Your message dated Fri, 27 Aug 2010 16:02:16 +0000
with message-id <e1op1ng-0004ki...@franck.debian.org>
and subject line Bug#594301: fixed in uzbl 0.0.0~git.20100403-3
has caused the Debian Bug report #594301,
regarding CVE-2010-2809: The default configuration does not properly use the @SELECTED_URI feature
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
594301: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594301
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: uzbl
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for uzbl.
CVE-2010-2809[0]:
| The default configuration of the <Button2> binding in Uzbl before
| 2010.08.05 does not properly use the @SELECTED_URI feature, which
| allows user-assisted remote attackers to execute arbitrary commands
| via a crafted HREF attribute of an A element in an HTML document.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2809
http://security-tracker.debian.org/tracker/CVE-2010-2809
Cheers,
Giuseppe
--- End Message ---
--- Begin Message ---
Source: uzbl
Source-Version: 0.0.0~git.20100403-3
We believe that the bug you reported is fixed in the latest version of
uzbl, which is due to be installed in the Debian FTP archive:
uzbl_0.0.0~git.20100403-3.diff.gz
to main/u/uzbl/uzbl_0.0.0~git.20100403-3.diff.gz
uzbl_0.0.0~git.20100403-3.dsc
to main/u/uzbl/uzbl_0.0.0~git.20100403-3.dsc
uzbl_0.0.0~git.20100403-3_amd64.deb
to main/u/uzbl/uzbl_0.0.0~git.20100403-3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 594...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Luca Bruno <lu...@debian.org> (supplier of updated uzbl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Fri, 27 Aug 2010 16:26:30 +0200
Source: uzbl
Binary: uzbl
Architecture: source amd64
Version: 0.0.0~git.20100403-3
Distribution: unstable
Urgency: high
Maintainer: Stefan Ritter <x...@thehappy.de>
Changed-By: Luca Bruno <lu...@debian.org>
Description:
uzbl - Lightweight Webkit browser following the UNIX philosophy
Closes: 594301
Changes:
uzbl (0.0.0~git.20100403-3) unstable; urgency=high
.
  * Fix unsafe URI handling in default config, may lead to arbitrary commands
    execution, CVE-2010-2809 (Closes: #594301)
  * Added NEWS.Debian suggesting how to fix user customized config in home
    directory
--- End Message ---