Hi! I think that the 3.2.1-1 Debian package already fixed the problem:
The following code was added: http://backuppc.cvs.sourceforge.net/viewvc/backuppc/BackupPC/lib/BackupPC/CGI/Browse.pm?r1=1.23&r2=1.24

BR,
Ludovic.

On Thu, Oct 27, 2011 at 04:22:54PM -0500, Jamie Strandboge wrote:
> Package: backuppc
> Version: 3.2.1-1
> Severity: grave
> Tags: patch security
> Justification: user security hole
> User: ubuntu-de...@lists.ubuntu.com
> Usertags: origin-ubuntu precise ubuntu-patch
>
>
> In Ubuntu, the attached patch was applied to achieve the following:
>
>   * SECURITY UPDATE: XSS in CGI/View.pm
>     - lib/BackupPC/CGI/View.pm: update to verify backup number is numeric
>     - CVE-2011-XXXX
>
> A CVE was requested on oss-security:
> http://www.openwall.com/lists/oss-security/2011/10/27/8
>
> Thanks for considering the patch.
>
>
> -- System Information:
> Debian Release: wheezy/sid
>   APT prefers oneiric-updates
>   APT policy: (500, 'oneiric-updates'), (500, 'oneiric-security'), (500, 'oneiric')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.0.0-12-generic (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> diff -u backuppc-3.2.1/debian/changelog backuppc-3.2.1/debian/changelog
> diff -u backuppc-3.2.1/lib/BackupPC/CGI/View.pm backuppc-3.2.1/lib/BackupPC/CGI/View.pm
> --- backuppc-3.2.1/lib/BackupPC/CGI/View.pm
> +++ backuppc-3.2.1/lib/BackupPC/CGI/View.pm
> @@ -46,7 +46,7 @@
> my $compress = 0;
> my $fh;
> my $host = $In{host};
> - my $num = $In{num};
> + my $num = ${EscHTML($In{num})};
> my $type = $In{type};
> my $linkHosts = 0;
> my($file, $comment);
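Review bot: the changelog entry describes the View.pm change as "verify backup number is numeric", but the hunk only HTML-escapes the parameter (`my $num = ${EscHTML($In{num})};`) and adds no numeric check, so a non-numeric `num` still flows into the rest of the function and is merely rendered safely where it is echoed. Validate instead, for example fail with an error page unless `$In{num} =~ /^\d+$/`, and escape at the point of output; that makes the patch match its description and covers every use of `$num`, not just the HTML one. The Ubuntu patch also touches lib/BackupPC/CGI/View.pm while the upstream revision cited in the reply is to Browse.pm, so it is worth confirming that the View.pm path is fixed upstream as well.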
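To make the escape-versus-validate distinction from the patch concrete, here is an added example that is not part of the thread or of BackupPC. `EscHTML` imitates BackupPC's helper only in shape (it returns a reference so it can be interpolated as `${EscHTML(...)}`); its escaping table is an assumption, and `ValidBackupNum` is a hypothetical check standing in for the numeric verification the changelog describes. The inputs are constructed to stand in for `$In{num}` as received from the query string.

```perl
#!/usr/bin/perl
# Added example, not BackupPC code. Contrasts HTML-escaping a CGI
# parameter (what the quoted hunk does) with validating it as a backup
# number (what the changelog entry says the fix does).
use strict;
use warnings;

# Imitation of BackupPC's EscHTML: returns a reference to the escaped
# string so callers can write ${EscHTML($x)}. Escaping table assumed.
sub EscHTML {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return \$s;
}

# Hypothetical check: a backup number is a non-negative integer.
# Anything else is rejected before it reaches a lookup or an error page.
sub ValidBackupNum {
    my ($num) = @_;
    return undef unless defined $num && $num =~ /^\d+$/;
    return $num + 0;    # normalise e.g. "007" to 7
}

# Constructed inputs standing in for $In{num} from the query string.
my @inputs = (
    '12',
    '007',
    '<script>alert(1)</script>',
    '12 OR 1',
    '',
    '-1',
);

for my $in (@inputs) {
    my $escaped = ${EscHTML($in)};      # safe to echo, but still not a number
    my $num     = ValidBackupNum($in);  # only genuine backup numbers survive
    printf "%-30s escaped=%-42s valid=%s\n",
        "'$in'", "'$escaped'", defined $num ? $num : 'rejected';
}
```

Running it shows the gap the reviewer note points at: `<script>alert(1)</script>` is neutralised by escaping, but `12 OR 1` and `-1` pass through `EscHTML` unchanged and would still be used as a backup number by any code that trusts `$num` after the hunk, whereas `ValidBackupNum` rejects all three and accepts only `12` and `007`.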