Your message dated Tue, 21 Jun 2016 22:31:19 +0200
with message-id <6cd7e653-b5f6-2d44-66d3-3fdbce671...@debian.org>
and subject line cherokee was removed from Debian in 2012
has caused the Debian Bug report #661993,
regarding CVE-2011-2191: persistent CSRF on admin interface
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
661993: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661993
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cherokee
Version: 1.2.101-1
Severity: serious
Tags: security

References:
CVE-2011-2191
https://bugs.launchpad.net/ubuntu/+source/cherokee/+bug/784632
https://bugzilla.redhat.com/show_bug.cgi?id=713304

Please verify whether the issue is still present in the package. A quick
look at admin/PageVServers.py suggests that this is the case, because
the Commit function stores new_nick without any validation. Even though
the value is escaped on some accesses, admin/PageStatus.py Render_Content
does not perform escaping.

Helmut



--- End Message ---
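
The pattern the report above describes (a value stored without validation, escaped on some render paths but not on another), as an added example that is not part of the original messages and is not Cherokee's code. All function names, the allowlist and the sample values are hypothetical and constructed for illustration.

```python
import html
import re

# Hypothetical names throughout: this is not Cherokee's code. It models a
# config store holding a virtual-server nickname and two render paths.
NICK_RE = re.compile(r"[A-Za-z0-9 ._-]{1,64}")  # assumed allowlist

class NickError(ValueError):
    pass

def commit_nick(store, vserver_id, new_nick):
    """Validate on write: only store nicknames matching the allowlist."""
    if not NICK_RE.fullmatch(new_nick):
        raise NickError("nickname contains characters outside the allowlist")
    store[vserver_id] = new_nick

def render_list_row(store, vserver_id):
    """A render path that escapes on output."""
    return "<td>%s</td>" % html.escape(store[vserver_id], quote=True)

def render_status_unescaped(store, vserver_id):
    """The reported pattern: one path emits the stored value raw."""
    return "<h2>%s</h2>" % store[vserver_id]

def render_status(store, vserver_id):
    """Same path with output escaping, so legacy stored values stay inert."""
    return "<h2>%s</h2>" % html.escape(store[vserver_id], quote=True)

def demo():
    # Constructed sample: a value written before validation existed.
    store = {"10": "<b>example</b>"}
    results = {
        "raw": render_status_unescaped(store, "10"),
        "escaped": render_status(store, "10"),
    }
    try:
        commit_nick(store, "20", "<b>example</b>")
        results["rejected"] = False
    except NickError:
        results["rejected"] = True
    commit_nick(store, "20", "www.example.org")
    results["stored"] = store["20"]
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Validation on write and escaping on every render path are both needed: values stored before the validation was added are only made inert by the output escaping.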
--- Begin Message ---
Version: 1.2.101-1+rm

cherokee was last released with Debian 6.0 (squeeze) in
February 2011 and removed from Debian sid/unstable in 2012 (see
http://bugs.debian.org/670298 for details on the removal). Since
support for squeeze and squeeze-LTS has now ended, I'm closing all the
remaining bugs reported against this package.


Andreas

--- End Message ---
