GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Tue May 27, 2008 9:26 pm Post subject: [ GLSA 200805-21 ] Roundup: Permission bypass |
 |
|
Gentoo Linux Security Advisory
Title: Roundup: Permission bypass (GLSA 200805-21)
Severity: normal
Exploitable: remote
Date: May 27, 2008
Bug(s): #212488, #214666
ID: 200805-21
Synopsis
A vulnerability in Roundup allows for bypassing permission restrictions.
Background
Roundup is an issue-tracking system with command-line, web and e-mail
interfaces.
Affected Packages
Package: www-apps/roundup
Vulnerable: < 1.4.4-r1
Unaffected: >= 1.4.4-r1
Architectures: All supported architectures
Description
Philipp Gortan reported that the xml-rpc server in Roundup does not
check property permissions (CVE-2008-1475). Furthermore, Roland Meister
discovered multiple vulnerabilities caused by unspecified errors, some
of which may be related to cross-site scripting (CVE-2008-1474).
Impact
A remote attacker could possibly exploit the first vulnerability to
edit or view restricted properties via the list(), display(), and set()
methods. The impact and attack vectors of the second vulnerability are
unknown.
Workaround
There is no known workaround at this time.
Resolution
All Roundup users should upgrade to the latest version:
| Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/roundup-1.4.4-r1" |
References
CVE-2008-1474
CVE-2008-1475
Last edited by GLSA on Wed Sep 09, 2009 4:18 am; edited 2 times in total |
|
News & Announcements
