Debian Bug report logs - #328224
gforge: Possible security vulnerabilities


Package: gforge; Maintainer for gforge is Roland Mas <lolando@debian.org>; Source for gforge is src:fusionforge.

Reported by: Martin Pitt <mpitt@debian.org>

Date: Wed, 14 Sep 2005 08:48:02 UTC

Severity: important

Tags: fixed-in-experimental, security

Found in version gforge/3.1-31

Fixed in versions gforge/4.5.14-9, gforge/3.1-31sarge1

Done: Roland Mas <lolando@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Roland Mas <lolando@debian.org>:
Bug#328224; Package gforge.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
New Bug report received and forwarded. Copy sent to Roland Mas <lolando@debian.org>.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Debian BTS Submit <submit@bugs.debian.org>
Subject: gforge: Possible security vulnerabilities
Date: Wed, 14 Sep 2005 10:36:19 +0200
Package: gforge
Version: 3.1-31
Severity: important
Tags: security

Hi Roland!

http://marc.theaimsgroup.com/?l=bugtraq&m=112259845904350&w=2
describes two vulns in GForge 4.5: Multiple cross-site scripting
(CAN-2005-2430) and mail bomb (CAN-2005-2431).

Can you please check whether 3.1 is also affected by these? I left the
severity at important since I did not check myself. Please raise as
appropriate.

Please also add the CAN numbers to the changelog if you fix this.

Thanks and have a nice day,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

Tags added: fixed-in-experimental Request was from Roland Mas <lolando@debian.org> to control@bugs.debian.org.

Reply sent to Roland Mas <lolando@debian.org>:
You have taken responsibility.

Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer.

Message #12 received at 328224-close@bugs.debian.org (full text, mbox):

From: Roland Mas <lolando@debian.org>
To: 328224-close@bugs.debian.org
Subject: Bug#328224: fixed in gforge 4.5.14-9
Date: Sat, 22 Jul 2006 08:02:10 -0700
Source: gforge
Source-Version: 4.5.14-9

We believe that the bug you reported is fixed in the latest version of
gforge, which is due to be installed in the Debian FTP archive:

