Package: cgiwrap
Version: 3.9-3.1
Severity: important
Tags: security

I just noticed the CGIWrap upstream homepage at http://cgiwrap.sourceforge.net/ has this security notice:

  CGIWrap 4.1 update protects against a cross-site scripting vulnerability in the error page handling due to how some browsers behave when a charset is not specified. CGIWrap now sets a default charset and allows overriding it during the configure process.

  Advisories:
  * http://jvn.jp/en/jp/JVN45389864/index.html (English)
  * http://jvn.jp/jp/JVN45389864/index.html (Japanese)

This is CVE-2008-2852.

I haven't actually verified it in the Debian version, but pre-4.1 versions are listed as vulnerable. This includes the version in Etch.

I'm not sure about the severity, CC'ing the security team.

Note that this package is orphaned and the last maintainer upload was in 2005. It might make sense to remove the package from lenny.

--
Niko Tyni [EMAIL PROTECTED]
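
Added example, not part of the original report and not CGIWrap code: a check for the condition the upstream notice names, an HTML error response that declares no charset in either the Content-Type header or a meta tag. The sample responses are constructed, and the names `declared_charset` and `audit` are hypothetical.

```python
import re
from email.parser import Parser

# Constructed sample responses (CGI header block, blank line, body).
# They are illustrations, not output captured from any CGIWrap version.
NO_CHARSET = "Content-Type: text/html\r\n\r\n<html><body>CGIWrap Error</body></html>"
HEADER_CHARSET = "Content-Type: text/html; charset=iso-8859-1\r\n\r\n<html></html>"
META_CHARSET = ("Content-Type: text/html\r\n\r\n<html><head>"
                '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
                "</head></html>")
PLAIN_TEXT = "Content-Type: text/plain\r\n\r\nerror"

# A charset declared in a <meta> tag near the top of the document.
META_RE = re.compile(r"<meta[^>]+charset\s*=\s*[\"']?([\w.:-]+)", re.IGNORECASE)


def declared_charset(raw_response):
    """Return (media_type, charset or None) for one raw response."""
    msg = Parser().parsestr(raw_response)
    media_type = msg.get_content_type()   # lower-cased, parameters stripped
    charset = msg.get_content_charset()   # None when the header has no charset
    if charset is None and media_type == "text/html":
        # Fall back to a <meta> declaration in the first 1024 characters.
        match = META_RE.search(msg.get_payload()[:1024])
        if match:
            charset = match.group(1).lower()
    return media_type, charset


def audit(raw_response):
    """Classify a response: 'not-html', 'ok' or 'missing-charset'."""
    media_type, charset = declared_charset(raw_response)
    if media_type != "text/html":
        return "not-html"
    return "ok" if charset else "missing-charset"


if __name__ == "__main__":
    for name in ("NO_CHARSET", "HEADER_CHARSET", "META_CHARSET", "PLAIN_TEXT"):
        print(name, audit(globals()[name]))
```

To check an installed version, feed the function the raw header block and body of an error page saved from that server instead of the constructed samples.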