Summary
A security flaw was found in the password change form of Server Manager. It allows an authenticated user to escalate privileges and execute arbitrary code, meaning a malicious local user can take full control of the system.
Affected version
All NethServer 7 versions before 7.4 milestone are affected.
Solution
NethServer 6 is not affected, nor is NethServer 7 from the 7.4 milestone release onward.
If your ns7 system has updates applied at least up to September 8, 2017, you can cherry-pick and install the fix with the following command:
yum localinstall http://packages.nethserver.org/nethserver/7.4.1708/base/x86_64/Packages/nethserver-base-3.1.1-1.ns7.noarch.rpm
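The following check, added here as an example and not part of the original advisory, reports whether the installed nethserver-base package is at or above the fixed version shipped by the command above (3.1.1-1.ns7). It assumes an RPM-based host and GNU sort with the -V option for version ordering.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether nethserver-base
# already carries the fix. The fixed version is taken from the RPM named
# in the advisory's yum command.
FIXED_VERSION="3.1.1-1.ns7"

# version_at_least INSTALLED REQUIRED
# Returns 0 when INSTALLED >= REQUIRED. Relies on GNU 'sort -V'
# (assumption): if REQUIRED sorts first or equal, INSTALLED is new enough.
version_at_least() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# Print the installed VERSION-RELEASE of nethserver-base, or nothing
# when the package is absent (rpm -q prints a message on stdout otherwise).
installed_nethserver_base() {
    rpm -q nethserver-base >/dev/null 2>&1 || return 0
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' nethserver-base
}

# fix_status_for VERSION -> "not-installed" | "fixed" | "vulnerable"
fix_status_for() {
    if [ -z "$1" ]; then
        echo "not-installed"
    elif version_at_least "$1" "$FIXED_VERSION"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Only query the package database where rpm exists, so the script
# can be sourced or run on non-RPM hosts without error.
if command -v rpm >/dev/null 2>&1; then
    installed=$(installed_nethserver_base)
    status=$(fix_status_for "$installed")
    echo "nethserver-base ${installed:-(absent)}: $status"
    if [ "$status" = "vulnerable" ]; then
        echo "Install nethserver-base >= $FIXED_VERSION (see advisory)."
    fi
fi
```

A result of "vulnerable" means the installed package predates the fix; "not-installed" on a NethServer host is unexpected and worth investigating.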
Bug
https://github.com/NethServer/dev/issues/5367
Further details will be available from the link above on Monday, November 6.
Disclosure process
The disclosure process was discussed privately among the @ambassadors_group during the previous week. The discussion is now publicly available here: