tickets #120597

closed

LimeSurvey Security Update

Added by clopez@suse.de over 1 year ago. Updated 11 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Core services and virtual infrastructure
Target version:
-
Start date:
2022-11-16
Due date:
% Done:

0%

Estimated time:

Description

Hi openSUSE Admins,

We recently received the following security advisory for LimeSurvey,
which is present in the openSUSE:infrastructure OBS project.

https://www.cve.org/CVERecord?id=CVE-2022-43279

Could you please check if we are running a vulnerable instance of this
software, and if so, update accordingly? Thanks!

Best,
Carlos

--
Carlos López
Security Engineer
SUSE Software Solutions


Related issues: 1 (0 open, 1 closed)

Related to openSUSE admin - communication #130135: https://survey.opensuse.org/ is down (new deployment of limesurvey instance would be fine) - Resolved - crameleon - 2023-05-31

Actions #1

Updated by pjessen over 1 year ago

  • Category set to Core services and virtual infrastructure
  • Private changed from Yes to No
Actions #2

Updated by pjessen over 1 year ago

We have survey.opensuse.org, which ends up on limesurvey.infra.opensuse.org = 192.168.47.12. This doesn't seem to be running though, doesn't respond to pings nor can I login.

Actions #3

Updated by crameleon over 1 year ago

The VM is currently not running. Can someone verify if this is intentional? If not, I would boot it again, and update it to the latest version of LimeSurvey if it is not up to date already - we have 5.4.5 in https://build.opensuse.org/package/show/openSUSE:infrastructure/limesurvey already, and only 5.4.4 is affected according to the CVE.
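One way to do the "check what it's running" step before touching the VM, as an added example that is not part of this ticket and not LimeSurvey's own tooling: read the version string out of the deployed tree and compare it against the affected version the ticket names. The file location application/config/version.php and the $config['versionnumber'] key are taken from LimeSurvey's source layout and should be confirmed against the actual deployment (treat both as assumptions here); the only affected version is 5.4.4, as stated in comment #3; the version.php contents in the block are constructed samples.

```python
"""Check a LimeSurvey installation against the version this ticket calls affected.

Assumptions (not from the ticket): LimeSurvey stores its release number in
application/config/version.php as  $config['versionnumber'] = '5.4.5';
Verify this against the deployed tree before relying on it.
"""
import re
from pathlib import Path
from typing import Dict, Tuple

# Per comment #3 of the ticket: only 5.4.4 is affected by CVE-2022-43279.
AFFECTED_VERSIONS = {(5, 4, 4)}

# Relative path of the version file inside the LimeSurvey web root (assumed).
VERSION_FILE = Path("application") / "config" / "version.php"

# Matches  $config['versionnumber'] = '5.4.5';  (single or double quotes).
# The leading quote before "versionnumber" keeps 'dbversionnumber' from matching.
VERSION_RE = re.compile(
    r"""\$config\[['"]versionnumber['"]\]\s*=\s*['"]([0-9][0-9.]*)['"]\s*;"""
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the release number from version.php contents as an int tuple."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError("no $config['versionnumber'] assignment found")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """True if this exact release is in the affected set from the ticket."""
    return version in AFFECTED_VERSIONS


def assess(text: str) -> Dict[str, object]:
    """Summarise a version.php: the release found and whether it is affected."""
    version = parse_version(text)
    return {
        "version": ".".join(str(p) for p in version),
        "affected": is_affected(version),
    }


def assess_install(webroot: Path) -> Dict[str, object]:
    """Assess a deployed tree, e.g. assess_install(Path('/srv/www/limesurvey'))."""
    return assess((webroot / VERSION_FILE).read_text(encoding="utf-8"))


# Constructed sample contents (not copied from any real deployment).
SAMPLE_VULNERABLE = """<?php
$config['versionnumber'] = '5.4.4';
$config['dbversionnumber'] = 492;
$config['buildnumber'] = '';
"""

SAMPLE_UPDATED = """<?php
$config['versionnumber'] = "5.4.5";
$config['dbversionnumber'] = 493;
"""


if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_VULNERABLE), ("new", SAMPLE_UPDATED)):
        result = assess(sample)
        state = "AFFECTED, update needed" if result["affected"] else "not affected"
        print(f"{label}: LimeSurvey {result['version']} is {state}")
```

The exact-match set mirrors what the ticket states; if the advisory's affected range turns out to be wider, extend AFFECTED_VERSIONS or switch is_affected to a "fixed in" comparison on the tuple rather than guessing here.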

Actions #4

Updated by pjessen over 1 year ago

  • Assignee set to crameleon

crameleon wrote:

The VM is currently not running. Can someone verify if this is intentional? If not, I would boot it again, and update it to the latest version of LimeSurvey if it is not up to date already - we have 5.4.5 in https://build.opensuse.org/package/show/openSUSE:infrastructure/limesurvey already, and only 5.4.4 is affected according to the CVE.

My guess - as we have no current surveys running, it was probably stopped intentionally. Let's boot it up and check what it's running. If necessary update it, otherwise just shut it down again.

Actions #5

Updated by crameleon over 1 year ago

  • Status changed from New to In Progress

Had to repair this:

Afterwards I updated the packages, but could not update LimeSurvey, because I just noticed we don't have any built binaries for 5.4 - only the sources were updated in the project, but they fail to build.

I shut the machine down again and submitted https://build.opensuse.org/request/show/1036955.

Actions #6

Updated by pjessen 11 months ago

  • Related to communication #130135: https://survey.opensuse.org/ is down (new deployment of limesurvey instance would be fine) added
Actions #7

Updated by crameleon 11 months ago

  • Status changed from In Progress to Resolved

Is now running with version 6.1.0, still needs to be correctly packaged, but tracking further in the new ticket as the security problem should be resolved.
