===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3308
               [SECURITY] [DLA 1905-1] gosa security update
                             2 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           gosa
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-14466  

Original Bulletin: 
   https://security-tracker.debian.org/tracker/DLA-1905-1

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running gosa check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : gosa
Version        : 2.7.4+reloaded2-1+deb8u5
CVE ID         : CVE-2019-14466


GOsa2 used unserialize to restore filter settings from a cookie. Since
this cookie was supplied by the client, authenticated users could have
passed arbitrary content to unserialize, which opened GOsa2 up to a
potential PHP object injection.

For Debian 8 "Jessie", this problem has been fixed in version
2.7.4+reloaded2-1+deb8u5.

We recommend that you upgrade your gosa packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS



mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver@debian.org, http://sunweavers.net


- --------------------------END INCLUDED TEXT--------------------
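
The pattern described in the advisory, next to a hardened way of restoring the same settings. This is an added example, not code from GOsa2 or from the Debian fix; the cookie name, filter keys and function names are hypothetical.

```php
<?php
// Added illustration; cookie name, filter keys and function names are
// hypothetical and are not taken from GOsa2's source.

const FILTER_COOKIE = 'filter_settings';   // hypothetical cookie name
// Allow-list of setting names and the gettype() result each must have.
const ALLOWED_KEYS  = ['category' => 'string', 'scope' => 'string', 'regex' => 'boolean'];

// Pattern described in the advisory: client-controlled bytes reach
// unserialize(), so the client chooses which loaded class is instantiated
// and what its properties hold when magic methods such as __wakeup() run.
function restore_filter_unsafe(array $cookies)
{
    return unserialize($cookies[FILTER_COOKIE]);
}

// Hardened form: a data-only encoding (JSON) plus a strict allow-list of
// keys and scalar types. Anything unexpected falls back to the defaults.
function restore_filter_safe(array $cookies, array $defaults)
{
    if (!isset($cookies[FILTER_COOKIE]) || !is_string($cookies[FILTER_COOKIE])) {
        return $defaults;
    }
    $data = json_decode($cookies[FILTER_COOKIE], true);
    if (!is_array($data)) {
        return $defaults;               // not JSON, or not an object/array
    }
    $filter = $defaults;
    foreach (ALLOWED_KEYS as $key => $type) {
        // Nested arrays and wrong types are rejected by the gettype() check.
        if (array_key_exists($key, $data) && gettype($data[$key]) === $type) {
            $filter[$key] = $data[$key];
        }
    }
    return $filter;
}

// Constructed sample inputs.
$defaults = ['category' => 'users', 'scope' => 'one', 'regex' => false];
$benign   = [FILTER_COOKIE => '{"category":"groups","regex":true,"extra":"ignored"}'];
$hostile  = [FILTER_COOKIE => 'O:8:"stdClass":0:{}'];   // serialized object, not JSON

var_dump(restore_filter_safe($benign, $defaults));    // allow-listed keys merged over defaults
var_dump(restore_filter_safe($hostile, $defaults));   // defaults returned unchanged
```

On PHP 7.0 and later, unserialize() also accepts ['allowed_classes' => false] as a second argument; a data-only format such as JSON removes the object-instantiation path altogether.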

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================