[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200904-01.xml - gentoo-commits

From:	"Pierre-Yves Rofes (py)" <py@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200904-01.xml
Date:	Thu, 02 Apr 2009 20:48:43
Message-Id:	`E1LpTq5-0001Z6-8h@stork.gentoo.org`

1

py          09/04/02 20:48:41

2

3

  Added:                glsa-200904-01.xml

4

  Log:

5

  GLSA 200904-01

6

7

Revision  Changes    Path

8

1.1                  xml/htdocs/security/en/glsa/glsa-200904-01.xml

9

10

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200904-01.xml?rev=1.1&view=markup

11

plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200904-01.xml?rev=1.1&content-type=text/plain

12

13

Index: glsa-200904-01.xml

14

===================================================================

15

<?xml version="1.0" encoding="utf-8"?>

16

<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>

17

<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>

18

<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

19

20

<glsa id="200904-01">

21

  <title>Openfire: Multiple vulnerabilities</title>

22

  <synopsis>

23

    Multiple vulnerabilities were discovered in Openfire, the worst of which

24

    may allow remote execution of arbitrary code.

25

  </synopsis>

26

  <product type="ebuild">openfire</product>

27

  <announced>April 02, 2009</announced>

28

  <revised>April 02, 2009: 01</revised>

29

  <bug>246008</bug>

30

  <bug>254309</bug>

31

  <access>remote</access>

32

  <affected>

33

    <package name="net-im/openfire" auto="yes" arch="*">

34

      <unaffected range="ge">3.6.3</unaffected>

35

      <vulnerable range="lt">3.6.3</vulnerable>

36

    </package>

37

  </affected>

38

  <background>

39

<p>

40

    Ignite Realtime Openfire is a fast real-time collaboration server.

41

    </p>

42

  </background>

43

  <description>

44

<p>

45

    Two vulnerabilities have been reported by Federico Muttis, from CORE

46

    IMPACT's Exploit Writing Team:

47

    </p>

48

    <ul>

49

    <li>

50

    Multiple missing or incomplete input validations in several .jsps

51

    (CVE-2009-0496).

52

    </li>

53

    <li>

54

    Incorrect input validation of the "log" parameter in log.jsp

55

    (CVE-2009-0497).

56

    </li>

57

    </ul> <p>

58

    Multiple vulnerabilities have been reported by Andreas Kurtz:

59

    </p>

60

    <ul>

61

    <li>

62

    Erroneous built-in exceptions to input validation in login.jsp

63

    (CVE-2008-6508).

64

    </li>

65

    <li>

66

    Unsanitized user input to the "type" parameter in

67

    sipark-log-summary.jsp used in SQL statement. (CVE-2008-6509)

68

    </li>

69

    <li>

70

    A Cross-Site-Scripting vulnerability due to unsanitized input to the

71

    "url" parameter. (CVE-2008-6510, CVE-2008-6511)

72

    </li>

73

    </ul>

74

  </description>

75

  <impact type="normal">

76

<p>

77

    A remote attacker could execute arbitrary code on clients' systems by

78

    uploading a specially crafted plugin, bypassing authentication.

79

    Additionally, an attacker could read arbitrary files on the server or

80

    execute arbitrary SQL statements. Depending on the server's

81

    configuration the attacker might also execute code on the server via an

82

    SQL injection.

83

    </p>

84

  </impact>

85

  <workaround>

86

<p>

87

    There is no known workaround at this time.

88

    </p>

89

  </workaround>

90

  <resolution>

91

<p>

92

    All Openfire users should upgrade to the latest version:

