Your message dated Thu, 27 Dec 2018 20:42:29 +0000
with message-id <[email protected]>
and subject line Bug#905396: fixed in ocsinventory-server 2.5+dfsg-1
has caused the Debian Bug report #905396,
regarding ocsinventory-server: CVE-2018-12482 CVE-2018-12483 CVE-2018-14473
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
905396: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905396
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ocsinventory-server
Version: 2.4.1+dfsg-2
Severity: important
Tags: security upstream
Hi,
The following vulnerabilities were published for ocsinventory-server.
CVE-2018-12482[0]:
| OCS Inventory 2.4.1 contains multiple SQL injections in the search
| engine. Authentication is needed in order to exploit the issues.
CVE-2018-12483[1]:
| OCS Inventory 2.4.1 is prone to a remote command-execution
| vulnerability. Specifically, this issue occurs because the content of
| the ipdiscover_analyser rzo GET parameter is concatenated to a string
| used in an exec() call in the PHP code. Authentication is needed in
| order to exploit this vulnerability.
CVE-2018-14473[2]:
| OCS Inventory 2.4.1 lacks a proper XML parsing configuration, allowing
| the use of external entities. This issue can be exploited by an
| attacker sending a crafted HTTP request in order to exfiltrate
| information or cause a Denial of Service.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-12482
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12482
[1] https://security-tracker.debian.org/tracker/CVE-2018-12483
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12483
[2] https://security-tracker.debian.org/tracker/CVE-2018-14473
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14473
[3] https://www.tarlogic.com/en/blog/vulnerabilities-in-ocs-inventory-2-4-1/
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: ocsinventory-server
Source-Version: 2.5+dfsg-1
We believe that the bug you reported is fixed in the latest version of
ocsinventory-server, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated ocsinventory-server
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 27 Dec 2018 20:53:23 +0100
Source: ocsinventory-server
Binary: ocsinventory-server ocsinventory-reports
Architecture: source
Version: 2.5+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 898686 905396 906668
Description:
ocsinventory-reports - Hardware and software inventory tool (Administration
Console)
ocsinventory-server - Hardware and software inventory tool (Communication
Server)
Changes:
ocsinventory-server (2.5+dfsg-1) unstable; urgency=medium
.
* Import upstream version 2.5, closes: CVE-2018-12482, CVE-2018-12483,
CVE-2018-14473, (CLoses: #905396, #906668, #898686)
* Add dataTables.conditionalPaging.js copyright
* Update patches offsets
* Add PHPMailer license (library kept until libphp-phpmailer will be
updated)
* Delete README and other files in /usr/share/!doc
* Fix PHP cron file permission and add php-cli in dependencies
* Move binutils/ doc files into .docs (and remove them in binutils)
* Declare compliance with policy 4.2.1
* Add patch to fix a privacy breach in mails (will be included in next
release)
* Add debian/tests/pkg-perl/SKIP for runtime-deps-and-recommends
* Email change: Xavier Guimard -> [email protected]
* Bump debhelper compatibility level to 11
* Declare compliance with policy 4.3.0
* Ignore lintian warnings for Select2 translations
Checksums-Sha1:
691c88fdfb2b840a3cdd35814f5a51c8d731e43c 2215
ocsinventory-server_2.5+dfsg-1.dsc
c8d67eafe51ee1788584b7c4029ea716607d236b 1152604
ocsinventory-server_2.5+dfsg.orig.tar.xz
4a42c23b3308bca417c08c8a61fc0ae583fab15c 19400
ocsinventory-server_2.5+dfsg-1.debian.tar.xz
Checksums-Sha256:
ba6b07781c5043c6cd42d3e521e5acfcab1b83ce960c74f8668b9d9e92c143da 2215
ocsinventory-server_2.5+dfsg-1.dsc
85a2e1e529aa5bccfbd9af57b9952a517b5f8538df703b7d36604c11f4307705 1152604
ocsinventory-server_2.5+dfsg.orig.tar.xz
4e23ac4da6c432033dfb070cd10e4068e4fef22c93e042d1bf6afb693224eaac 19400
ocsinventory-server_2.5+dfsg-1.debian.tar.xz
Files:
328d23b9b9abd7055355d0b497b69298 2215 web optional
ocsinventory-server_2.5+dfsg-1.dsc
2d23e22024ab3452062c71afedf0ce4d 1152604 web optional
ocsinventory-server_2.5+dfsg.orig.tar.xz
73cb954930fccf0d3242e04338c41540 19400 web optional
ocsinventory-server_2.5+dfsg-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQJEBAEBCgAuFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAlwlL74QHHlhZGRAZGVi
aWFuLm9yZwAKCRD210ynyZnu6eGeD/oDrvbwfyigo5QSgBj1EqDBFlnJIimdeNo6
7bOibJsboyzRWCAYse5LLtwNhxBeALtH42RKExadlk5o+VYxl4DTqN7O98Pjo7LB
rdoScwFesn6HZzNNWDLSpueCfk+QOQDSUHaYwS+Utc6Cxxw/QGPc5j3Ch1rQILNZ
NP3R6GdQpevdJJ9g9uQt6PE30ryyx1f216Cv+NJLmZyLRlXZm/+VUOYefaTVinGj
MUvSlxu4P1HnVrecD2kNrfWKT3o9GWybf+Vz5ME1kFQdxWEfbzyUhpG9+myd2Nlj
UTrbe6FfZvYElkpWfYnXqLl3nCug+WDjuAFG5mUTporEo5NMVyLZ1K6XU/ncFXMZ
v6W2Mjm4+mWMtpjDLnYp/VRBoRUAqPvn+G6e8bpCtsWSZdYPJk3DaCuL0nzCeNn/
7JZ2Y6V1inNskFRVeayG1h5OZvZErKk+OVpARVpc7bSgQP6WszYyoIThn1/NmdHw
exkPziExP2O9RWayMbwGB1ZvQKfYl7eeBiib6dqcbBJX5dguyqtPhNQuat8Xfwpe
APYkseDGKhPxj7LeVp/Kb2o2e7ARyj1VLkiFxTxRszaE7O90n4GOHyDZLl7zsas+
cYktwJZRYNPAkZjaMgLF+WhzItX9pc1Ez8g4i6+jj78EX9YKED8n1OXOJPgC8Cjf
CEBsUR+Mlg==
=6VcE
-----END PGP SIGNATURE-----
--- End Message ---