Bugzilla – Bug 850928
VUL-1: CVE-2013-1869: spacewalk: header injection flaw
Last modified: 2014-02-11 18:06:03 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=923464

Vincent Danen 2013-03-19 18:50:28 EDT

Ryan Giobbi from UPMC reported a header injection flaw in the Spacewalk web UI's return URL parameter:

Request

GET /rhn/systems/Overview.do?empty_set=true&return_url=67172%0d%0ad42e002fa0f HTTP/1.1
Host: host.example.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: https://host.example.com/rhn/YourRhn.do
Cookie: pxt-session-cookie=7053xcace9e6d1158735e6f047ab49e4e509c; JSESSIONID=FAEED8F0E45715879B0D0AFACB8ADFF7

Response

HTTP/1.0 302 Moved Temporarily
Date: Thu, 21 Feb 2013 17:43:48 GMT
Location: https://host.example.com/rhn/systems/67172
d42e002fa0f
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Set-Cookie: pxt-session-cookie=7053xcace9e6d1158735e6f047ab49e4e509c; Path=/; Secure; HttpOnly
Connection: close
Created attachment 567894 spacewalk_820003_patch.diff
Patch to stop trusting return_url
Only allow return-url for 'local' URLs
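One way to express the "local URLs only" rule from the patch description above, as an added Java example; it is not the contents of spacewalk_820003_patch.diff or Spacewalk's own code. The class and method names, the fallback path and the reading of "local" as a server-relative path are assumptions, and the sample inputs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration; names and policy are assumptions, not Spacewalk code.
public class ReturnUrlCheck {

    /** Returns the candidate if it is a safe local path, otherwise the fallback. */
    static String localReturnUrl(String candidate, String fallback) {
        if (candidate == null || candidate.isEmpty()) {
            return fallback;
        }
        // The container has already percent-decoded the parameter, so %0d%0a
        // arrives here as real CR/LF. Reject every control character.
        for (int i = 0; i < candidate.length(); i++) {
            if (Character.isISOControl(candidate.charAt(i))) {
                return fallback;
            }
        }
        // Assumed policy: "local" means a server-relative path. "//host" and
        // "/\host" are treated by browsers as a different origin.
        if (!candidate.startsWith("/") || candidate.startsWith("//")
                || candidate.startsWith("/\\")) {
            return fallback;
        }
        try {
            URI uri = new URI(candidate);
            if (uri.isAbsolute() || uri.getRawAuthority() != null) {
                return fallback;
            }
        } catch (URISyntaxException e) {
            return fallback;
        }
        return candidate;
    }

    public static void main(String[] args) {
        String fallback = "/rhn/YourRhn.do";
        String[] constructed = {
            "/rhn/systems/Overview.do",   // server-relative path
            "67172\r\nd42e002fa0f",       // decoded form of the reported value
            "//other.example.net/",       // scheme-relative, off-site
            "https://other.example.net/"  // absolute, off-site
        };
        for (String c : constructed) {
            System.out.println(localReturnUrl(c, fallback));
        }
    }
}
```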
bugbot adjusting priority
The SWAMPID for this issue is 55894. This issue was rated as moderate. Please submit fixed packages until 2014-01-31. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Public now.
released
Update released for: spacewalk-backend, spacewalk-backend-app, spacewalk-backend-applet, spacewalk-backend-config-files, spacewalk-backend-config-files-common, spacewalk-backend-config-files-tool, spacewalk-backend-iss, spacewalk-backend-iss-export, spacewalk-backend-libs, spacewalk-backend-package-push-server, spacewalk-backend-server, spacewalk-backend-sql, spacewalk-backend-sql-oracle, spacewalk-backend-sql-postgresql, spacewalk-backend-tools, spacewalk-backend-xml-export-libs, spacewalk-backend-xmlrpc, spacewalk-backend-xp, spacewalk-base, spacewalk-base-minimal, spacewalk-branding, spacewalk-certs-tools, spacewalk-dobby, spacewalk-grail, spacewalk-html, spacewalk-java, spacewalk-java-config, spacewalk-java-lib, spacewalk-java-oracle, spacewalk-java-postgresql, spacewalk-java-tests, spacewalk-pxt, spacewalk-search, spacewalk-sniglets, spacewalk-taskomatic, spacewalk-utils, spacewalk-web, susemanager, susemanager-tools
Products: SUSE-MANAGER 1.7 (x86_64)
SUSE-SU-2014:0222-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.
Category: security (moderate)
Bug References: 834415,846356,850925,850927,850928,850929,850930,853913,854090,858197,858652
CVE References: CVE-2010-2236,CVE-2012-6149,CVE-2013-1869,CVE-2013-1871,CVE-2013-4415
Sources used:
SUSE Manager 1.7 for SLE 11 SP2 (src): spacewalk-backend-1.7.38.31-0.5.1, spacewalk-branding-1.7.1.11-0.5.1, spacewalk-certs-tools-1.7.3.11-0.5.1, spacewalk-java-1.7.54.30-0.5.1, spacewalk-search-1.7.3.12-0.5.1, spacewalk-utils-1.7.15.12-0.5.3, spacewalk-web-1.7.28.20-0.5.1, susemanager-1.7.27-0.5.2