Your message dated Sat, 29 May 2010 13:02:46 +0000
with message-id <e1oilgc-0003d9...@ries.debian.org>
and subject line Bug#583290: fixed in zonecheck 2.1.1-1
has caused the Debian Bug report #583290,
regarding zonecheck: XSS security bug in the CGI
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
583290: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583290
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: zonecheck
Version: 2.0.4-13
Severity: grave
Tags: security
Justification: user security hole
There is an XSS security bug in the Zonecheck CGI up to version 2.1.0. Fixed
upstream in 2.1.1.
The patch is simple and can probably be backported:
http://cvs.savannah.gnu.org/viewvc/zonecheck/zc/publisher/html.rb?root=zonecheck&r1=1.79&r2=1.80
The bug has already been exploited in the wild:
http://www.xssed.com/mirror/61096/
The upstream bug report: https://savannah.nongnu.org/bugs/?29967
-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages zonecheck depends on:
ii iputils-ping 3:20071127-1 Tools to test the reachability of
ii ruby 4.2 An interpreter of object-oriented
zonecheck recommends no packages.
zonecheck suggests no packages.
-- no debconf information
--- End Message ---
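The report above does not describe the mechanism, only that the CGI's HTML publisher (html.rb) reflected input without escaping. As an added example that is not zonecheck's code and does not reproduce the actual r1.79 -> r1.80 change, the following Ruby shows the vulnerable interpolation pattern next to the output-encoded form, plus a small regression check a maintainer could run against a backport; the parameter name "zone" and the markup are assumptions.

```ruby
# Added example, not zonecheck's own code.  The "zone" parameter and the HTML
# layout are assumptions; the real html.rb fix is not reproduced here.
require 'cgi'

# Vulnerable pattern: a request parameter is interpolated straight into HTML,
# so any markup the client sends is parsed by the victim's browser.
def render_header_unsafe(zone)
  "<h1>Results for #{zone}</h1>"
end

# Fixed pattern: escape every untrusted value where it is written into an
# HTML text node.  CGI.escapeHTML rewrites & < > " and ' as entities.
def render_header_safe(zone)
  "<h1>Results for #{CGI.escapeHTML(zone)}</h1>"
end

# Attribute context needs its own encoding (URL-encoding inside a quoted
# href) while the visible text is still HTML-escaped.
def render_link_safe(zone)
  %(<a href="?zone=#{CGI.escape(zone)}">#{CGI.escapeHTML(zone)}</a>)
end

# Regression check: the rendered fragment may contain only the tags the
# template itself emits; anything else means input reached the page raw.
TEMPLATE_TAGS = %w[h1 /h1 a /a].freeze

def only_template_tags?(html)
  html.scan(/<([^>\s]+)/).flatten.all? { |t| TEMPLATE_TAGS.include?(t) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed test input carrying markup, as it arrives after URL decoding.
  hostile = 'example.org"><b>bold</b>'
  puts render_header_unsafe(hostile)                       # <b> survives
  puts render_header_safe(hostile)                         # &lt;b&gt; is inert
  puts only_template_tags?(render_header_unsafe(hostile))  # false
  puts only_template_tags?(render_header_safe(hostile))    # true
end
```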
--- Begin Message ---
Source: zonecheck
Source-Version: 2.1.1-1
We believe that the bug you reported is fixed in the latest version of
zonecheck, which is due to be installed in the Debian FTP archive:
zonecheck-cgi_2.1.1-1_all.deb
to main/z/zonecheck/zonecheck-cgi_2.1.1-1_all.deb
zonecheck_2.1.1-1.debian.tar.gz
to main/z/zonecheck/zonecheck_2.1.1-1.debian.tar.gz
zonecheck_2.1.1-1.dsc
to main/z/zonecheck/zonecheck_2.1.1-1.dsc
zonecheck_2.1.1-1_all.deb
to main/z/zonecheck/zonecheck_2.1.1-1_all.deb
zonecheck_2.1.1.orig.tar.gz
to main/z/zonecheck/zonecheck_2.1.1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 583...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastien Delafond <s...@debian.org> (supplier of updated zonecheck package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Sat, 29 May 2010 14:27:37 +0200
Source: zonecheck
Binary: zonecheck zonecheck-cgi
Architecture: source all
Version: 2.1.1-1
Distribution: unstable
Urgency: high
Maintainer: Sebastien Delafond <s...@debian.org>
Changed-By: Sebastien Delafond <s...@debian.org>
Description:
zonecheck - DNS configuration checker
zonecheck-cgi - DNS configuration checker (web interface)
Closes: 583290
Changes:
zonecheck (2.1.1-1) unstable; urgency=high
.
* New upstream release, which fixes the XSS issue in the CGI
(Closes: #583290).
* Bumped up Standards revision.
* Switched to 3.0 quilt source format.
--- End Message ---