Your message dated Fri, 5 Jun 2009 22:13:11 +0200
with message-id <20090605201311.gb22...@piche.inl.fr>
and subject line [giuse...@iuculano.it: Bug#531735: SA35311: OCS Inventory NG 
"systemid" SQL Injection Vulnerability]
has caused the Debian Bug report #531735,
regarding SA35311: OCS Inventory NG "systemid" SQL Injection Vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
531735: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531735
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ocsinventory-server
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

The following SA (Secunia Advisory) id was published for OCS Inventory NG:

SA35311[0]:

Description:
Nico Leidecker has discovered a vulnerability in OCS Inventory NG, which can be 
exploited by malicious people to conduct SQL injection attacks.

Input passed to the "systemid" parameter in group_show.php is not properly 
sanitised before being used in an SQL query. This can be exploited to 
manipulate SQL queries by injecting arbitrary SQL code.

The vulnerability is confirmed in version 1.02.1. Other versions may also be 
affected.


If you fix the vulnerability please also make sure to include the CVE id
(if it will be available) in the changelog entry.


[0]http://secunia.com/advisories/35311/
   http://archives.neohapsis.com/archives/bugtraq/2009-06/0009.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkomqRMACgkQNxpp46476aoYVwCgmN0vbbDxla23o2jNJ68eOVHB
yhAAnRaoQCIGLVDmO4VvwMCp0h11Dj7d
=bXC2
-----END PGP SIGNATURE-----



--- End Message ---
--- Begin Message ---
Bug is fixed, so let's close it.


----- Forwarded message from Giuseppe Iuculano <giuse...@iuculano.it> -----

fixed 531735 1.02.1-1
tags 531735 lenny patch
thanks

Giuseppe Iuculano wrote:
> The vulnerability is confirmed in version 1.02.1. Other versions may also be 
> affected.

This was wrong, 1.02.1 is not vulnerable.

Patch:
http://ocsinventory.svn.sourceforge.net/viewvc/ocsinventory?view=rev&revision=1625

Cheers,
Giuseppe





----- End forwarded message -----


--- End Message ---
