Your message dated Tue, 9 Feb 2021 21:20:31 +0200
with message-id <20210209192031.GA31839@localhost>
and subject line Fixed in 20~git20201216.e48beee+dfsg-1
has caused the Debian Bug report #970633,
regarding tt-rss: CVE-2020-25787 CVE-2020-25788 CVE-2020-25789
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
970633: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970633
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tt-rss
Version: 19.8+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for tt-rss.
CVE-2020-25787[0]:
| An issue was discovered in Tiny Tiny RSS (aka tt-rss) before
| 2020-09-16. It does not validate all URLs before requesting them.
CVE-2020-25788[1]:
| An issue was discovered in Tiny Tiny RSS (aka tt-rss) before
| 2020-09-16. imgproxy in plugins/af_proxy_http/init.php mishandles
| $_REQUEST["url"] in an error message.
CVE-2020-25789[2]:
| An issue was discovered in Tiny Tiny RSS (aka tt-rss) before
| 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG
| document.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-25787
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25787
[1] https://security-tracker.debian.org/tracker/CVE-2020-25788
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25788
[2] https://security-tracker.debian.org/tracker/CVE-2020-25789
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25789
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Version: 20~git20201216.e48beee+dfsg-1
tt-rss (20~git20201216.e48beee+dfsg-1) unstable; urgency=high

  * new upstream snapshot (Closes: #970633)
    - Fixes: CVE-2020-25787, CVE-2020-25788, CVE-2020-25789
...
 -- Sebastian Reichel <s...@debian.org>  Thu, 17 Dec 2020 10:42:00 +0100
--- End Message ---