusioninventory-2.4.0-0.1mdvmes5.2.src.rpm
332327381f568a1874959649c4c90d10
mes5/SRPMS/glpi-plugin-genericobject-2.0.1-0.1mdvmes5.2.src.rpm
23fe81b495620dd3b585c379159a4356
mes5/SRPMS/glpi-plugin-manufacturersimports-1.4.1-0.1mdvmes5.2.src.rpm
f278b793d1da40e30d5ca6b48dd10d57
mes5/SRPMS/glpi-plugin-massocsimport-1.5.2-0.1mdvmes5.2.src.rpm
d1ae9d8e59075559ff9bf258585142de
mes5/SRPMS/glpi-plugin-racks-1.2.0-0.1mdvmes5.2.src.rpm
afb9113a0043b01cd6ae20aee54836d0
mes5/SRPMS/glpi-plugin-reports-1.5.0-0.1mdvmes5.2.src.rpm
4cb6f5e63f60eb123e9c934f26361b13
mes5/SRPMS/glpi-plugin-webservices-1.2.0-0.1mdvmes5.2.src.rpm
fadf8996860cde48a9b22aa3d20173eb
mes5/SRPMS/perl-Parallel-ForkManager-0.7.9-0.1mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
e29fd9e505428488ebdc44bbd9a8ef85
mes5/x86_64/glpi-0.80.6-0.1mdvmes5.2.noarch.rpm
736f66685b8abf7bd50d991467641c4f
mes5/x86_64/glpi-plugin-archires-1.9.1-0.1mdvmes5.2.noarch.rpm
6b729ce24cf97bdedc4592222899df51
mes5/x86_64/glpi-plugin-datainjection-2.1.2-0.1mdvmes5.2.noarch.rpm
b38dff9e035640be7e391fff3b353bfd
mes5/x86_64/glpi-plugin-fusioninventory-2.4.0-0.1mdvmes5.2.noarch.rpm
7b27d4ece0c54032c55602a1688ecbd7
mes5/x86_64/glpi-plugin-fusioninventory-deploy-2.4.0-0.1mdvmes5.2.noarch.rpm
b153b807be6f6e1ed585e656ccb0fa20
mes5/x86_64/glpi-plugin-fusioninventory-inventory-2.4.0-0.1mdvmes5.2.noarch.rpm
b75527a8b2bbc79bb7f441465f3962e2
mes5/x86_64/glpi-plugin-fusioninventory-snmp-2.4.0-0.1mdvmes5.2.noarch.rpm
7a1758ad413b72d537bf623697751ceb
mes5/x86_64/glpi-plugin-genericobject-2.0.1-0.1mdvmes5.2.noarch.rpm
bbc1b138b488a08f4d67fb077808892e
mes5/x86_64/glpi-plugin-manufacturersimports-1.4.1-0.1mdvmes5.2.noarch.rpm
892a7f48b8e809a8746b564f85b13a92
mes5/x86_64/glpi-plugin-massocsimport-1.5.2-0.1mdvmes5.2.noarch.rpm
6cad8a2f9f8c17135f996317d5e23845
mes5/x86_64/glpi-plugin-racks-1.2.0-0.1mdvmes5.2.noarch.rpm
95c066f7b2f13b06332da9807ebdeef5
mes5/x86_64/glpi-plugin-reports-1.5.0-0.1mdvmes5.2.noarch.rpm
4d19a6dda012a3c7599e133b93728d80
mes5/x86_64/glpi-plugin-webservices-1.2.0-0.1mdvmes5.2.noarch.rpm
d786be82c4669422ab2b67e6cdbe6fe7
mes5/x86_64/perl-Parallel-ForkManager-0.7.9-0.1mdvmes5.2.noarch.rpm
1d11c45cea71dd7730eee4439f48ef05 mes5/SRPMS/glpi-0.80.6-0.1mdvmes5.2.src.rpm
87c1748b9a0391655babc46ff5b85405
mes5/SRPMS/glpi-plugin-archires-1.9.1-0.1mdvmes5.2.src.rpm
af029f6e1c9397d9e48c8f5bbe4169c3
mes5/SRPMS/glpi-plugin-datainjection-2.1.2-0.1mdvmes5.2.src.rpm
0776abf6bf577c5250898152c306b6e6
mes5/SRPMS/glpi-plugin-fusioninventory-2.4.0-0.1mdvmes5.2.src.rpm
332327381f568a1874959649c4c90d10
mes5/SRPMS/glpi-plugin-genericobject-2.0.1-0.1mdvmes5.2.src.rpm
23fe81b495620dd3b585c379159a4356
mes5/SRPMS/glpi-plugin-manufacturersimports-1.4.1-0.1mdvmes5.2.src.rpm
f278b793d1da40e30d5ca6b48dd10d57
mes5/SRPMS/glpi-plugin-massocsimport-1.5.2-0.1mdvmes5.2.src.rpm
d1ae9d8e59075559ff9bf258585142de
mes5/SRPMS/glpi-plugin-racks-1.2.0-0.1mdvmes5.2.src.rpm
afb9113a0043b01cd6ae20aee54836d0
mes5/SRPMS/glpi-plugin-reports-1.5.0-0.1mdvmes5.2.src.rpm
4cb6f5e63f60eb123e9c934f26361b13
mes5/SRPMS/glpi-plugin-webservices-1.2.0-0.1mdvmes5.2.src.rpm
fadf8996860cde48a9b22aa3d20173eb
mes5/SRPMS/perl-Parallel-ForkManager-0.7.9-0.1mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFPL/hKmqjQ0CJFipgRAmPqAJ9z3UK7UzfWJy5qax1St6uY3ZAM/ACg6v7T
3Z9myGeq0S6DAqIk3ctP1Cs=
=TLKh
-----END PGP SIGNATURE-----
Posljednje sigurnosne preporuke