93

    </p>

94

    <code>

95

    # emerge --sync

96

    # emerge --ask --oneshot --verbose &quot;&gt;=net-im/openfire-3.6.3&quot;</code>

97

  </resolution>

98

  <references>

99

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6508">CVE-2008-6508</uri>

100

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6509">CVE-2008-6509</uri>

101

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6510">CVE-2008-6510</uri>

102

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6511">CVE-2008-6511</uri>

103

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0496">CVE-2009-0496</uri>

104

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0497">CVE-2009-0497</uri>

105

  </references>

106

  <metadata tag="submitter" timestamp="Sat, 21 Mar 2009 10:46:26 +0000">

107

    mabi

108

  </metadata>

109

  <metadata tag="bugReady" timestamp="Sat, 21 Mar 2009 11:36:24 +0000">

110

p-y

111

  </metadata>

112

</glsa>

1	py 09/04/02 20:48:41
2
3	Added: glsa-200904-01.xml
4	Log:
5	GLSA 200904-01
6
7	Revision Changes Path
8	1.1 xml/htdocs/security/en/glsa/glsa-200904-01.xml
9
10	file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200904-01.xml?rev=1.1&view=markup
11	plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200904-01.xml?rev=1.1&content-type=text/plain
12
13	Index: glsa-200904-01.xml
14	===================================================================
15	<?xml version="1.0" encoding="utf-8"?>
16	<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
17	<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
18	<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
19
20	<glsa id="200904-01">
21	<title>Openfire: Multiple vulnerabilities</title>
22	<synopsis>
23	Multiple vulnerabilities were discovered in Openfire, the worst of which
24	may allow remote execution of arbitrary code.
25	</synopsis>
26	<product type="ebuild">openfire</product>
27	<announced>April 02, 2009</announced>
28	<revised>April 02, 2009: 01</revised>
29	<bug>246008</bug>
30	<bug>254309</bug>
31	<access>remote</access>
32	<affected>
33	<package name="net-im/openfire" auto="yes" arch="*">
34	<unaffected range="ge">3.6.3</unaffected>
35	<vulnerable range="lt">3.6.3</vulnerable>
36	</package>
37	</affected>
38	<background>
39	<p>
40	Ignite Realtime Openfire is a fast real-time collaboration server.
41	</p>
42	</background>
43	<description>
44	<p>
45	Two vulnerabilities have been reported by Federico Muttis, from CORE
46	IMPACT's Exploit Writing Team:
47	</p>
48	<ul>
49	<li>
50	Multiple missing or incomplete input validations in several .jsps
51	(CVE-2009-0496).
52	</li>
53	<li>
54	Incorrect input validation of the "log" parameter in log.jsp
55	(CVE-2009-0497).
56	</li>
57	</ul> <p>
58	Multiple vulnerabilities have been reported by Andreas Kurtz:
59	</p>
60	<ul>
61	<li>
62	Erroneous built-in exceptions to input validation in login.jsp
63	(CVE-2008-6508).
64	</li>
65	<li>
66	Unsanitized user input to the "type" parameter in
67	sipark-log-summary.jsp used in SQL statement. (CVE-2008-6509)
68	</li>
69	<li>
70	A Cross-Site-Scripting vulnerability due to unsanitized input to the
71	"url" parameter. (CVE-2008-6510, CVE-2008-6511)
72	</li>
73	</ul>
74	</description>
75	<impact type="normal">
76	<p>
77	A remote attacker could execute arbitrary code on clients' systems by
78	uploading a specially crafted plugin, bypassing authentication.
79	Additionally, an attacker could read arbitrary files on the server or
80	execute arbitrary SQL statements. Depending on the server's
81	configuration the attacker might also execute code on the server via an
82	SQL injection.
83	</p>
84	</impact>
85	<workaround>
86	<p>
87	There is no known workaround at this time.
88	</p>
89	</workaround>
90	<resolution>
91	<p>
92	All Openfire users should upgrade to the latest version:
93	</p>
94	<code>
95	# emerge --sync
96	# emerge --ask --oneshot --verbose ">=net-im/openfire-3.6.3"</code>
97	</resolution>
98	<references>
99	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6508">CVE-2008-6508</uri>
100	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6509">CVE-2008-6509</uri>
101	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6510">CVE-2008-6510</uri>
102	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6511">CVE-2008-6511</uri>
103	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0496">CVE-2009-0496</uri>
104	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0497">CVE-2009-0497</uri>
105	</references>
106	<metadata tag="submitter" timestamp="Sat, 21 Mar 2009 10:46:26 +0000">
107	mabi
108	</metadata>
109	<metadata tag="bugReady" timestamp="Sat, 21 Mar 2009 11:36:24 +0000">
110	p-y
111	</metadata>
112	</glsa>

Gentoo Archives: gentoo-commits