gforge-common_4.5.14-9_all.deb
  to pool/main/g/gforge/gforge-common_4.5.14-9_all.deb
gforge-db-postgresql_4.5.14-9_all.deb
  to pool/main/g/gforge/gforge-db-postgresql_4.5.14-9_all.deb
gforge-dns-bind9_4.5.14-9_all.deb
  to pool/main/g/gforge/gforge-dns-bind9_4.5.14-9_all.deb
gforge-ftp-proftpd_4.5.14-9_all.deb
  to pool/main/g/gforge/gforge-ftp-proftpd_4.5.14-9_all.deb
gforge-ldap-openldap_4.5.14-9_all.deb
  to pool/main/g/gforge/gforge-ldap-openldap_4.5.14-9_all.deb
gforge-lists-mailman_4.5.14-9_all.deb
  to pool/main/g/gforge/gforge-lists-mailman_4.5.14-9_all.deb
gforge-mta-courier_4.5.14-9_all.deb
  to pool/main/g/gforge/gforge-mta-courier_4.5.14-9_all.deb
gforge-mta-exim4_4.5.14-9_all.deb
  to pool/main/g/gforge/gforge-mta-exim4_4.5.14-9_all.deb
gforge-mta-exim_4.5.14-9_all.deb
  to pool/main/g/gforge/gforge-mta-exim_4.5.14-9_all.deb
gforge-mta-postfix_4.5.14-9_all.deb
  to pool/main/g/gforge/gforge-mta-postfix_4.5.14-9_all.deb
gforge-shell-ldap_4.5.14-9_all.deb
  to pool/main/g/gforge/gforge-shell-ldap_4.5.14-9_all.deb
gforge-shell-postgresql_4.5.14-9_all.deb
  to pool/main/g/gforge/gforge-shell-postgresql_4.5.14-9_all.deb
gforge-web-apache_4.5.14-9_all.deb
  to pool/main/g/gforge/gforge-web-apache_4.5.14-9_all.deb
gforge_4.5.14-9.diff.gz
  to pool/main/g/gforge/gforge_4.5.14-9.diff.gz
gforge_4.5.14-9.dsc
  to pool/main/g/gforge/gforge_4.5.14-9.dsc
gforge_4.5.14-9_all.deb
  to pool/main/g/gforge/gforge_4.5.14-9_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 328224@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Mas <lolando@debian.org> (supplier of updated gforge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sat, 22 Jul 2006 16:43:57 +0200
Source: gforge
Binary: gforge-lists-mailman gforge-db-postgresql gforge-mta-postfix gforge-shell-ldap gforge gforge-common gforge-web-apache gforge-mta-exim gforge-mta-courier gforge-ftp-proftpd gforge-shell-postgresql gforge-mta-exim4 gforge-dns-bind9 gforge-ldap-openldap
Architecture: source all
Version: 4.5.14-9
Distribution: unstable
Urgency: low
Maintainer: Roland Mas <lolando@debian.org>
Changed-By: Roland Mas <lolando@debian.org>
Description: 
 gforge     - collaborative development tool - meta-package
 gforge-common - collaborative development tool - shared files
 gforge-db-postgresql - collaborative development tool - database (using PostgreSQL)
 gforge-dns-bind9 - collaborative development tool - DNS management (using Bind9)
 gforge-ftp-proftpd - collaborative development tool - FTP management (using ProFTPd)
 gforge-ldap-openldap - collaborative development tool - LDAP directory (using OpenLDAP)
 gforge-lists-mailman - collaborative development tool - mailing-lists (using Mailman)
 gforge-mta-courier - collaborative development tool - mail tools (using Courier)
 gforge-mta-exim - collaborative development tool - mail tools (using Exim)
 gforge-mta-exim4 - collaborative development tool - mail tools (using Exim 4)
 gforge-mta-postfix - collaborative development tool - mail tools (using Postfix)
 gforge-shell-ldap - collaborative development tool - shell accounts (using LDAP)
 gforge-shell-postgresql - collaborative development tool - shell accounts (using PostgreSQL)
 gforge-web-apache - collaborative development tool - web part (using Apache)
Closes: 242186 311791 328224 331835 339646 339878 354591 358241 373554 374384 375529 375863 376155 376163 376284
Changes: 
 gforge (4.5.14-9) unstable; urgency=low
 .
   * [Roland] Uploading to unstable.  This means the bugs that were fixed
     during the experimental phase can now be closed (closes: #358241,
     #328224, #375863, #331835, #339646, #374384, #373554, #242186,
     #376155, #311791, #339878, #354591).
   * [Roland] fix-lists-url.dpatch: Fixed URL patterns for Mailman pages
     (closes: #375529).  By using the appropriate URLs, rather than messing
     with Mailman's configuration.  Adapted the Apache config accordingly.
   * [Roland] Fixed Postfix configuration (closes: #376284).
   * [Roland] Removed versioned dependencies on virtual packages, by
     keeping only the existing packages (closes: #376163).  If new
     alternatives appear (for new MTAs or mailing-list managers or anything
     else), I'll be glad to add them in the control file.
   * [Roland] Applied patch from Julien Cristau
     <julien.cristau@ens-lyon.org>, whereby sql2ldif.pl now uses the SQL
     views rather than duplicating their code.
Files: 


Reply sent to Roland Mas <lolando@debian.org>:
You have taken responsibility.

Notification sent to Martin Pitt <mpitt@debian.org>:
Bug acknowledged by developer.

Message #17 received at 328224-close@bugs.debian.org (full text, mbox):

From: Roland Mas <lolando@debian.org>
To: 328224-close@bugs.debian.org
Subject: Bug#328224: fixed in gforge 3.1-31sarge1
Date: Wed, 30 Aug 2006 23:02:03 -0700
Source: gforge
Source-Version: 3.1-31sarge1

