Your message dated Fri, 14 Nov 2008 14:07:10 -0600
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#505732: SA32658: Interchange Cross-Site Scripting 
Vulnerabilities
has caused the Debian Bug report #505732,
regarding SA32658: Interchange Cross-Site Scripting Vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
505732: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505732
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Source: interchange
Severity: grave
Version: 5.6.0-1
Tags: security

Hi,

The following SA (Secunia Advisory) id was published for interchange.

SA32658[1]:
> Some vulnerabilities have been reported in Interchange, which can be
> exploited by malicious people to conduct cross-site scripting attacks.
>
> 1) Unspecified input passed to the "country-select widget" is not properly
> sanitised before being returned to the user. This can be exploited to
> execute arbitrary HTML and script code in a user's browser session in
> context of an affected site.
>
> 2) Input passed to the "mv_order_item" CGI variable is not properly
> sanitised before being returned to the user. This can be exploited to
> execute arbitrary HTML and script code in a user's browser session in
> context of an affected site.
>
> The vulnerabilities are reported in versions prior to 5.4.3 and 5.6.1.

If you fix the vulnerability please also make sure to include the SA id (or 
the CVE id when one is assigned) in the changelog entry.

[1] http://secunia.com/Advisories/32658/

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net



--- End Message ---
--- Begin Message ---
Version: 5.6.1-1

2008/11/14 Stefan Hornburg (Racke) <[EMAIL PROTECTED]>:
[...]
>
> I already uploaded interchange 5.6.1-1 today before I was aware of this
> SA.

It didn't show up when I checked at packages.qa.d.o, thanks for the upload.

>
> Regards
>        Racke
>

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Bob Hope  - "I love to go to Washington - if only to be near my money."


--- End Message ---
