[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 09 Nov 2016 13:20:55 +0100
From: Marek Hulán <mhulan@...hat.com>
To: oss-security@...ts.openwall.com
Cc: foreman-security@...glegroups.com
Subject: CVE-2016-7077: information disclosure from association lists shown without authorization
CVE-2016-7077: information disclosure from association lists shown without
authorization
Lists of associated resources, such as operating systems associated to a new
architecture, are not restricted to listing resources that the user is
authorized to view, when rendering with fewer than six items. The list will
show all possible associated resources, disclosing their names.
Affects Foreman 1.1 and higher, but was first mitigated against in Foreman
1.9.0 for some cases
Patch available at https://github.com/theforeman/foreman/pull/3955
Fix will be released in Foreman 1.14 (to be released)
For more information please see Redmine issue
http://projects.theforeman.org/issues/16971
--
Marek
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
