Your message dated Fri, 04 Sep 2009 18:32:07 +0000
with message-id <e1mjdzv-00064q...@ries.debian.org>
and subject line Bug#530271: fixed in ipplan 4.86a-7+lenny1
has caused the Debian Bug report #530271,
regarding CVE-2009-1732, CVE-2009-1733
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
530271: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530271
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ipplan
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for ipplan.
CVE-2009-1732[0]:
| Cross-site scripting (XSS) vulnerability in admin/usermanager in IPplan
| 4.91a allows remote attackers to inject arbitrary web script or HTML
| via the grp parameter.
CVE-2009-1733[1]:
| Cross-site request forgery (CSRF) vulnerability in IPplan 4.91a allows
| remote attackers to hijack the authentication of administrators for
| requests that (1) change the password, (2) add users, or (3) delete
| users via unknown vectors.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1732
    http://security-tracker.debian.net/tracker/CVE-2009-1732
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1733
    http://security-tracker.debian.net/tracker/CVE-2009-1733
    http://holisticinfosec.org/content/view/113/45/
--- End Message ---
--- Begin Message ---
Source: ipplan
Source-Version: 4.86a-7+lenny1
We believe that the bug you reported is fixed in the latest version of
ipplan, which is due to be installed in the Debian FTP archive:
ipplan_4.86a-7+lenny1.diff.gz
  to pool/main/i/ipplan/ipplan_4.86a-7+lenny1.diff.gz
ipplan_4.86a-7+lenny1.dsc
  to pool/main/i/ipplan/ipplan_4.86a-7+lenny1.dsc
ipplan_4.86a-7+lenny1_all.deb
  to pool/main/i/ipplan/ipplan_4.86a-7+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 530...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <wh...@debian.org> (supplier of updated ipplan package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Mon, 06 Jul 2009 09:40:57 +0000
Source: ipplan
Binary: ipplan
Architecture: source all
Version: 4.86a-7+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Jan Wagner <w...@cyconet.org>
Changed-By: Steffen Joeris <wh...@debian.org>
Description:
ipplan - web-based IP address manager and tracker
Closes: 530271
Changes:
 ipplan (4.86a-7+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix cross-site scripting vulnerability, which can be exploited via
     the userid, userdescrip, grp and grpdescrip parameters
     (Closes: #530271)
     Fixes: CVE-2009-1732
--- End Message ---