Thanks a lot for having sorted it out! Should I prepare a security upload aimed at sarge, or will the security team handle it? I must say I'm not very used to security uploads (this one being almost my first).

I can have it ready in a couple of minutes if needed, as the patch is ready.

On Mon 16 January 2006 18:31, Thijs Kinkhorst wrote:
> Hello Pierre & security team,
>
> While this issue has been addressed in unstable before the holidays,
> CVE-2005-3334 (multiple xss in flyspray) is still open in sarge. I've
> taken the liberty to prepare a patch and updated packages.
>
> In short:
> Taken patch from sid(/upstream), updated it to match the style of the
> similar checks in that file in 0.9.7 so it's minimally intrusive.
> Verified that issue is solved.
>
> Patch: attached.
> Packages: http://www.a-eskwadraat.nl/~kink/flyspray/
>
>
> Possible advisory text:
> =====
> Package        : flyspray
> Vulnerability  : missing input sanitising
> Problem-Type   : remote
> Debian-specific: no
> CVE ID         : CVE-2005-3334
> Debian Bug     : 335997
>
> Lostmon has discovered cross site scripting vulnerabilities in
> multiple parameters of flyspray, a lightweight bug tracking system,
> which allows attackers to insert arbitrary script code into the
> index.php page.
>
> The old stable distribution (woody) does not contain flyspray.
>
> For the stable distribution (sarge) this problem has been fixed in
> version 0.9.7-2.1.
>
> For the testing (etch) and unstable distribution (sid) this problem
> has been fixed in version 0.9.8-6.
> ======
>
> Let me know if you need any more information.
>
>
> bye,
> Thijs

-- 
·O·  Pierre Habouzit
··O  [EMAIL PROTECTED]
OOO  http://www.madism.org
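The bug class the advisory describes, a request parameter echoed into index.php without output encoding, shown as an added illustration. This is not flyspray's code and not the attached patch; the parameter name `search`, the input field and the payload are all made up for the example, and it uses current PHP syntax rather than anything tied to the sarge packages.

```php
<?php
// Added illustration of "missing input sanitising" leading to reflected
// cross-site scripting. NOT flyspray's code and NOT the attached patch;
// the "search" parameter and the markup are hypothetical.

// Vulnerable pattern: the raw parameter is concatenated into the HTML
// response. A value such as "><script>...</script> closes the attribute
// and the script runs in the browser of whoever follows the link.
function render_unsafe(array $get): string
{
    $q = (string)($get['search'] ?? '');
    return '<input type="text" name="search" value="' . $q . '">';
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES also escapes single quotes, so the value is safe inside
// either attribute quoting style; ENT_SUBSTITUTE avoids returning an
// empty string on malformed UTF-8; the charset is stated explicitly.
function render_safe(array $get): string
{
    $q = htmlspecialchars(
        (string)($get['search'] ?? ''),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<input type="text" name="search" value="' . $q . '">';
}

// Regression check of the kind "verified that issue is solved" implies:
// no tag or attribute-breaking characters from the parameter may survive
// into the encoded output.
function fix_holds(array $get): bool
{
    $out = render_safe($get);
    return strpos($out, '<script') === false
        && strpos($out, '">') === strrpos($out, '">') // only the closing of our own attribute
        && strpos($out, '&quot;&gt;&lt;script&gt;') !== false;
}

// Constructed request (not a real flyspray URL) that breaks out of the
// value attribute and injects a script element.
$payload = ['search' => '"><script>alert(document.cookie)</script>'];

echo "unsafe: " . render_unsafe($payload) . "\n";
echo "safe:   " . render_safe($payload) . "\n";
echo "fix holds: " . (fix_holds($payload) ? 'yes' : 'no') . "\n";
```

Run with `php example.php`. The point for a backport like the one discussed above is that the fix belongs at every place a request parameter reaches the page, which is why the quoted message talks about matching "the similar checks in that file": a single missed parameter leaves the advisory's issue open.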