==========================================================================
Ubuntu Security Notice USN-4609-1
October 28, 2020

gosa vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in gosa.

Software Description:
– gosa: Web Based LDAP Administration Program

Details:

Fabian Henneke discovered that GOsa incorrectly handled client cookies. An
authenticated user could exploit this with a crafted cookie to perform
file deletions in the context of the user account that runs the web
server. (CVE-2019-14466)

It was discovered that GOsa incorrectly handled user access control. A
remote attacker could use this issue to log into any account with a
username containing the word “success”. (CVE-2019-11187)

Fabian Henneke discovered that GOsa was vulnerable to cross-site scripting
attacks via the change password form. A remote attacker could use this
flaw to run arbitrary web scripts. (CVE-2018-1000528)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 LTS:
gosa 2.7.4+reloaded2-9ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4609-1
CVE-2018-1000528, CVE-2019-11187, CVE-2019-14466

Package Information:
https://launchpad.net/ubuntu/+source/gosa/2.7.4+reloaded2-9ubuntu1.1

—–BEGIN PGP SIGNATURE—–

iQEzBAEBCAAdFiEElnO/d49FoUPK9fwytGdj0GOh2+wFAl+Z2GoACgkQtGdj0GOh
2+w9kAgAn3fADmxCz5kjlgbSaPhZai+nG4qzZ4p2HlosHHdYfYw752RPefa4pEIb
oSVbL8xyuuXlPQZJbK0gqpraqXkZhUy39yYccEWdgGoGDmGrx/eYzP7RJuE9n1PI
PvHcC35IVijU6zk86SBgTZFAIePAYrW2boFq7o34S4OxvjrD2vm+k3oubLrPdPEf
yGkOSBV56j9mKfzKv59oiFE8TZrtlq/H3O1sOI7n4F8FvITsCjv4OXY4fHFRGEZx
dGLchfIqw62qYFV+K8pTI2dgEMv7/f3H8o+w4Vkg2nEsePZshS73yLmvylBEiZp4
J+5/xpZRL2JWGztJdHq+AePhgU44Qw==
=vnwW
—–END PGP SIGNATURE—–
—