Processing commands for cont...@bugs.debian.org:
> severity 703294 important
Bug #703294 [src:davical] davical: fopen mess in caldav.php
Severity set to 'important' from 'grave'
> thanks
Stopping processing here.
Please contact me if you need assistance.
--
703294: http://bugs.debian.org/cgi-bin
Processing commands for cont...@bugs.debian.org:
> severity 703290 important
Bug #703290 [davical] davical: possible code insertion or XSS
Severity set to 'important' from 'grave'
> stop
Stopping processing here.
Please contact me if you need assistance.
--
703290: http://bugs.debian.org/cgi-bin
severity 703290 important
stop
On Tue, 2013-03-19 at 10:20 +1300, Andrew McMillan wrote:
> Is there any way to do an XSS exploit in 12 characters? If not, then I
> don't think this is 'grave'.
Unless someone from the security or release team complains I've set the
severity to important.
Some DD
On Mon, 2013-03-18 at 18:46 +0100, Moritz Muehlenhoff wrote:
> On Mon, Mar 18, 2013 at 07:43:09PM +1300, Andrew McMillan wrote:
> > I guess I'm listed as 'upstream' for DAViCal as well as being the DD
> > responsible for the package. Unfortunately I have no time to do either
> > job for the forese
Processing commands for cont...@bugs.debian.org:
> tags 703290 + patch
Bug #703290 [davical] davical: possible code insertion or XSS
Added tag(s) patch.
> stop
Stopping processing here.
Please contact me if you need assistance.
--
703290: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703290
D
tags 703290 + patch
stop
Attached is a little patch for point (2) based on Andrew's idea, it uses
htmlentities() to masquerade any evil stuff.
a) Can someone check whether this is enough? (Guess so).
If someone NMUs, please don't close this bug though, just lower the
severity, as I currently abuse
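As an added illustration of the kind of fix discussed above (this is example code, not the attached patch and not DAViCal's own code): a PHP helper around htmlentities() together with the flag caveat that decides whether such a call is "enough". The variable names, the sample input and the attribute markup are constructed for the example.

```php
<?php
// Added example, not the patch from the thread: output escaping with
// htmlentities() and why the flags matter for an XSS fix.

/**
 * Escape a string for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES also converts single quotes; before PHP 8.1 the default flags
 * (ENT_COMPAT | ENT_HTML401) leave them untouched, so passing the flags
 * explicitly gives the same behaviour on every PHP version.
 * ENT_SUBSTITUTE keeps invalid UTF-8 from silently turning into "".
 */
function esc(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render a text input whose value comes from untrusted data (for instance
 * a form field echoed back by a setup page). Field name is an assumption.
 * Returns the markup so it can be inspected or tested.
 */
function render_field(string $name, string $value): string
{
    // Double-quoted attribute plus esc(): both quote kinds and < > & are
    // converted, so the value cannot break out of the attribute.
    return '<input type="text" name="' . esc($name) . '" value="' . esc($value) . '">';
}

// Constructed sample input containing characters that matter for escaping.
$input = "O'Brien & Sons <b>";

// Weak: default flags on pre-8.1 PHP do not touch the single quote, so a
// single-quoted attribute would still be terminated by it.
$weak = "<input type='text' name='host' value='" . htmlentities($input) . "'>";

// Hardened: the quote becomes &#039;, the rest becomes &amp;, &lt;, &gt;.
$safe = render_field('host', $input);

echo $weak, "\n", $safe, "\n";
```

When reviewing a patch like the attached one, the check is therefore twofold: that every place the value is echoed goes through the helper, and that the helper is called with ENT_QUOTES and an explicit charset rather than the version-dependent defaults.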
On Mon, 2013-03-18 at 18:46 +0100, Moritz Muehlenhoff wrote:
> Should we rather drop davical from Wheezy, then?
I personally would say this is not necessary...
First let me repeat... I've only reported these things in the Debian
BTS, as the "upstream" BTS is not working and as I knew that
up
On Mon, Mar 18, 2013 at 07:43:09PM +1300, Andrew McMillan wrote:
> I guess I'm listed as 'upstream' for DAViCal as well as being the DD
> responsible for the package. Unfortunately I have no time to do either
> job for the foreseeable future.
Should we rather drop davical from Wheezy, then?
We
Hi.
On Mon, 2013-03-18 at 19:43 +1300, Andrew McMillan wrote:
> Also worth noting that there is a (non-default) configuration setting
> that restricts the availability of setup.php to only administrators.
Ok.. perhaps changing this to be the default is the solution...
> I guess I'm listed as '
Also worth noting that there is a (non-default) configuration setting
that restricts the availability of setup.php to only administrators.
I guess I'm listed as 'upstream' for DAViCal as well as being the DD
responsible for the package. Unfortunately I have no time to do either
job for the forese
Package: davical
Version: 1.1.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi.
Marking this as grave for now, so that the security team gets notified
and can have a look whether this is more serious.
I personally think it's not that serious and the checking secu