tickets #120597
closed
LimeSurvey Security Update
Description
Hi openSUSE Admins,
We recently received the following security advisory for LimeSurvey,
which is present in the openSUSE:infrastructure OBS project.
https://www.cve.org/CVERecord?id=CVE-2022-43279
Could you please check if we are running a vulnerable instance of this
software, and if so, update accordingly? Thanks!
Best,
Carlos
--
Carlos López
Security Engineer
SUSE Software Solutions
Updated by pjessen over 1 year ago
- Category set to Core services and virtual infrastructure
- Private changed from Yes to No
Updated by pjessen over 1 year ago
We have survey.opensuse.org, which ends up on limesurvey.infra.opensuse.org = 192.168.47.12. This doesn't seem to be running though, doesn't respond to pings, nor can I log in.
Updated by crameleon over 1 year ago
The VM is currently not running. Can someone verify if this is intentional? If not, I would boot it again, and update it to the latest version of LimeSurvey if it is not up to date already - we have 5.4.5 in https://build.opensuse.org/package/show/openSUSE:infrastructure/limesurvey already, and only 5.4.4 is affected according to the CVE.
Updated by pjessen over 1 year ago
- Assignee set to crameleon
crameleon wrote:
The VM is currently not running. Can someone verify if this is intentional? If not, I would boot it again, and update it to the latest version of LimeSurvey if it is not up to date already - we have 5.4.5 in https://build.opensuse.org/package/show/openSUSE:infrastructure/limesurvey already, and only 5.4.4 is affected according to the CVE.
My guess - as we have no current surveys running, it was probably stopped intentionally. Let's boot it up and check what it's running. If necessary update it, otherwise just shut it down again.
Updated by crameleon over 1 year ago
- Status changed from New to In Progress
Had to repair this:
Afterwards I updated the packages, but could not update LimeSurvey, because I just noticed we don't have any built binaries for 5.4 - only the sources were updated in the project, but they fail to build.
I shut the machine down again and submitted https://build.opensuse.org/request/show/1036955.
Updated by pjessen 11 months ago
- Related to communication #130135: https://survey.opensuse.org/ is down (new deployment of limesurvey instance would be fine) added