Your message dated Sun, 15 Oct 2006 11:17:42 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#392501: fixed in torrentflux 2.1-4
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: torrentflux
Version: 2.1-1
Severity: normal
Tags: patch

*** Please type your report below this line ***

As reported, torrentflux has a minor XSS vulnerability.  Patch attached.

http://www.stevenroddis.com.au/2006/10/06/torrentflux-user-agent-xss-vulnerability/


diff -u torrentflux-2.1/debian/patches/00list 
torrentflux-2.1/debian/patches/00list

--- torrentflux-2.1/debian/patches/00list

+++ torrentflux-2.1/debian/patches/00list

@@ -4,0 +5 @@

+05_sanitize_html_entities.dpatch

only in patch2:

unchanged:

--- torrentflux-2.1.orig/debian/patches/05_sanitize_html_entities.dpatch

+++ torrentflux-2.1/debian/patches/05_sanitize_html_entities.dpatch

@@ -0,0 +1,26 @@

+#! /bin/sh /usr/share/dpatch/dpatch-run

+## 05_sanitize_html_entities.dpatch by Kees Cook <[EMAIL PROTECTED]>

+##

+## All lines beginning with `## DP:' are a description of the patch.

+## DP: 
http://www.stevenroddis.com.au/2006/10/06/torrentflux-user-agent-xss-vulnerability/

+

[EMAIL PROTECTED]@

+diff -urNad torrentflux-2.1~/html/admin.php torrentflux-2.1/html/admin.php

+--- torrentflux-2.1~/html/admin.php    2006-04-05 21:30:09.000000000 -0700

++++ torrentflux-2.1/html/admin.php     2006-10-11 14:47:45.938332988 -0700

+@@ -322,7 +322,7 @@

+             $user_icon = "images/user.gif";

+         }

+ 

+-        $ip_info = $ip_resolved."<br>".$user_agent;

++        $ip_info = 
htmlentities($ip_resolved)."<br>".htmlentities($user_agent);

+ 

+         $output .= "<tr>";

+         if (IsUser($user_id))

+@@ -2164,4 +2164,4 @@

+ //****************************************************************************

+ //****************************************************************************

+ 

+-?>

+\ No newline at end of file

++?>
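Review bot: In the admin.php `@@ -322,7 +322,7 @@` hunk, both `htmlentities()` calls are made without a quote_style argument, so the PHP default (ENT_COMPAT) leaves single quotes unencoded; that is adequate here because `$ip_info` is emitted as element text inside the `<tr>` row, but `htmlentities($ip_resolved, ENT_QUOTES)."<br>".htmlentities($user_agent, ENT_QUOTES)` would keep the escaping correct if the value is ever reused inside a quoted attribute, and passing an explicit charset avoids depending on the interpreter's default encoding. Escaping `$ip_resolved` as well as `$user_agent` is the right call, since the reverse-DNS name is also remotely influenced. The second nested hunk (`@@ -2164,4 +2164,4 @@`) only restores the missing newline after the closing `?>` and is unrelated to the XSS fix; a short mention in the `## DP:` description would make that clear to anyone reading the dpatch later.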





-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-10-generic
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)



--- End Message ---
--- Begin Message ---
Source: torrentflux
Source-Version: 2.1-4

We believe that the bug you reported is fixed in the latest version of
torrentflux, which is due to be installed in the Debian FTP archive:

torrentflux_2.1-4.diff.gz
  to pool/main/t/torrentflux/torrentflux_2.1-4.diff.gz
torrentflux_2.1-4.dsc
  to pool/main/t/torrentflux/torrentflux_2.1-4.dsc
torrentflux_2.1-4_all.deb
  to pool/main/t/torrentflux/torrentflux_2.1-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Cameron Dale <[EMAIL PROTECTED]> (supplier of updated torrentflux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 14 Oct 2006 15:40:03 -0700
Source: torrentflux
Binary: torrentflux
Architecture: source all
Version: 2.1-4
Distribution: unstable
Urgency: medium
Maintainer: Cameron Dale <[EMAIL PROTECTED]>
Changed-By: Cameron Dale <[EMAIL PROTECTED]>
Description: 
 torrentflux - web based, feature-rich BitTorrent download manager
Closes: 392501 392601
Changes: 
 torrentflux (2.1-4) unstable; urgency=medium
 .
   * Fix minor XSS vulnerability in admin.php (Closes: #392501)
   * Update the printed version number to match the website (Closes: #392601)
   * Fix http_query_builder() error in SearchEngineBase.php
   * Update the search engines from the forums
   * Add new search engines from the forums
Files: 
 4d8b4c81f6823c60417c8ca27c7d57aa 629 web optional torrentflux_2.1-4.dsc
 888a222bb634f0566954e878ebad6c4a 35702 web optional torrentflux_2.1-4.diff.gz
 d0fdc29b83f52b08eb250c7563c2896a 429930 web optional torrentflux_2.1-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFMnqd9n4qXRzy1ioRAgVNAJ9ap44ZixRuVf9YhlIm70mua5faxwCePJuG
svuFfSkE58gzrfSM8NmJfx8=
=wFzB
-----END PGP SIGNATURE-----


--- End Message ---