-------------------------------------------------------------------------
Debian LTS Advisory DLA-3486-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
July 08, 2023                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : ocsinventory-server
Version        : 2.5+dfsg1-1+deb10u1
CVE ID         : n/a
Debian Bug     :

The source package ocsinventory-server, a hardware and software inventory
tool, has been updated to address the API change in php-cas due to
CVE-2022-39369; see DLA 3485-1 for details.

CAS is an optional authentication mechanism in the binary package
ocsinventory-reports. If it is used, ocsinventory-reports will stop
working until it has been reconfigured:

It now requires the base URL of the to-be-authenticated service to be
configured.

For ocsinventory-reports, this is configured with the variable
$cas_service_base_url in the file
/usr/share/ocsinventory-reports/backend/require/cas.config.php

Warning: regardless of this update, ocsreports-server should only be used
in secure and trusted environments.

For Debian 10 buster, this update is available through version
2.5+dfsg1-1+deb10u1.

We recommend that you upgrade your ocsinventory-server packages.

For the detailed security status of ocsinventory-server please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ocsinventory-server

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS