Your message dated Thu, 28 Jan 2010 12:44:44 -0800
with message-id <dd8c57a1001281244j244262d2x566dfe1c2549e...@mail.gmail.com>
and subject line Re: Bug#563542: gwt: CVE-2007-2378 and CVE-2007-6542 vulnerabilities
has caused the Debian Bug report #563542,
regarding gwt: CVE-2007-2378 and CVE-2007-6452 vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
563542: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563542
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gwt
Version: 1.6.4-1
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for gwt. These may have been fixed upstream in the past
since these were issued a while ago, but since this is the initial
upload of the package, this needs to be checked. Please feel free to
close the bug if the problems have already been appropriately addressed.
CVE-2007-2378[0]:
| The Google Web Toolkit (GWT) framework exchanges data using JavaScript
| Object Notation (JSON) without an associated protection scheme, which
| allows remote attackers to obtain the data via a web page that
| retrieves the data through a URL in the SRC attribute of a SCRIPT
| element and captures the data using other JavaScript code, aka
| "JavaScript Hijacking."
CVE-2007-6542[1]:
| PHP remote file inclusion vulnerability in admin/frontpage_right.php
| in Arcadem LE 2.04 and earlier allows remote attackers to execute
| arbitrary PHP code via a URL in the loadadminpage parameter.
If you fix the vulnerabilities, please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2378
http://security-tracker.debian.org/tracker/CVE-2007-2378
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6542
http://security-tracker.debian.org/tracker/CVE-2007-6542
--- End Message ---
--- Begin Message ---
CVE-2007-2378: This report describes a general problem related to
JavaScript and is not within the scope of what GWT addresses. That
is, GWT is primarily a compiler and runtime, where addressing the
issues indicated in this CVE needs to be handled out-of-band by the
developer. The authors of GWT suggest the following considerations
and best practices:
http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications?pli=1
On Sun, Jan 3, 2010 at 9:49 AM, Michael Gilbert
<michael.s.gilb...@gmail.com> wrote:
> Package: gwt
> Version: 1.6.4-1
> Severity: serious
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for gwt. These may have been fixed upstream in the past
> since these were issued a while ago, but since this is the initial
> upload of the package, this needs to be checked. Please feel free to
> close the bug if the problems have already been appropriately addressed.
>
> CVE-2007-2378[0]:
> | The Google Web Toolkit (GWT) framework exchanges data using JavaScript
> | Object Notation (JSON) without an associated protection scheme, which
> | allows remote attackers to obtain the data via a web page that
> | retrieves the data through a URL in the SRC attribute of a SCRIPT
> | element and captures the data using other JavaScript code, aka
> | "JavaScript Hijacking."
>
> CVE-2007-6542[1]:
> | PHP remote file inclusion vulnerability in admin/frontpage_right.php
> | in Arcadem LE 2.04 and earlier allows remote attackers to execute
> | arbitrary PHP code via a URL in the loadadminpage parameter.
>
> If you fix the vulnerabilities, please also make sure to include the
> CVE ids in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2378
> http://security-tracker.debian.org/tracker/CVE-2007-2378
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6542
> http://security-tracker.debian.org/tracker/CVE-2007-6542
--- End Message ---
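The reply above says that the "JavaScript hijacking" described in CVE-2007-2378 has to be handled by the application developer rather than by GWT itself. As an added illustration of what that out-of-band handling looks like (this is example code written for this page, not GWT's code and not taken from the linked Google Groups article), the block below puts the two usual server-side guards beside an unguarded endpoint: refusing requests that lack a header a `<script src>` include cannot send, and prefixing the body so it is a syntax error if it is ever evaluated as a script. The header name `X-Requested-With`, the prefix `)]}',`, the sample payload and all function names are choices made for this example, not anything GWT mandates; the request object is constructed in-memory so the code runs offline under Node.

```javascript
// Added example, not GWT's code and not taken from the linked article.
// Two server-side guards for a JSON endpoint against "JavaScript hijacking"
// (CVE-2007-2378): a cross-site page cannot read a response it pulls in via
// <script src> if (1) the request is rejected when it lacks a header that
// only same-origin XHR/fetch can set, and (2) the body is not valid
// JavaScript. All functions work on a constructed request object, so this
// runs offline. Header name and prefix are conventional choices (assumed).
const ANTI_HIJACK_PREFIX = ")]}',\n"; // a leading ")" is a JS syntax error

// Constructed sample payload. An array literal is used on purpose: unlike a
// bare object literal, it is also valid JavaScript when evaluated as a script.
const SAMPLE_DATA = [{ id: 1, email: "alice@example.test" }];

// Vulnerable shape: bare JSON returned to any GET, no check on who asked.
function handleUnprotected(req, data) {
  return { status: 200, body: JSON.stringify(data) };
}

// Hardened shape.
function handleProtected(req, data) {
  // Node lowercases header names; do the same for the constructed request.
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) {
    headers[k.toLowerCase()] = v;
  }
  // Guard 1: a <script> element sends no custom headers, and a cross-origin
  // fetch/XHR that adds one triggers a CORS preflight this server never
  // approves, so only the application's own client reaches the data.
  if ((headers["x-requested-with"] || "") !== "XMLHttpRequest") {
    return { status: 403, body: "" };
  }
  // Guard 2: even if the body were loaded as a script, parsing fails before
  // any value is produced; the legitimate client strips the prefix.
  return { status: 200, body: ANTI_HIJACK_PREFIX + JSON.stringify(data) };
}

// What the application's own client does with a protected response.
function parseProtectedBody(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response lacks the anti-hijack prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Verification helper: would a browser accept this body as a script?
// `new Function` only compiles the source; nothing in it is executed.
function isValidJavaScript(src) {
  try {
    new Function(src);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Self-check: compare the unguarded and guarded endpoints on the same data.
function demo() {
  const unprotected = handleUnprotected({ headers: {} }, SAMPLE_DATA);
  const blocked = handleProtected({ headers: {} }, SAMPLE_DATA);
  const allowed = handleProtected(
    { headers: { "X-Requested-With": "XMLHttpRequest" } }, SAMPLE_DATA);
  return {
    unprotectedIsScript: isValidJavaScript(unprotected.body), // true
    blockedStatus: blocked.status,                             // 403
    allowedStatus: allowed.status,                             // 200
    allowedIsScript: isValidJavaScript(allowed.body),          // false
    roundTrip: parseProtectedBody(allowed.body),               // SAMPLE_DATA
  };
}

console.log(demo());
```

Both guards are independent: the header check stops the cross-site request from being answered at all, and the prefix makes the response worthless even if some path returns it without the check. Applying both is the usual advice for a GWT-RPC or JSON endpoint, since the framework itself, as the reply notes, does not do this for the developer.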