Your message dated Sun, 26 Nov 2023 15:34:09 +0000
with message-id <e1r7h97-004uie...@fasolo.debian.org>
and subject line Bug#1052572: fixed in hoteldruid 3.0.6-1
has caused the Debian Bug report #1052572,
regarding hoteldruid: CVE-2023-43371 CVE-2023-43373 CVE-2023-43374 CVE-2023-43375 CVE-2023-43376 CVE-2023-43377
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
1052572: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052572
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: hoteldruid
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for hoteldruid.

CVE-2023-43371[0]:
| Hoteldruid v3.0.5 was discovered to contain a SQL injection
| vulnerability via the numcaselle parameter at
| /hoteldruid/creaprezzi.php.

CVE-2023-43373[1]:
| Hoteldruid v3.0.5 was discovered to contain a SQL injection
| vulnerability via the n_utente_agg parameter at
| /hoteldruid/interconnessioni.php.

CVE-2023-43374[2]:
| Hoteldruid v3.0.5 was discovered to contain a SQL injection
| vulnerability via the id_utente_log parameter at
| /hoteldruid/personalizza.php.

CVE-2023-43375[3]:
| Hoteldruid v3.0.5 was discovered to contain multiple SQL injection
| vulnerabilities at /hoteldruid/clienti.php via the annonascita,
| annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita,
| and mesescaddoc parameters.

CVE-2023-43376[4]:
| A cross-site scripting (XSS) vulnerability in
| /hoteldruid/clienti.php of Hoteldruid v3.0.5 allows attackers to
| execute arbitrary web scripts or HTML via a crafted payload injected
| into the nometipotariffa1 parameter.

CVE-2023-43377[5]:
| A cross-site scripting (XSS) vulnerability in
| /hoteldruid/visualizza_contratto.php of Hoteldruid v3.0.5 allows
| attackers to execute arbitrary web scripts or HTML via a crafted
| payload injected into the destinatario_email1 parameter.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43371
    https://www.cve.org/CVERecord?id=CVE-2023-43371
[1] https://security-tracker.debian.org/tracker/CVE-2023-43373
    https://www.cve.org/CVERecord?id=CVE-2023-43373
[2] https://security-tracker.debian.org/tracker/CVE-2023-43374
    https://www.cve.org/CVERecord?id=CVE-2023-43374
[3] https://security-tracker.debian.org/tracker/CVE-2023-43375
    https://www.cve.org/CVERecord?id=CVE-2023-43375
[4] https://security-tracker.debian.org/tracker/CVE-2023-43376
    https://www.cve.org/CVERecord?id=CVE-2023-43376
[5] https://security-tracker.debian.org/tracker/CVE-2023-43377
    https://www.cve.org/CVERecord?id=CVE-2023-43377

Please adjust the affected versions in the BTS as needed.

Regards,
Markus
signature.asc
Description: This is a digitally signed message part
--- End Message ---
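The report above lists two vulnerability classes: SQL injection through request parameters that end up inside query text, and reflected XSS through parameters echoed into HTML without encoding. The following is an added example, not code from hoteldruid or from the reporter; it shows each class beside its hardened form using Python's sqlite3 module and html.escape. The table layout, the price query and the HTML fragment are invented for the demonstration; only the parameter names numcaselle and nometipotariffa1 are taken from the CVE descriptions.

```python
"""Vulnerable and hardened handling of two request parameters, modelled on
the vulnerability classes in the CVE descriptions. Added example, not
hoteldruid code: schema, query and markup are invented; numcaselle and
nometipotariffa1 are the parameter names from the advisory."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the application database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE prezzi (numcaselle INTEGER, prezzo REAL)")
    con.execute("CREATE TABLE utenti (nome TEXT, password_hash TEXT)")
    con.executemany(
        "INSERT INTO prezzi VALUES (?, ?)", [(1, 50.0), (2, 90.0), (3, 120.0)]
    )
    con.execute("INSERT INTO utenti VALUES ('admin', 'hash-of-admin-secret')")
    return con


def prezzi_vulnerable(con: sqlite3.Connection, numcaselle: str) -> list:
    """Vulnerable pattern: the untrusted value becomes part of the SQL text,
    so a value such as "2 UNION ALL SELECT ..." rewrites the query."""
    sql = "SELECT prezzo FROM prezzi WHERE numcaselle = " + numcaselle
    return [row[0] for row in con.execute(sql)]


def prezzi_fixed(con: sqlite3.Connection, numcaselle: str) -> list:
    """Hardened form: coerce to the expected type, then bind as a parameter.
    The driver passes the value separately from the SQL, so it cannot change
    the shape of the statement."""
    try:
        n = int(numcaselle)
    except ValueError:
        raise ValueError("numcaselle must be an integer") from None
    rows = con.execute("SELECT prezzo FROM prezzi WHERE numcaselle = ?", (n,))
    return [row[0] for row in rows]


def render_vulnerable(nometipotariffa1: str) -> str:
    """Reflected XSS: the parameter is written straight into the page."""
    return "<td>" + nometipotariffa1 + "</td>"


def render_fixed(nometipotariffa1: str) -> str:
    """Output encoding: escape &, <, >, " and ' before the value reaches HTML."""
    return "<td>" + html.escape(nometipotariffa1, quote=True) + "</td>"


if __name__ == "__main__":
    db = make_db()
    payload = "2 UNION ALL SELECT password_hash FROM utenti"
    print(prezzi_vulnerable(db, payload))  # price row plus the leaked hash
    try:
        prezzi_fixed(db, payload)
    except ValueError as err:
        print("rejected:", err)
    probe = "<script>alert(1)</script>"
    print(render_vulnerable(probe))
    print(render_fixed(probe))
```

The PHP equivalents of the two fixes are prepared statements with bound parameters (PDO or mysqli) for the query side and htmlspecialchars() with ENT_QUOTES for the output side; the thread does not say how upstream 3.0.6 implements its fix, so check the diff rather than assuming either.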
--- Begin Message ---
Source: hoteldruid
Source-Version: 3.0.6-1
Done: Marco Maria Francesco De Santis <ma...@digitaldruid.net>

We believe that the bug you reported is fixed in the latest version of
hoteldruid, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1052...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marco Maria Francesco De Santis <ma...@digitaldruid.net> (supplier of updated hoteldruid package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 03 Nov 2023 10:09:42 +0000
Source: hoteldruid
Architecture: source
Version: 3.0.6-1
Distribution: unstable
Urgency: low
Maintainer: Marco Maria Francesco De Santis <ma...@digitaldruid.net>
Changed-By: Marco Maria Francesco De Santis <ma...@digitaldruid.net>
Closes: 1038251 1052572 1055772
Changes:
 hoteldruid (3.0.6-1) unstable; urgency=low
 .
   * New upstream release
     - Fixes multiple sql injection and XSS vulnerabilities.
       (Ref: CVE-2023-33817, CVE-2023-43371, CVE-2023-34537, CVE-2023-34854,
       CVE-2023-47164, CVE-2022-45592, CVE-2023-43373, CVE-2023-43374,
       CVE-2023-43375, CVE-2023-43376, CVE-2023-43377)
       (Closes: #1038251, #1052572, #1055772)
Checksums-Sha1:
 bdd1a7ca9c1c144837adfcfae48e0fbcd7b9b0a9 2082 hoteldruid_3.0.6-1.dsc
 16091f1880d2ed2682702be47ba17b774907c09f 2053229 hoteldruid_3.0.6.orig.tar.gz
 784c4cd0e2d8cf165e52481e4e134040fff8bcca 833 hoteldruid_3.0.6.orig.tar.gz.asc
 bc8a6f420cdf8a8a546060d5e3bb0fe56624c9c8 43744 hoteldruid_3.0.6-1.debian.tar.xz
Checksums-Sha256:
 df7453d9b48ed0f0061cc26234afa1b75bcc41ac6e0120475fd53a1a37b6abb8 2082 hoteldruid_3.0.6-1.dsc
 db2a58a08f3e87f66e0ed9e7f71bb92863ceaeab963e0c77e222c222e1b25d2e 2053229 hoteldruid_3.0.6.orig.tar.gz
 a44a946abc2cc7131b2e70b9776fe5718ee3c64a836eb10afe9983e15970ce46 833 hoteldruid_3.0.6.orig.tar.gz.asc
 a8a19002a3d0ebb2b8c0a428019ab60745b3eb8f9ee9dcafdcfd1e3cd60e890d 43744 hoteldruid_3.0.6-1.debian.tar.xz
Files:
 d400c82a7ad293f64cd2ee03a44c42a7 2082 web optional hoteldruid_3.0.6-1.dsc
 3e78ccaaa085686d5f191313fb9dbfdf 2053229 web optional hoteldruid_3.0.6.orig.tar.gz
 314147d3f4fbc84c1786d91f2dba100b 833 web optional hoteldruid_3.0.6.orig.tar.gz.asc
 09dec83c08951007ede846ec04759f9d 43744 web optional hoteldruid_3.0.6-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE/d0M/zhkJ3YwohhskWT6HRe9XTYFAmVjYNIACgkQkWT6HRe9
XTbGHA/+Ph5LJFScTgaBqUAKVGC8o+0mYhlWJul69iyCL8l3BnKJmmamtgvjdFHa
jXR3yUauHfQVaFB5So9fMARNLFYFXV25TRz/OJK3lsjeCk90Jrtrm9Y23Lke6MR/
Iw2zACX/pMKTQxI8158D/wwYhSrGSGN9hHO1bRqCziRdoiP/582ziN1vVnB56XzD
i3xedpc6nckJkCCZ3Bp3R4sC/Fx8+ko/3ggTxGS20W5mltgPwc/f13hczvHLT4jI
RIrjkEV0lnlxEMx9zAfxadHeyv/uRQq/79DKTzSQ/J0JnGyBzLVUubU8IARn/Ip+
8TDBpc4lB3HUE+KGaKB3xiUMJ5WqxirLqRGz14fpaftNJx4j1a9q7IR9P3jkyQyI
jsfKlD3Ce3MGmBlzodX1N7fQWFZ8AGvqnER91/8SV2CB5HhHDHcTlljWwnDXenbd
qi26EOApCVuonf0PBKIZJEaz3eQZ2lAgLTyv5mzcrDoSeqYvNZHR7+WRNJ95uQHB
p57jU+TT1HpLf0U9eEfZZqM90bzmDzqgg60yh4UNxGpbfuMz4XbD3eC+wBq6dt4w
8jhEmroZc3SiCZ3o0UHkK4nUpCrv9r0hU8EdF0BSmJ72EKzQheI8VHhyLheF9FMu
705u76Hz/5VD/F31KP1IxnzCMBfwqKAYD8cq21LpYdEREX/J6/w=
=IGAx
-----END PGP SIGNATURE-----
--- End Message ---
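The signed .changes file above lists a size and SHA-256 digest for each file of the 3.0.6-1 upload, which is what a deployer should compare a fetched .dsc or orig tarball against before building from it. The following is an added example, not Debian tooling or hoteldruid code: a small parser for the continuation-line checksum fields that .changes uses, plus the comparison. The embedded excerpt is constructed from the Checksums-Sha256 values in the message above; the file names and function names are this example's own.

```python
"""Check a downloaded Debian source artefact against the Checksums-Sha256
field of its .changes file. Added example, not Debian or hoteldruid code.
The excerpt below is constructed from the hoteldruid_3.0.6-1 upload."""
import hashlib
import re

CHANGES_EXCERPT = """\
Format: 1.8
Source: hoteldruid
Version: 3.0.6-1
Checksums-Sha256:
 df7453d9b48ed0f0061cc26234afa1b75bcc41ac6e0120475fd53a1a37b6abb8 2082 hoteldruid_3.0.6-1.dsc
 db2a58a08f3e87f66e0ed9e7f71bb92863ceaeab963e0c77e222c222e1b25d2e 2053229 hoteldruid_3.0.6.orig.tar.gz
 a44a946abc2cc7131b2e70b9776fe5718ee3c64a836eb10afe9983e15970ce46 833 hoteldruid_3.0.6.orig.tar.gz.asc
 a8a19002a3d0ebb2b8c0a428019ab60745b3eb8f9ee9dcafdcfd1e3cd60e890d 43744 hoteldruid_3.0.6-1.debian.tar.xz
Files:
 d400c82a7ad293f64cd2ee03a44c42a7 2082 web optional hoteldruid_3.0.6-1.dsc
"""

# One continuation line of a checksum field: <hex digest> <size> <filename>
_ENTRY = re.compile(r"^\s+([0-9a-f]+)\s+(\d+)\s+(\S+)$")


def parse_checksums(changes_text: str, field: str = "Checksums-Sha256") -> dict:
    """Return {filename: (digest_hex, size)} for one checksum field.

    .changes is RFC 822 style: a field starts at column 0 and its entries
    are the indented lines that follow. Only the requested field is read,
    and a malformed entry raises instead of being skipped silently."""
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not line.startswith((" ", "\t")):
            in_field = line.rstrip() == field + ":"
            continue
        if not in_field:
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError("malformed checksum line: %r" % line)
        digest, size, name = m.groups()
        entries[name] = (digest, int(size))
    return entries


def verify_bytes(data: bytes, expected_sha256: str, expected_size: int) -> bool:
    """True only when both length and SHA-256 digest match. The length check
    is cheap and catches a truncated download before any hashing is done."""
    if len(data) != expected_size:
        return False
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def verify_file(path: str, entries: dict) -> bool:
    """Hash a downloaded artefact and compare it with its .changes entry."""
    name = path.rsplit("/", 1)[-1]
    if name not in entries:
        raise KeyError("%s is not listed in the .changes file" % name)
    digest, size = entries[name]
    with open(path, "rb") as fh:
        return verify_bytes(fh.read(), digest, size)


if __name__ == "__main__":
    for name, (digest, size) in parse_checksums(CHANGES_EXCERPT).items():
        print("%-40s %9d %s" % (name, size, digest))
```

The digests are only as trustworthy as the signature over them: run `gpg --verify` on the .changes (and on the .dsc) against the Debian keyring before treating the sums as authoritative, otherwise a substituted .changes would simply carry matching sums for a substituted tarball.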