Your message dated Thu, 03 Feb 2005 13:47:07 -0500
with message-id <[EMAIL PROTECTED]>
and subject line Bug#281655: fixed in info2www 1.2.2.9-23
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 17 Nov 2004 02:46:36 +0000
From [EMAIL PROTECTED] Tue Nov 16 18:46:36 2004
Return-path: <[EMAIL PROTECTED]>
Received: from duke.exaprobe.net (duke-out.exaprobe.net) [62.39.86.145]
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CUFq7-0007yP-00; Tue, 16 Nov 2004 18:46:36 -0800
Received: from bobby.exaprobe.com (unknown [82.251.0.35])
	by duke.exaprobe.net (Postfix) with ESMTP id 365D13F662;
	Wed, 17 Nov 2004 03:46:01 +0100 (CET)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Nicolas Gregoire <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: info2www: Cross-site scripting vulnerability
X-Mailer: reportbug 2.63
Date: Wed, 17 Nov 2004 03:45:55 +0100
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.4 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	HTML_60_70,HTML_MESSAGE autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:

Package: info2www
Version: 1.2.2.9-22
Severity: normal
Tags: security

There's an XSS vulnerability in the info2www CGI.
The following URL will display the document location using Javascript:

/cgi-bin/info2www?(coreutils)<script>alert(document.location)<script>

Every user-supplied parameter should be sanitized before use.
-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED]

Versions of packages info2www depends on:
ii  apache [httpd]    1.3.31-7    Versatile, high-performance HTTP s
ii  perl              5.8.4-3     Larry Wall's Practical Extraction

-- no debconf information

---------------------------------------
Received: (at 281655-close) by bugs.debian.org; 3 Feb 2005 18:53:05 +0000
From [EMAIL PROTECTED] Thu Feb 03 10:53:05 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Cwm6D-0006Nh-00; Thu, 03 Feb 2005 10:53:05 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1Cwm0R-0000c0-00; Thu, 03 Feb 2005 13:47:07 -0500
From: Uwe Hermann <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.55 $
Subject: Bug#281655: fixed in info2www 1.2.2.9-23
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Thu, 03 Feb 2005 13:47:07 -0500
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:

Source: info2www
Source-Version: 1.2.2.9-23

We believe that the bug you reported is fixed in the latest version of
info2www, which is due to be installed in the Debian FTP archive:

info2www_1.2.2.9-23.diff.gz
  to pool/main/i/info2www/info2www_1.2.2.9-23.diff.gz
info2www_1.2.2.9-23.dsc
  to pool/main/i/info2www/info2www_1.2.2.9-23.dsc
info2www_1.2.2.9-23_all.deb
  to pool/main/i/info2www/info2www_1.2.2.9-23_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.
If you have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Uwe Hermann <[EMAIL PROTECTED]> (supplier of updated info2www package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 3 Feb 2005 19:15:56 +0100
Source: info2www
Binary: info2www
Architecture: source all
Version: 1.2.2.9-23
Distribution: unstable
Urgency: high
Maintainer: Uwe Hermann <[EMAIL PROTECTED]>
Changed-By: Uwe Hermann <[EMAIL PROTECTED]>
Description:
 info2www   - Read info files with a WWW browser
Closes: 281655
Changes:
 info2www (1.2.2.9-23) unstable; urgency=high
 .
   * SECURITY FIX: This release prevents _some_ forms of Cross Site
     Scripting (XSS) attacks against info2www. A more thorough security
     audit needs to be done, though. It's expected that more
     vulnerabilities can be found. Thanks to Nicolas Gregoire for the
     bug-report and Justin Pryzby for his help with analyzing the issue
     and providing a first fix (Closes: #281655).
Files:
 e5fb2af8e848702164800ef5c06257d0 588 doc optional info2www_1.2.2.9-23.dsc
 7c955232786ec117c9a8533c6c57a981 14921 doc optional info2www_1.2.2.9-23.diff.gz
 9d52f6351f1ced7242fb28a28acf1f6a 22362 doc optional info2www_1.2.2.9-23_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCAmukXdVoV3jWIbQRAhDzAJ92S/XQsezh8OiT1xzdnKL1lSp8iQCdFAdU
QmXGo9auNJAw8vPq9Snu+4Y=
=iHxe
-----END PGP SIGNATURE-----
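The mitigation the report asks for (sanitizing the CGI's user-supplied node parameter before it is echoed into HTML) and a matching access-log check for the reported request shape, as an added Python illustration that is not info2www's own Perl code; the "(file)node" query format, the character allow-list and the log lines are assumptions constructed for this example.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Assumed request shape: info2www is asked for an info node as "(file)node",
# e.g. "(coreutils)Top". The allow-list covers characters a node name can
# plausibly contain; angle brackets and quotes never qualify.
NODE_SPEC = re.compile(r"^\(([A-Za-z0-9_.+-]+)\)([A-Za-z0-9_ .,+-]*)$")

def parse_node_spec(query):
    """Return (file, node) when the raw query is a well-formed node spec, else None."""
    m = NODE_SPEC.match(unquote(query))
    if not m:
        return None
    return m.group(1), (m.group(2) or "Top")

def render_heading(query):
    """Heading an info2www-style page would echo back for the requested node.
    Whatever reaches the HTML is escaped, so a rejected request is shown inertly."""
    parsed = parse_node_spec(query)
    if parsed is None:
        return "<h1>Unknown node: %s</h1>" % html.escape(unquote(query))
    file_, node = parsed
    return "<h1>(%s)%s</h1>" % (html.escape(file_), html.escape(node))

def is_suspicious_request(log_line):
    """True when an access-log line requests info2www with tag or quote
    characters (raw or percent-encoded) in the query, which a legitimate
    node spec never carries."""
    m = re.search(r'"(?:GET|POST) (\S+)', log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if not url.path.endswith("/info2www"):
        return False
    return re.search(r'[<>"\']', unquote(url.query)) is not None

# Constructed sample log lines (not from the report): the reported URL as a
# browser would send it percent-encoded, and a legitimate lookup of the same file.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Nov/2004:03:40:12 +0100] "GET /cgi-bin/info2www?'
    '(coreutils)%3Cscript%3Ealert(document.location)%3Cscript%3E HTTP/1.0" 200 1840',
    '192.0.2.11 - - [17/Nov/2004:03:41:03 +0100] "GET /cgi-bin/info2www?'
    '(coreutils)Top HTTP/1.0" 200 2210',
]

def flagged_requests(lines=SAMPLE_LOG):
    """Subset of log lines that match the reported abuse pattern."""
    return [line for line in lines if is_suspicious_request(line)]
```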