--------------------------------------------------------------------------------Fedora Update Notification
FEDORA-2020-885e2343ed
2020-05-14 02:28:00.022666
--------------------------------------------------------------------------------Name        : glpi
Product     : Fedora 31
Version     : 9.4.6
Release     : 1.fc31
URL         : https://glpi-project.org/
Summary     : Free IT asset management software
Description :
GLPI is the Information Resource-Manager with an additional Administration-Interface. You can use it to build up a database with an inventory for your
company (computer, software, printers...). It has enhanced functions to make
the daily life for the administrators easier, like a job-tracking-system with
mail-notification and methods to build a database with basic information
about your network-topology.

--------------------------------------------------------------------------------Update Information:

Last Upstream release, including (among others):  - (security) Prevent execution
of SQL injection while assigning a technician, - (security) Permit to change key
used to store passwords, - (security) Improve CSRF token, - (security) Fix
several possible XSS, - (security) Fix a few possible SQL injections, - Fix SCSS
caching issues, - Fix inline images handling on item update, - Fix PHP 7.4
compatibility, - Connect to database using socket, - ...  Full changelog at
https://github.com/glpi-project/glpi/milestone/39?closed=1
--------------------------------------------------------------------------------ChangeLog:

* Tue May  5 2020 Johan Cwiklinski  - 9.4.6-1
- update to 9.4.6
- drop patches applied upstream
--------------------------------------------------------------------------------References:

  [ 1 ] Bug #1834489 - CVE-2020-11033 glpi: any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1834489
  [ 2 ] Bug #1834492 - CVE-2020-11036 glpi: XSS in the comments of items in the knowledge base and via the User-Agent for administrators [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1834492
  [ 3 ] Bug #1834498 - CVE-2020-11035 glpi: CSRF tokens are generated using an insecure algorithm [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1834498
  [ 4 ] Bug #1834505 - CVE-2020-11034 glpi: bypass open redirect protection based on a regexp [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=1834505
--------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-885e2343ed' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
--------------------------------------------------------------------------------_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Fedora 31: glpi FEDORA-2020-885e2343ed

May 13, 2020
Last Upstream release, including (among others): - (security) Prevent execution of SQL injection while assigning a technician, - (security) Permit to change key used to store passw...

Summary

GLPI is the Information Resource-Manager with an additional Administration-Interface. You can use it to build up a database with an inventory for your

company (computer, software, printers...). It has enhanced functions to make

the daily life for the administrators easier, like a job-tracking-system with

mail-notification and methods to build a database with basic information

about your network-topology.

Last Upstream release, including (among others): - (security) Prevent execution

of SQL injection while assigning a technician, - (security) Permit to change key

used to store passwords, - (security) Improve CSRF token, - (security) Fix

several possible XSS, - (security) Fix a few possible SQL injections, - Fix SCSS

caching issues, - Fix inline images handling on item update, - Fix PHP 7.4

compatibility, - Connect to database using socket, - ... Full changelog at

https://github.com/glpi-project/glpi/milestone/39?closed=1

* Tue May 5 2020 Johan Cwiklinski - 9.4.6-1

- update to 9.4.6

- drop patches applied upstream

[ 1 ] Bug #1834489 - CVE-2020-11033 glpi: any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1834489

[ 2 ] Bug #1834492 - CVE-2020-11036 glpi: XSS in the comments of items in the knowledge base and via the User-Agent for administrators [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1834492

[ 3 ] Bug #1834498 - CVE-2020-11035 glpi: CSRF tokens are generated using an insecure algorithm [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1834498

[ 4 ] Bug #1834505 - CVE-2020-11034 glpi: bypass open redirect protection based on a regexp [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1834505

su -c 'dnf upgrade --advisory FEDORA-2020-885e2343ed' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

FEDORA-2020-885e2343ed 2020-05-14 02:28:00.022666 Product : Fedora 31 Version : 9.4.6 Release : 1.fc31 URL : https://glpi-project.org/ Summary : Free IT asset management software Description : GLPI is the Information Resource-Manager with an additional Administration-Interface. You can use it to build up a database with an inventory for your company (computer, software, printers...). It has enhanced functions to make the daily life for the administrators easier, like a job-tracking-system with mail-notification and methods to build a database with basic information about your network-topology. Last Upstream release, including (among others): - (security) Prevent execution of SQL injection while assigning a technician, - (security) Permit to change key used to store passwords, - (security) Improve CSRF token, - (security) Fix several possible XSS, - (security) Fix a few possible SQL injections, - Fix SCSS caching issues, - Fix inline images handling on item update, - Fix PHP 7.4 compatibility, - Connect to database using socket, - ... Full changelog at https://github.com/glpi-project/glpi/milestone/39?closed=1 * Tue May 5 2020 Johan Cwiklinski - 9.4.6-1 - update to 9.4.6 - drop patches applied upstream [ 1 ] Bug #1834489 - CVE-2020-11033 glpi: any API user with READ right on User itemtype will have access to full list of users when querying apirest.php/User [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1834489 [ 2 ] Bug #1834492 - CVE-2020-11036 glpi: XSS in the comments of items in the knowledge base and via the User-Agent for administrators [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1834492 [ 3 ] Bug #1834498 - CVE-2020-11035 glpi: CSRF tokens are generated using an insecure algorithm [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1834498 [ 4 ] Bug #1834505 - CVE-2020-11034 glpi: bypass open redirect protection based on a regexp [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1834505 su -c 'dnf upgrade --advisory FEDORA-2020-885e2343ed' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at package-announce mailing list -- package-announce@lists.fedoraproject.org To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/

Change Log

References

Update Instructions

Severity
Product : Fedora 31
Version : 9.4.6
Release : 1.fc31
URL : https://glpi-project.org/
Summary : Free IT asset management software

Related News

24.Key Code Esm H320
Akira Ransomware Gang Targets Linux Servers, Extorts $42 Million
2 - 3 min read
Apr 19, 2024
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
Linus Torvalds Addresses Malicious Developers, Hardware Errors and More at Open Source Summit
2 - 3 min read
Apr 18, 2024
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
SPDX 3.0 Revolutionizes Software Management & Security
1 - 2 min read
Apr 17, 2024
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
xz-style Attacks Continue to Target Open-Source Maintainers
2 - 3 min read
Apr 16, 2024
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
Threat Actors Are Actively Using Pupy RAT Malware to Attack Linux Systems
1 - 2 min read
Apr 15, 2024
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
Ubuntu Linux 24.04 LTS Beta Released with Enhanced Security & Performance
2 - 4 min read
Apr 15, 2024
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
Growth in Open Source Use Among Businesses Analyzed
2 - 3 min read
Apr 12, 2024
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
Rust-Based Edera: Locking Down Container Security Once and For All
2 - 3 min read
Apr 12, 2024
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved