tickets #120597: LimeSurvey Security Update - openSUSE admin - openSUSE Project Management Tool

Custom queries

Events of the openSUSE Heroes
my assigned stuff
openQA Infrastructure Project
openqa-review - Closed tickets last updated by openqa-review, last 30 days
QA roadmap long-term
QA SLE functional
QA SLE Functional - closed in last 14 days
QA SLE Functional - High, need to be refined
QA SLE Functional - over cycle time median
QA SLE u
QA SLE y
QA tools (tag not necessary in openQA and subprojects)
QA tools tag (tag not necessary in openQA and subprojects; excluding tickets in "Ready" version as they are already on the backlog)
QAC - Backlog
QE tools team - backlog (ready issues)
QE tools team - backlog (w/o infra)
QE tools team - backlog SLA high
QE tools team - backlog SLA immediate
QE tools team - backlog SLA no immediate/urgent in feedback/blocked
QE tools team - backlog SLA normal
QE tools team - backlog SLA urgent
QE tools team - backlog SLO high
QE tools team - backlog SLO normal
QE tools team - backlog SLO urgent
QE tools team - backlog, high-level view (epics and higher)
QE tools team - backlog, non-reactive work, needs parent
QE tools team - backlog, top-level view (all sagas)
QE tools team - closed within last 14 days
QE tools team - closed within last 60 days
QE tools team - closed yesterday
QE Tools Team - Collaborative Session
QE tools team - due date forecast
QE tools team - exceeding due-date
QE tools team - infrastructure backlog
QE tools team - next - sorted by update time
QE tools team - next issues
QE tools team - non-estimated (unblocked) issues (w/o infra)
QE tools team - ready issues - Workable
QE tools team - ready, not assigned/blocked/low
QE tools team - update forecast
QE tools team - updated by priority
QE tools team - what members of the team are working on - Feedback (not-low)
QE Tools Team Backlog By Assignee
Tools Team Retrospective
Tools Team Retrospective (not estimated or assigned)

Actions

Copy link

tickets #120597

closed

LimeSurvey Security Update

Added by clopez@suse.de over 1 year ago. Updated 11 months ago.

Status:

Resolved

Priority:

Normal

Assignee:

crameleon

Category:

Core services and virtual infrastructure

Target version:

Start date:

2022-11-16

Due date:

% Done:

Estimated time:

Description

Hi openSUSE Admins,

We recently received the following security advisory for LimeSurvey,
which is present in the openSUSE:infrastructure OBS project.

https://www.cve.org/CVERecord?id=CVE-2022-43279

Could you please check if we are running a vulnerable instance of this
software, and if so, update accordingly? Thanks!

Best,
Carlos

--
Carlos López
Security Engineer
SUSE Software Solutions

Related issues 1 (0 open — 1 closed)

Related to openSUSE admin - communication #130135: https://survey.opensuse.org/ is down (new deployment of limesurvey instance would be fine)

Resolved

crameleon

2023-05-31

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by pjessen over 1 year ago

Category set to Core services and virtual infrastructure
Private changed from Yes to No

Actions

Copy link

Updated by pjessen over 1 year ago

We have survey.opensuse.org, which ends up on limesurvey.infra.opensuse.org = 192.168.47.12. This doesn't seem to be running though, doesn't respond to pings nor can I login.

Actions

Copy link

Updated by crameleon over 1 year ago

The VM is currently not running. Can someone verify if this is intentional? If not, I would boot it again, and update it to the latest version of LimeSurvey if it is not up to date already - we have 5.4.5 in https://build.opensuse.org/package/show/openSUSE:infrastructure/limesurvey already, and only 5.4.4 is affected according to the CVE.

Actions

Copy link

Updated by pjessen over 1 year ago

Assignee set to crameleon

crameleon wrote:

The VM is currently not running. Can someone verify if this is intentional? If not, I would boot it again, and update it to the latest version of LimeSurvey if it is not up to date already - we have 5.4.5 in https://build.opensuse.org/package/show/openSUSE:infrastructure/limesurvey already, and only 5.4.4 is affected according to the CVE.

My guess - as we have no current surveys running, it was probably stopped intentionally. Let's boot it up and check what it's running. If necessary update it, otherwise just shut it down again.

Actions

Copy link

Updated by crameleon over 1 year ago

Status changed from New to In Progress

Had to repair this:

Afterwards I updated the packages, but could not update LimeSurvey, because I just noticed we don't have any built binaries for 5.4 - only the sources were updated in the project, but they fail to build.

I shut the machine down again and submitted https://build.opensuse.org/request/show/1036955.

Actions

Copy link

Updated by pjessen 11 months ago

Related to communication #130135: https://survey.opensuse.org/ is down (new deployment of limesurvey instance would be fine) added

Actions

Copy link

Updated by crameleon 11 months ago

Status changed from In Progress to Resolved

Is now running with version 6.1.0, still needs to be correctly packaged, but tracking further in the new ticket as the security problem should be resolved.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

openSUSE admin

Tags

Custom queries

tickets #120597

LimeSurvey Security Update

Updated by pjessen over 1 year ago

Updated by pjessen over 1 year ago

Updated by crameleon over 1 year ago

Updated by pjessen over 1 year ago

Updated by crameleon over 1 year ago

Updated by pjessen 11 months ago

Updated by crameleon 11 months ago