Date: Wed, 09 Nov 2016 13:20:55 +0100
From: Marek Hulán <mhulan@...hat.com>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2016-7077: information disclosure from association lists shown without authorization

CVE-2016-7077: information disclosure from association lists shown without authorization

Lists of associated resources, such as operating systems associated to a new architecture, are not restricted to listing resources that the user is authorized to view when rendering with fewer than six items. The list will show all possible associated resources, disclosing their names.

Affects Foreman 1.1 and higher, but was first mitigated against in Foreman 1.9.0 for some cases.

Patch available at https://github.com/theforeman/foreman/pull/3955
Fix will be released in Foreman 1.14 (to be released)

For more information please see Redmine issue http://projects.theforeman.org/issues/16971

-- 
Marek
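The bug class described in the advisory, as an added illustration that is not Foreman's code and not taken from the linked pull request: a form helper that picks a checkbox list for small association sets and a select widget for larger ones, where only one of the two branches applies the user's authorization scope. The model names, the six-item threshold as a constant, the id-based authorization filter and the sample data are all assumptions made for this example; it runs in plain Ruby without Rails.

```ruby
# Added example, not Foreman's code. Models the CVE-2016-7077 bug class:
# an association list whose rendering path depends on the record count,
# and where the small-count path forgets the authorization scope.

OperatingSystem = Struct.new(:id, :name)

# Constructed sample data (hypothetical): every OS row in the database.
ALL_OPERATINGSYSTEMS = [
  OperatingSystem.new(1, "Debian 8"),
  OperatingSystem.new(2, "RHEL 7"),
  OperatingSystem.new(3, "Internal build OS"),
].freeze

# Assumed authorization model: a user's filter grants :view on a set of ids.
User = Struct.new(:name, :viewable_os_ids) do
  # The scope every association list should be built from.
  def authorized(resources)
    resources.select { |r| viewable_os_ids.include?(r.id) }
  end
end

# Assumed threshold below which the checkbox widget is used.
CHECKBOX_THRESHOLD = 6

# Vulnerable shape: the checkbox branch renders the unscoped list, so a user
# who may view none of the records still sees every name. Only the select
# branch (six or more records) applies the scope.
def association_list_vulnerable(user, all_resources)
  if all_resources.size < CHECKBOX_THRESHOLD
    { widget: :checkboxes, names: all_resources.map(&:name) }
  else
    { widget: :select, names: user.authorized(all_resources).map(&:name) }
  end
end

# Hardened shape: scope first, then choose the widget from the scoped count,
# so no rendering path can reach records the user may not view.
def association_list_fixed(user, all_resources)
  visible = user.authorized(all_resources)
  widget  = visible.size < CHECKBOX_THRESHOLD ? :checkboxes : :select
  { widget: widget, names: visible.map(&:name) }
end

# Check a practitioner can run against a rendering: which names appear that
# the user's own scope would not have returned?
def leaked_names(user, all_resources, rendering)
  rendering[:names] - user.authorized(all_resources).map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new("alice", [1, 2])
  [[:vulnerable, association_list_vulnerable(alice, ALL_OPERATINGSYSTEMS)],
   [:fixed,      association_list_fixed(alice, ALL_OPERATINGSYSTEMS)]].each do |label, r|
    puts "#{label}: widget=#{r[:widget]} names=#{r[:names].inspect} " \
         "leaked=#{leaked_names(alice, ALL_OPERATINGSYSTEMS, r).inspect}"
  end
end
```

The point of the `leaked_names` check is that it does not care which widget was chosen: any rendering of an association list can be diffed against the user's own authorized scope, which is the property the fixed helper guarantees by construction and the vulnerable one only satisfies on the large-count path.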