[Fedora] Vulnerability in OCS Inventory - FEDORA-2009-8819 / FEDORA-2009-8799



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear colleagues,

We have just received the following Fedora Security Advisory. We are
forwarding this information to you unchanged.

  RedHat Bug ID 517837 - SQL injection vulnerability in OCS Inventory NG

  The machine.php script of OCS Inventory NG does not sufficiently check
  the parameters passed to it for SQL metacharacters they may contain.
  An attacker who is logged in to the system can exploit this
  vulnerability to obtain possibly confidential data from the database
  or to execute arbitrary SQL code in the database.

The following software packages and platforms are affected:

  Package ocsinventory

  Fedora 10
  Fedora 11

Updated packages are made available by the vendor.

Vendor advisory:
  https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00929.html
  https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00950.html


(c) of the German summary held by DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with attribution to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

With kind regards,
		Klaus Moeller, DFN-CERT

- -- 
Dipl. Inform. Klaus Moeller (Incident Response Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805,  Ust-IdNr.:  DE 232129737
Sachsenstrase 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

- --------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-8819
2009-08-20 20:34:05
- --------------------------------------------------------------------------------

Name        : ocsinventory
Product     : Fedora 11
Version     : 1.02.1
Release     : 3.fc11
URL         : http://www.ocsinventory-ng.org/
Summary     : Open Computer and Software Inventory Next Generation
Description :
Open Computer and Software Inventory Next Generation is an application
designed to help a network or system administrator keep track of the
computers configuration and software that are installed on the network.

OCS Inventory is also able to detect all active devices on your network,
such as switch, router, network printer and unattended devices.

OCS Inventory NG includes package deployment feature on client computers.

ocsinventory is a metapackage that will install the communication server,
the administration console and the database server (MySQL).

- --------------------------------------------------------------------------------
Update Information:

A security issue has been found in GUI
http://seclists.org/fulldisclosure/2009/Aug/0143.html
- --------------------------------------------------------------------------------
ChangeLog:

* Mon Aug 17 2009 Remi Collet <Fedora@xxxxxxxxxxxxxxxxx> 1.02.1-3
- - add ChangeLog
- - Security Fixes (internal version 5003) Bug #517837
* Sat May 30 2009 Remi Collet <Fedora@xxxxxxxxxxxxxxxxx> 1.02.1-1
- - update to OCS Inventory NG 1.02.1 - Security Fixes (internal version 5003)
* Mon Apr 20 2009 Remi Collet <Fedora@xxxxxxxxxxxxxxxxx> 1.02-1
- - update to OCS Inventory NG 1.02 final release (internal version 5003)
- --------------------------------------------------------------------------------
References:

  [ 1 ] Bug #517837 - OCS Inventory NG: SQL injection in machine blacklisting
        https://bugzilla.redhat.com/show_bug.cgi?id=517837
- --------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update ocsinventory' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
- --------------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFKjn6Ik0kIxZMiiQ8RAjmAAKCQhW1Bm8kT+fgBgokJXVXYU9Jc6ACgnsbw
OTVfjdDvh5VaDcRa7nFoxDE=
=xBVS
-----END PGP SIGNATURE-----