Your message dated Thu, 03 Nov 2011 10:32:10 +0000
with message-id <e1rluag-0000wx...@franck.debian.org>
and subject line Bug#646865: fixed in backuppc 3.2.1-2
has caused the Debian Bug report #646865,
regarding backuppc: [PATCH] fix related issue to CVE-2011-3361 in CGI/View.pm
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
646865: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646865
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: backuppc
Version: 3.2.1-1
Severity: grave
Tags: patch security
Justification: user security hole
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu precise ubuntu-patch
In Ubuntu, the attached patch was applied to achieve the following:
* SECURITY UPDATE: XSS in CGI/View.pm
- lib/BackupPC/CGI/View.pm: update to verify backup number is numeric
- CVE-2011-XXXX
A CVE was requested on oss-security:
http://www.openwall.com/lists/oss-security/2011/10/27/8
Thanks for considering the patch.
-- System Information:
Debian Release: wheezy/sid
APT prefers oneiric-updates
APT policy: (500, 'oneiric-updates'), (500, 'oneiric-security'), (500, 'oneiric')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-12-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u backuppc-3.2.1/debian/changelog backuppc-3.2.1/debian/changelog
diff -u backuppc-3.2.1/lib/BackupPC/CGI/View.pm backuppc-3.2.1/lib/BackupPC/CGI/View.pm
--- backuppc-3.2.1/lib/BackupPC/CGI/View.pm
+++ backuppc-3.2.1/lib/BackupPC/CGI/View.pm
@@ -46,7 +46,7 @@
my $compress = 0;
my $fh;
my $host = $In{host};
- my $num = $In{num};
+ my $num = ${EscHTML($In{num})};
my $type = $In{type};
my $linkHosts = 0;
my($file, $comment);
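Review bot: the hunk at `my $num = ${EscHTML($In{num})};` does not do what the accompanying changelog entry claims ("verify backup number is numeric"); it HTML-escapes the `num` parameter, which keeps it from being rendered as markup in the View page but still lets any non-numeric value flow on into the backup lookups that follow. If the intent is validation rather than output escaping, reject the request up front instead, e.g. `if ( $In{num} !~ /^\d+$/ ) { ErrorExit("Bad backup number"); }` (error-handling call name assumed to match the module's existing convention), and keep `EscHTML` only at the points where `$num` is interpolated into HTML. Also note that the `diff -u .../debian/changelog` header above carries no hunk body, so the changelog text this fixes against is not visible in the report.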
--- End Message ---
--- Begin Message ---
Source: backuppc
Source-Version: 3.2.1-2
We believe that the bug you reported is fixed in the latest version of
backuppc, which is due to be installed in the Debian FTP archive:
backuppc_3.2.1-2.diff.gz
to main/b/backuppc/backuppc_3.2.1-2.diff.gz
backuppc_3.2.1-2.dsc
to main/b/backuppc/backuppc_3.2.1-2.dsc
backuppc_3.2.1-2_i386.deb
to main/b/backuppc/backuppc_3.2.1-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 646...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ludovic Drolez <ldro...@debian.org> (supplier of updated backuppc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Thu, 02 Nov 2011 11:03:38 +0100
Source: backuppc
Binary: backuppc
Architecture: source i386
Version: 3.2.1-2
Distribution: unstable
Urgency: high
Maintainer: Ludovic Drolez <ldro...@debian.org>
Changed-By: Ludovic Drolez <ldro...@debian.org>
Description:
backuppc - high-performance, enterprise-grade system for backing up PCs
Closes: 646865
Changes:
backuppc (3.2.1-2) unstable; urgency=high
.
* Really fix CVE-2011-3361. Closes: #646865
--- End Message ---