Your message dated Mon, 06 Sep 2010 12:47:15 +0000
with message-id <e1osb6r-0005mt...@franck.debian.org>
and subject line Bug#595248: fixed in nusoap 0.7.3-4
has caused the Debian Bug report #595248,
regarding Unescaped PHP_SELF XSS vulnerabilities in NuSOAP 0.9.5
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
595248: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595248
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nusoap
Version: 0.9.5-1
Owner: olivier.ber...@it-sudparis.eu
Tags: security
Bogdan Calin of Acunetix discovered some cross-site scripting
vulnerabilities in NuSOAP 0.9.5 relating to lack of escaping of
PHP_SELF. This is an issue because of potentially malicious URLs being
constructed along the lines of:
http://site/soapserver.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E
In such an event, NuSOAP will print a WSDL output page (service
description) containing the maliciously crafted URL.
An upstream bug report exists at
http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005
and a preliminary patch has been provided by the MantisBT project (which
bundles NuSOAP) at: http://www.mantisbt.org/bugs/view.php?id=12312
--- End Message ---
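The pattern the report describes, as an added illustration in PHP that is neither NuSOAP's own code nor the maintainers' patch: an endpoint URL built from PHP_SELF and printed into the WSDL description page, shown unescaped beside an escaped form, with the SCRIPT_NAME alternative and a regression check a maintainer can run; all function names and the sample request path are assumptions (the path is constructed from the URL quoted in the report).

```php
<?php
// Added illustration, not NuSOAP's own code. Names are hypothetical and the
// request path below is constructed from the URL quoted in the bug report.

// PHP_SELF includes PATH_INFO, so a request for /soapserver.php/<suffix>
// places that suffix straight into $_SERVER['PHP_SELF'].
$php_self = '/soapserver.php/1<ScRiPt>prompt(923395)</ScRiPt>';

// Vulnerable pattern: the path is interpolated verbatim, so any markup in it
// becomes part of the service description page the browser renders.
function wsdl_location_unsafe(string $host, string $php_self): string
{
    return '<soap:address location="http://' . $host . $php_self . '"/>';
}

// Hardened pattern: escape before interpolating. ENT_QUOTES also neutralises
// the double quote that would otherwise close the location attribute early.
function wsdl_location_safe(string $host, string $php_self): string
{
    $escaped = htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8');
    return '<soap:address location="http://' . $host . $escaped . '"/>';
}

// Defence in depth: SCRIPT_NAME carries only the script path, without the
// request-controlled PATH_INFO suffix, so it is the better source for the
// endpoint URL; its value must still be escaped on output.
function endpoint_path(array $server): string
{
    $path = $server['SCRIPT_NAME'] ?? $server['PHP_SELF'] ?? '';
    return htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
}

// Regression check: true when the request path contains markup characters
// and the rendered description still contains that path verbatim.
function reflects_raw_markup(string $rendered, string $php_self): bool
{
    return strpbrk($php_self, '<>"\'') !== false
        && strpos($rendered, $php_self) !== false;
}

$unsafe = wsdl_location_unsafe('site', $php_self);
$safe   = wsdl_location_safe('site', $php_self);
echo $unsafe, PHP_EOL, $safe, PHP_EOL;
var_dump(reflects_raw_markup($unsafe, $php_self));
var_dump(reflects_raw_markup($safe, $php_self));
// Constructed $_SERVER subset: SCRIPT_NAME has no PATH_INFO suffix.
echo endpoint_path(['SCRIPT_NAME' => '/soapserver.php',
                    'PHP_SELF'    => $php_self]), PHP_EOL;
```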
--- Begin Message ---
Source: nusoap
Source-Version: 0.7.3-4
We believe that the bug you reported is fixed in the latest version of
nusoap, which is due to be installed in the Debian FTP archive:
libnusoap-php_0.7.3-4_all.deb
to main/n/nusoap/libnusoap-php_0.7.3-4_all.deb
nusoap_0.7.3-4.debian.tar.gz
to main/n/nusoap/nusoap_0.7.3-4.debian.tar.gz
nusoap_0.7.3-4.dsc
to main/n/nusoap/nusoap_0.7.3-4.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 595...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Goirand <z...@debian.org> (supplier of updated nusoap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Mon, 06 Sep 2010 18:57:35 +0800
Source: nusoap
Binary: libnusoap-php
Architecture: source all
Version: 0.7.3-4
Distribution: unstable
Urgency: high
Maintainer: Thomas Goirand <z...@debian.org>
Changed-By: Thomas Goirand <z...@debian.org>
Description:
libnusoap-php - SOAP toolkit for PHP
Closes: 595248 595346 595561
Changes:
nusoap (0.7.3-4) unstable; urgency=high
.
* Adopting package (Closes: #595561).
* Fixes an XSS vulnerability using PHP_SELF (Closes: #595248).
* Fixes a "return new by reference" PHP 5.3 deprecation (Closes: #595346).
* Rewrote the debian/copyright that I found in a messy state.
* Added Vcs-Git and Vcs-Browser fields.
--- End Message ---