Message-ID: <20160115102631.Horde.lTAFZQ18vwx6AyvDNnMXTR9@mail.das-netzwerkteam.de>
Date: Fri, 15 Jan 2016 10:26:31 +0000
From: Mike Gabriel <mike.gabriel@...-netzwerkteam.de>
To: oss-security@...ts.openwall.com
Subject: Security issues in GOsa

Hi,

GOsa is a framework written in PHP for LDAP-based management of  
intranet infrastructures.

As part of upstream (I joined the team recently) I would like to make  
you aware of (at least) two security issues +/- recently discovered:

(1) Possibility of code injection when setting passwords for Samba.  
Solved upstream:
https://github.com/gosa-project/gosa-core/commit/a67a047cba2cdae8bccb0f0e2bc6d3eb45cfcbc8

(2) XSS vulnerability during session log on. Solved upstream:
https://github.com/gosa-project/gosa-core/commit/e35b990464a2c2cf64d6833a217ed944876e7732

Please assign individual CVE IDs for both issues, if appropriate.

Thanks,
Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@...-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de
