oss-sec mailing list archives
Multiple CVE info for Ipsilon
From: Patrick Uiterwijk <puiterwijk () redhat com>
Date: Tue, 27 Oct 2015 11:45:34 +0100
Hi, I would like to provide information about multiple CVE's related to Ipsilon. CVE-2015-5216: Versions affected: 0.1.0 to 1.0.0 Fixed in versions: 1.0.1, 1.1.0 Description: ipsilon does not escape HTML when processing http(s) request responses, and that js code could potentially be injected into Python exception message template. Mitigation: Users of Ipsilon should update to version 1.0.1 or later. Credit: This issue was discovered by Michael Scherer of Red Hat. References: https://bugzilla.redhat.com/show_bug.cgi?id=1255170 Upstream patch: https://pagure.io/ipsilon/a503aa9c2a30a74e709d1c88099befd50fb2eb16 CVE-2015-5217: Versions affected: 0.1.0 to 1.0.0 Fixed in versions: 1.0.1, 1.1.0 Description: It was found that Ipsilon does not properly authorize change of the name of the provider. Non-admin users could change the name to a duplicate value which could possibly lead to DoS attack. Mitigation: Users of Ipsilon should update to version 1.0.1 or later. Credit: This issue was discovered by Patrick Uiterwijk of Red Hat. References: https://bugzilla.redhat.com/show_bug.cgi?id=1255172 Upstream patch: https://pagure.io/ipsilon/826e6339441546f596320f3d73304ab5f7c10de6 CVE-2015-5301: Versions affected: 0.1.0 to 1.0.1 and 1.1.0 Fixed in versions: 1.0.2, 1.1.1 Description: It was found that Ipsilon does not check whether a user is authorized to delete a service provider. This makes it possible for any authenticated user to delete any service provider, causing a denial of service. Mitigation: Users of Ipsilon should update to version 1.0.2 or 1.1.1 or later. Credit: This issue was discovered by Patrick Uiterwijk and Rob Crittenden of Red Hat. References: https://bugzilla.redhat.com/show_bug.cgi?id=1271530 Upstream patch: https://pagure.io/ipsilon/9dec97c3c83928d231ea10f4160523a13803e594 --- With kind regards, Patrick Uiterwijk Fedora Infra
Current thread:
- Multiple CVE info for Ipsilon Patrick Uiterwijk (Oct 27)