Your message dated Mon, 08 Nov 2010 14:50:50 +0000
with message-id <e1pft3a-00004s...@franck.debian.org>
and subject line Bug#602589: Removed package(s) from unstable
has caused the Debian Bug report #598743,
regarding hypermail: XSS vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
598743: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598743
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: hypermail
Version: 2.2.0.dfsg-2
Severity: grave
Tags: security
Justification: user security hole
Hypermail has a cross-site scripting vulnerability in the way it
indexes mails.
Eg: send a mail with this From address:
"<iframe src=//debian.org>" em...@debian.org
All the pages indexing this email will have the iframe interpreted as
HTML; the message listing under a specific message is also affected.
This was discovered by Eduardo Abril who sent <b>pepelotas</b> here:
http://archives.neohapsis.com/archives/fulldisclosure/2010-10/index.html
Regards
-- System Information:
Debian Release: 5.0.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32.23-grsec (SMP w/2 CPU cores)
Locale: lang=fr_fr.ut...@euro, lc_ctype=fr_fr.ut...@euro (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages hypermail depends on:
ii libc6 2.7-18lenny4 GNU C Library: Shared libraries
ii libgdbm3 1.8.3-3 GNU dbm database routines (runtime
ii libpcre3 7.6-2.1 Perl 5 Compatible Regular Expressi
ii python 2.5.2-3 An interactive high-level object-o
hypermail recommends no packages.
hypermail suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 2.2.0.dfsg-2+rm
Dear submitter,
as the package hypermail has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see http://bugs.debian.org/602589
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@debian.org.
Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl (the ftpmaster behind the curtain)
--- End Message ---
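An added example, not part of the bug report above and not hypermail's own code: the output-side fix for the reported class of bug, escaping header-derived text such as the From display name before it is written into an index page. The function names and the index-line markup are hypothetical, and the sample address is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Escape HTML metacharacters from src into dst (cap bytes, NUL included).
 * Returns 0 on success, -1 if the escaped text does not fit. */
int html_escape(const char *src, char *dst, size_t cap)
{
    size_t used = 0;
    for (; *src; src++) {
        const char *rep;
        char one[2] = { *src, '\0' };
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > cap) {      /* refuse to truncate mid-entity */
            if (cap) dst[0] = '\0';
            return -1;
        }
        memcpy(dst + used, rep, n);
        used += n;
    }
    if (cap == 0) return -1;
    dst[used] = '\0';
    return 0;
}
/* Hypothetical index-line writer: every mail-derived field is escaped. */
int render_index_line(const char *from, const char *subject,
                      char *out, size_t cap)
{
    char f[512], s[512];
    if (html_escape(from, f, sizeof f) || html_escape(subject, s, sizeof s))
        return -1;
    int n = snprintf(out, cap, "<li><strong>%s</strong> <em>%s</em></li>", s, f);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void)
{
    char line[1024];
    /* Constructed sample: From value from the report, placeholder address. */
    const char *from = "\"<iframe src=//debian.org>\" <user@example.org>";
    if (render_index_line(from, "hello", line, sizeof line) == 0) puts(line);
    return 0;
}
```

The same escaping has to be applied on every page that echoes the header, including the per-message listing the report mentions, not only the main index.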