Your message dated Mon, 02 Aug 2010 15:02:48 +0000
with message-id <e1ofwxq-0001ka...@franck.debian.org>
and subject line Bug#588137: fixed in lxr-cvs 0.9.5+cvs20071020-1.1
has caused the Debian Bug report #588137,
regarding CVE-2010-1625: Cross-site scripting (XSS) vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
588137: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=588137
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lxr-cvs
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for lxr-cvs.

CVE-2010-1625[0]:
| Cross-site scripting (XSS) vulnerability in LXR Cross Referencer
| before 0.9.7 allows remote attackers to inject arbitrary web script or
| HTML via vectors related to the search body and the results page for a
| search, a different vulnerability than CVE-2009-4497 and
| CVE-2010-1448.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1625
    http://security-tracker.debian.org/tracker/CVE-2010-1625


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwxuk8ACgkQNxpp46476aqJAACdHXCgsE0TCu5IzDnbciemz6cA
848An2OoZ/YiLbTXA+23xTP2u6U6xaWx
=qvMg
-----END PGP SIGNATURE-----



--- End Message ---
--- Begin Message ---
Source: lxr-cvs
Source-Version: 0.9.5+cvs20071020-1.1

We believe that the bug you reported is fixed in the latest version of
lxr-cvs, which is due to be installed in the Debian FTP archive:

lxr-cvs_0.9.5+cvs20071020-1.1.diff.gz
  to main/l/lxr-cvs/lxr-cvs_0.9.5+cvs20071020-1.1.diff.gz
lxr-cvs_0.9.5+cvs20071020-1.1.dsc
  to main/l/lxr-cvs/lxr-cvs_0.9.5+cvs20071020-1.1.dsc
lxr-cvs_0.9.5+cvs20071020-1.1_all.deb
  to main/l/lxr-cvs/lxr-cvs_0.9.5+cvs20071020-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 588...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated lxr-cvs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 31 Jul 2010 15:57:41 +0200
Source: lxr-cvs
Binary: lxr-cvs
Architecture: source all
Version: 0.9.5+cvs20071020-1.1
Distribution: unstable
Urgency: high
Maintainer: Giacomo Catenazzi <c...@debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description: 
 lxr-cvs    - A general hypertext cross-referencing tool
Closes: 575745 584671 588036 588137
Changes: 
 lxr-cvs (0.9.5+cvs20071020-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Backported upstream security fixes from current release (Closes: #584671).
   * This update addresses the following security issues:
     - CVE-2010-1448: reflected XSS via title tag on search page (Closes: #588036).
     - CVE-2010-1625: reflected XSS in search results page (Closes: #588137).
     - CVE-2009-4497: XSS via the i parameter of the ident script (Closes: #575745).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkxUNl8ACgkQHYflSXNkfP9ogACfSJx9m8qcCheb66P104uF9UQc
n/UAn0Rjs8t2zVoD53B5/QlIo8D/DI+8
=nc94
-----END PGP SIGNATURE-----



--- End Message ---
