Hosting Provided By

[SECURITY] [DSA 1486-1] New gnatsweb packages fix cross-site scripting

From: Steve Kemp <skx(at)debian.org>
Date: Tue Feb 05 2008 - 12:09:37 EST

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

------------------------------------------------------------------------ Debian Security Advisory DSA-1486-1 security@debian.org http://www.debian.org/security/ Steve Kemp February 04, 2008 http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : gnatsweb
Vulnerability  : cross-site scripting
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2007-2808
Debian Bug     : 427156

"r0t" discovered that gnatsweb, a web interface to GNU GNATS, did not correctly sanitize the database parameter in the main CGI script. This could allow the injection of arbitrary HTML, or javascript code.

For the stable distribution (etch), this problem has been fixed in version 4.00-1etch1.

We recommend that you upgrade your gnatsweb package.

Upgrade instructions

- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update

will update the internal database apt-get upgrade

Do you need help?

will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch

- -------------------------------

Source archives:

  
http://security.debian.org/pool/updates/main/g/gnatsweb/gnatsweb_4.00-1etch1.dsc
    Size/MD5 checksum:      566 2f4db4f88a4018f68c19598e9b3781e1
  
http://security.debian.org/pool/updates/main/g/gnatsweb/gnatsweb_4.00.orig.tar.gz
    Size/MD5 checksum:    87656 1d715610ea05ad3aa498d20158b01667
  
http://security.debian.org/pool/updates/main/g/gnatsweb/gnatsweb_4.00-1etch1.diff.gz
    Size/MD5 checksum:     2396 82f3180801f111b682a8e94c41c2627c

Architecture independent packages:

http://security.debian.org/pool/updates/main/g/gnatsweb/gnatsweb_4.00-1etch1_all.deb Size/MD5 checksum: 56190 2decb55d6c8e571474b4375394fc14f0

These files will probably be moved into the stable distribution on its next update.

--------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHqJgOwM/Gs81MDZ0RAr5PAJ4qyIYx7LWxsBtH/wSd/mY9iffMPwCfSF1K DcDb53eqirDDP0JmknAt73Q=
=xmAs
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Received on Tue Feb 5 12:16:38 2008

Do you need more help?

This message: [ Message body ]
Next message: Moritz Muehlenhoff: "[SECURITY] [DSA 1480-1] New poppler packages fix several vulnerabilities"
Previous message: dann frazier: "[SECURITY] [DSA 1479-1] New Linux 2.6.18 packages fix several vulnerabilities"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:53:51 EDT