List: oss-security
Subject: [oss-security] Multiple CVE info for Ipsilon
From: Patrick Uiterwijk <puiterwijk () redhat ! com>
Date: 2015-10-27 10:45:34
Message-ID: 20151027104534.GA1620 () bofh ! thuis ! puiterwijk ! org
Hi,
I would like to provide information about multiple CVEs related to Ipsilon.
CVE-2015-5216:
Versions affected: 0.1.0 to 1.0.0
Fixed in versions: 1.0.1, 1.1.0
Description:
Ipsilon does not escape HTML when rendering HTTP(S) request responses,
so JavaScript code could potentially be injected into the Python exception message template.
Mitigation: Users of Ipsilon should update to version 1.0.1 or later.
Credit: This issue was discovered by Michael Scherer of Red Hat.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1255170
Upstream patch: https://pagure.io/ipsilon/a503aa9c2a30a74e709d1c88099befd50fb2eb16
CVE-2015-5217:
Versions affected: 0.1.0 to 1.0.0
Fixed in versions: 1.0.1, 1.1.0
Description:
It was found that Ipsilon does not properly authorize changes to the name of a provider.
Non-admin users could change the name to a duplicate value, which could possibly lead to a denial-of-service attack.
Mitigation: Users of Ipsilon should update to version 1.0.1 or later.
Credit: This issue was discovered by Patrick Uiterwijk of Red Hat.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1255172
Upstream patch: https://pagure.io/ipsilon/826e6339441546f596320f3d73304ab5f7c10de6
CVE-2015-5301:
Versions affected: 0.1.0 to 1.0.1 and 1.1.0
Fixed in versions: 1.0.2, 1.1.1
Description:
It was found that Ipsilon does not check whether a user is authorized to delete a service provider.
This makes it possible for any authenticated user to delete any service provider, causing a denial of service.
Mitigation: Users of Ipsilon should update to version 1.0.2 or 1.1.1 or later.
Credit: This issue was discovered by Patrick Uiterwijk and Rob Crittenden of Red Hat.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1271530
Upstream patch: https://pagure.io/ipsilon/9dec97c3c83928d231ea10f4160523a13803e594
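As an added illustration (not Ipsilon's own code), the following hypothetical provider registry shows the three checks the advisories above call for: an administrator-role check before renaming or deleting a service provider (CVE-2015-5217, CVE-2015-5301), rejection of duplicate provider names, and HTML escaping of exception text before it is placed in an error page (CVE-2015-5216). The class, exception names and the `admins` list are assumptions for the example.

```python
import html


class Forbidden(Exception):
    """Raised when the caller is not authorized for an operation."""


class Conflict(Exception):
    """Raised when a requested provider name is already taken."""


class ProviderRegistry:
    """Hypothetical, simplified service provider registry (not Ipsilon code)."""

    def __init__(self, admins):
        self.admins = set(admins)   # assumed: users allowed to manage providers
        self.providers = {}         # name -> provider record

    def _require_admin(self, user):
        # Every mutating operation checks the caller's role, not merely
        # that the caller is authenticated (the gap behind the two DoS CVEs).
        if user not in self.admins:
            raise Forbidden("user %r is not an administrator" % user)

    def add(self, user, name):
        self._require_admin(user)
        if name in self.providers:
            raise Conflict("provider %r already exists" % name)
        self.providers[name] = {"owner": user}

    def rename(self, user, old, new):
        self._require_admin(user)
        if old not in self.providers:
            raise KeyError(old)
        if new in self.providers:
            # Reject duplicates so one entry cannot shadow or clobber another.
            raise Conflict("provider %r already exists" % new)
        self.providers[new] = self.providers.pop(old)

    def delete(self, user, name):
        self._require_admin(user)
        del self.providers[name]


def render_error(exc):
    """Return an error-page fragment with the exception text HTML-escaped.

    Exception messages can echo user-supplied input (e.g. a submitted
    provider name), so they must never be inserted into HTML unescaped.
    """
    return '<p class="error">%s</p>' % html.escape(str(exc), quote=True)


def attempt(op, *args):
    """Run a registry operation and report its outcome as a short string."""
    try:
        op(*args)
        return "ok"
    except (Forbidden, Conflict, KeyError) as e:
        return type(e).__name__
```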
---
With kind regards,
Patrick Uiterwijk
Fedora Infra