Updated glpi package fixes security vulnerabilities
Publication date: 09 Jan 2015
Modification date: 09 Jan 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2014-5032, CVE-2014-8360, CVE-2014-9258
Description
Updated glpi package fixes security vulnerabilities:

Due to a bug in GLPI before 0.84.7, a user without access to cost information can in fact see the information when selecting cost as a search criterion (CVE-2014-5032).

An issue in GLPI before 0.84.8 may allow arbitrary local files to be included by PHP through an autoload function (CVE-2014-8360).

An SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter (CVE-2014-9258).
References
- https://bugs.mageia.org/show_bug.cgi?id=14933
- http://www.glpi-project.org/spip.php?page=annonce&id_breve=326&lang=en
- http://www.glpi-project.org/spip.php?page=annonce&id_breve=330&lang=en
- http://www.glpi-project.org/spip.php?page=annonce&id_breve=334&lang=en
- http://tlk.tuxfamily.org/doku.php?id=writeup:cve-2014-8360
- https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147296.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5032
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8360
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9258
SRPMS
4/core
- glpi-0.84.3-1.2.mga4