We believe that the bug you reported is fixed in the latest version of
gforge, which is due to be installed in the Debian FTP archive:

gforge-common_3.1-31sarge1_all.deb
  to pool/main/g/gforge/gforge-common_3.1-31sarge1_all.deb
gforge-cvs_3.1-31sarge1_all.deb
  to pool/main/g/gforge/gforge-cvs_3.1-31sarge1_all.deb
gforge-db-postgresql_3.1-31sarge1_all.deb
  to pool/main/g/gforge/gforge-db-postgresql_3.1-31sarge1_all.deb
gforge-dns-bind9_3.1-31sarge1_all.deb
  to pool/main/g/gforge/gforge-dns-bind9_3.1-31sarge1_all.deb
gforge-ftp-proftpd_3.1-31sarge1_all.deb
  to pool/main/g/gforge/gforge-ftp-proftpd_3.1-31sarge1_all.deb
gforge-ldap-openldap_3.1-31sarge1_all.deb
  to pool/main/g/gforge/gforge-ldap-openldap_3.1-31sarge1_all.deb
gforge-lists-mailman_3.1-31sarge1_all.deb
  to pool/main/g/gforge/gforge-lists-mailman_3.1-31sarge1_all.deb
gforge-mta-exim4_3.1-31sarge1_all.deb
  to pool/main/g/gforge/gforge-mta-exim4_3.1-31sarge1_all.deb
gforge-mta-exim_3.1-31sarge1_all.deb
  to pool/main/g/gforge/gforge-mta-exim_3.1-31sarge1_all.deb
gforge-mta-postfix_3.1-31sarge1_all.deb
  to pool/main/g/gforge/gforge-mta-postfix_3.1-31sarge1_all.deb
gforge-shell-ldap_3.1-31sarge1_all.deb
  to pool/main/g/gforge/gforge-shell-ldap_3.1-31sarge1_all.deb
gforge-sourceforge-transition_3.1-31sarge1_all.deb
  to pool/main/g/gforge/gforge-sourceforge-transition_3.1-31sarge1_all.deb
gforge-web-apache_3.1-31sarge1_all.deb
  to pool/main/g/gforge/gforge-web-apache_3.1-31sarge1_all.deb
gforge_3.1-31sarge1.diff.gz
  to pool/main/g/gforge/gforge_3.1-31sarge1.diff.gz
gforge_3.1-31sarge1.dsc
  to pool/main/g/gforge/gforge_3.1-31sarge1.dsc
gforge_3.1-31sarge1_all.deb
  to pool/main/g/gforge/gforge_3.1-31sarge1_all.deb
sourceforge_3.1-31sarge1_all.deb
  to pool/main/g/gforge/sourceforge_3.1-31sarge1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 328224@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Mas <lolando@debian.org> (supplier of updated gforge package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Tue, 30 May 2006 20:50:53 +0200
Source: gforge
Binary: gforge-lists-mailman gforge-db-postgresql sourceforge gforge-mta-postfix gforge-sourceforge-transition gforge-shell-ldap gforge gforge-common gforge-web-apache gforge-mta-exim gforge-cvs gforge-ftp-proftpd gforge-mta-exim4 gforge-dns-bind9 gforge-ldap-openldap
Architecture: source all
Version: 3.1-31sarge1
Distribution: stable-security
Urgency: high
Maintainer: Roland Mas <lolando@debian.org>
Changed-By: Roland Mas <lolando@debian.org>
Description: 
 gforge     - Collaborative development tool - meta-package
 gforge-common - Collaborative development tool - shared files
 gforge-cvs - Collaborative development tool - CVS management
 gforge-db-postgresql - Collaborative development tool - database (using PostgreSQL)
 gforge-dns-bind9 - Collaborative development tool - DNS management (using Bind9)
 gforge-ftp-proftpd - Collaborative development tool - FTP management (using ProFTPd)
 gforge-ldap-openldap - Collaborative development tool - LDAP directory (using OpenLDAP)
 gforge-lists-mailman - Collaborative development tool - mailing-lists (using Mailman)
 gforge-mta-exim - Collaborative development tool - mail tools (using Exim)
 gforge-mta-exim4 - Collaborative development tool - mail tools (using Exim 4)
 gforge-mta-postfix - Collaborative development tool - mail tools (using Postfix)
 gforge-shell-ldap - Collaborative development tool - shell accounts (using LDAP)
 gforge-sourceforge-transition - Sourceforge to Gforge data transition
 gforge-web-apache - Collaborative development tool - web part (using Apache)
 sourceforge - Empty package to help with Sourceforge to Gforge transition
Closes: 328224
Changes: 
 gforge (3.1-31sarge1) stable-security; urgency=high
 .
   * Backported XSS vulnerabilities (CVE-2005-2430) fix from the upstream
     4.5 to 4.5.0.1 diff (Closes: #328224).
Files: 


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 22:32:53 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 17:03:22 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.