Arch Linux User Repository

OpenWSMAN >= 2.6.9 is affected by two CVEs:

CVE-2019-3816: "Openwsman, versions up to and including 2.6.9, are vulnerable to arbitrary file disclosure because the working directory of openwsmand daemon was set to root directory. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request to openwsman server."

https://nvd.nist.gov/vuln/detail/CVE-2019-3816

CVE-2019-3833: "Openwsman, versions up to and including 2.6.9, are vulnerable to infinite loop in process_connection() when parsing specially crafted HTTP requests. A remote, unauthenticated attacker can exploit this vulnerability by sending malicious HTTP request to cause denial of service to openwsman server."

https://nvd.nist.gov/vuln/detail/CVE-2019-3833

Patches are available through in the above CVE reports, or as a pull request on Github (which upstream couldn't be bothered to look at in almost three weeks): https://github.com/Openwsman/openwsman/pull/118

On top of that, there seem to be a few buffer overflows with an easy patch available, which upstream, again, couldn't be bothered to even look at since December 2018: https://github.com/Openwsman/openwsman/pull/117

So basically, this looks like abandonware.

@mattski: PKGBUILD updated, thanks!

I am getting a build error (below) it seems you need to add ruby-rdoc as a dependency. It was split from ruby earlier this year.

============================

Scanning dependencies of target ruby_rdoc [ 35%] Generating html Creating rdoc documentation ...Traceback (most recent call last): 2: from ./rdoc:45:in <main>' 1: from /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:inrequire' /usr/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require': cannot load such file -- rdoc/encoding (LoadError) make[2]: [bindings/ruby/CMakeFiles/ruby_rdoc.dir/build.make:64: bindings/ruby/html] Error 1 make[1]: [CMakeFiles/Makefile2:1151: bindings/ruby/CMakeFiles/ruby_rdoc.dir/all] Error 2 make: *** [Makefile:163: all] Error 2 ==> ERROR: A failure occurred in build(). Aborting...

@Megatonna: It doesn't seem to be supported (yet) without patching CMakeLists.txt. I get the following error when using python3:

=====
CMake Error at /usr/share/cmake-3.8/Modules/FindPackageHandleStandardArgs.cmake:137 (message):
Could NOT find PythonLibs (missing: PYTHON_LIBRARIES PYTHON_INCLUDE_DIRS)
(Required is at least version "2.6")
Call Stack (most recent call first):
/usr/share/cmake-3.8/Modules/FindPackageHandleStandardArgs.cmake:377 (_FPHSA_FAILURE_MESSAGE)
/usr/share/cmake-3.8/Modules/FindPythonLibs.cmake:262 (FIND_PACKAGE_HANDLE_STANDARD_ARGS)
CMakeLists.txt:180 (FIND_PACKAGE)

Could you add bindings for python3?

@dankles: PKGBUILD updated to use openssl-1.0, it should be ok now.

I'm getting a build error:
====
Scanning dependencies of target wsman_curl_client_transport
[ 1%] Building C object src/lib/CMakeFiles/wsman_curl_client_transport.dir/wsman-client-transport.o
[ 2%] Building C object src/lib/CMakeFiles/wsman_curl_client_transport.dir/wsman-curl-client-transport.o
/home/dankles/.cache/pacaur/openwsman/src/openwsman-2.6.3/src/lib/wsman-curl-client-transport.c: In function ‘ssl_certificate_thumbprint_verify_callback’:
/home/dankles/.cache/pacaur/openwsman/src/openwsman-2.6.3/src/lib/wsman-curl-client-transport.c:244:18: error: dereferencing pointer to incomplete type ‘X509_STORE_CTX {aka struct x509_store_ctx_st}’
X509 *cert = ctx->cert;
^~
make[2]: *** [src/lib/CMakeFiles/wsman_curl_client_transport.dir/build.make:87: src/lib/CMakeFiles/wsman_curl_client_transport.dir/wsman-curl-client-transport.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:1549: src/lib/CMakeFiles/wsman_curl_client_transport.dir/all] Error 2
make: *** [Makefile:163: all] Error 2
==> ERROR: A failure occurred in build().
Aborting...
:: failed to build openwsman package(s)
====

Anyone else seeing this?