Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 27 Oct 2015 11:45:34 +0100
From: Patrick Uiterwijk <puiterwijk@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Multiple CVE info for Ipsilon

Hi,

I would like to provide information about multiple CVE's related to Ipsilon.


CVE-2015-5216:
Versions affected: 0.1.0 to 1.0.0
Fixed in versions: 1.0.1, 1.1.0
Description:
ipsilon does not escape HTML when processing http(s) request responses,
and that js code could potentially be injected into Python exception message template.

Mitigation: Users of Ipsilon should update to version 1.0.1 or later.
Credit: This issue was discovered by Michael Scherer of Red Hat.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1255170
Upstream patch: https://pagure.io/ipsilon/a503aa9c2a30a74e709d1c88099befd50fb2eb16


CVE-2015-5217:
Versions affected: 0.1.0 to 1.0.0
Fixed in versions: 1.0.1, 1.1.0
Description:
It was found that Ipsilon does not properly authorize change of the name of the provider.
Non-admin users could change the name to a duplicate value which could possibly lead to DoS attack.

Mitigation: Users of Ipsilon should update to version 1.0.1 or later.
Credit: This issue was discovered by Patrick Uiterwijk of Red Hat.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1255172
Upstream patch: https://pagure.io/ipsilon/826e6339441546f596320f3d73304ab5f7c10de6


CVE-2015-5301:
Versions affected: 0.1.0 to 1.0.1 and 1.1.0
Fixed in versions: 1.0.2, 1.1.1
Description:
It was found that Ipsilon does not check whether a user is authorized to delete a service provider.
This makes it possible for any authenticated user to delete any service provider, causing a denial of service.

Mitigation: Users of Ipsilon should update to version 1.0.2 or 1.1.1 or later.
Credit: This issue was discovered by Patrick Uiterwijk and Rob Crittenden of Red Hat.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1271530
Upstream patch: https://pagure.io/ipsilon/9dec97c3c83928d231ea10f4160523a13803e594


---
With kind regards,
Patrick Uiterwijk
Fedora Infra

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