Debian Bug report logs - #448690
CVE-2007-5695: possible security problem
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Wed, 31 Oct 2007 06:42:01 UTC
Severity: normal
Tags: security
Fixed in versions sitebar/3.3.8-12.1, sitebar/3.3.8-7etch1
Done: Steffen Joeris <white@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>:
Bug#448690; Package sitebar.
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Kevin Coyner <kcoyner@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: sitebar
Severity: normal
Tags: security
Hi
The following CVE[0] has been issued against sitebar.
CVE-2007-5695:
command.php in SiteBar 3.3.8 allows remote attackers to redirect users
to arbitrary web sites via the forward parameter in a Log In action.
Please remember to mention the CVE number in your changelog, when you
fix this bug.
Thanks for your efforts.
Cheers
Steffen
[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5695
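The CVE text quoted above describes an open redirect: the Log In action takes a caller-supplied forward parameter and sends the browser there after authentication, so a link to the genuine SiteBar login page can still land the victim on an attacker's site. Neither SiteBar's code nor the fix appears in this bug log, so the following is an added example of the validation a practitioner would apply to such a parameter. It is not SiteBar's or Debian's code, and it is written in Python for illustration although SiteBar itself is PHP. The host name APP_HOST, the function names and the sample inputs are all assumptions made for the example.

```python
from urllib.parse import urlsplit

# Hypothetical host of the SiteBar instance. A real application would take
# this from its own configuration, never from the request.
APP_HOST = "bookmarks.example.org"


def safe_forward(forward, default="/"):
    """Reduce a user-supplied 'forward' value to a same-site redirect target.

    Only two shapes are accepted:
      * an absolute-path reference such as "/index.php?w=1"
      * an absolute http(s) URL whose host is exactly APP_HOST, which is
        reduced to its path, query and fragment
    Everything else (foreign hosts, protocol-relative "//host", backslash
    variants, non-http schemes, CR/LF) collapses to `default`, so the
    browser can never be sent off-site through this parameter.
    """
    if forward is None:
        return default
    candidate = forward.strip()
    if not candidate:
        return default
    # CR/LF or other control characters would let the value inject extra
    # headers into the Location: response; refuse them outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return default
    # Browsers treat "\" like "/" in the authority part ("/\evil" == "//evil"),
    # so normalise before parsing instead of trusting the raw string.
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: require a path starting with exactly one "/".
        # "//host" and "///host" are both treated as an authority by browsers.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default

    if parts.scheme in ("http", "https") and parts.hostname == APP_HOST:
        # Same host: keep only the path part so that host and port are never
        # echoed back from attacker-controlled input.
        path = parts.path or "/"
        if not path.startswith("/") or path.startswith("//"):
            return default
        target = path
        if parts.query:
            target += "?" + parts.query
        if parts.fragment:
            target += "#" + parts.fragment
        return target

    return default


def login_redirect(forward):
    """What a login handler would emit after successful authentication:
    a 302 whose Location header is derived only from safe_forward()."""
    return 302, {"Location": safe_forward(forward)}


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real SiteBar deployment.
    for f in ["/index.php?w=1",
              "http://evil.example.net/login",
              "//evil.example.net/",
              "/\\evil.example.net",
              "https://bookmarks.example.org/index.php?w=2",
              "https://bookmarks.example.org@evil.example.net/",
              "javascript:alert(1)",
              "/index.php\r\nSet-Cookie: sid=x"]:
        print(repr(f), "->", login_redirect(f))
```

The design choice worth copying is that the handler never echoes a host back at all: anything that is not an absolute path on the application's own host is reduced to that path or replaced by the default, which also removes the userinfo ("host@evil") and subdomain-suffix ("host.evil") tricks that a plain prefix check on the string would miss.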
Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>:
Bug#448690; Package sitebar.
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>.
Message #10 received at 448690@bugs.debian.org:
Hi
Attached you will find a patch, which should address the sitebar security
issues. Of course, just packaging the new upstream version should fix the
problem, but I think I filtered all the stuff out.
I'll try to have a look over it tomorrow again and then maybe upload.
Feel free to check yourself and give some feedback :)
Cheers
Steffen
[nmu.patch (text/x-diff, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kcoyner@debian.org>:
Bug#448690; Package sitebar.
Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Kevin Coyner <kcoyner@debian.org>.
Message #15 received at 448690@bugs.debian.org:
Hi Steffen,
* Steffen Joeris <steffen.joeris@skolelinux.de> [2007-12-04 19:12]:
> Attached you will find a patch, which should address the sitebar security
> issues. Of course, just packaging the new upstream version should fix the
> problem, but I think I filtered all the stuff out.
> I'll try to have a look over it tomorrow again and then maybe upload.
> Feel free to check yourself and give some feedback :)
Could you please make separate patches for each CVE or
comment the source code? With a big patch like this it's
really hard to check the issues.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility.
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.
Message #20 received at 448690-close@bugs.debian.org:
Source: sitebar
Source-Version: 3.3.8-12.1
We believe that the bug you reported is fixed in the latest version of
sitebar, which is due to be installed in the Debian FTP archive:
sitebar_3.3.8-12.1.diff.gz
to pool/main/s/sitebar/sitebar_3.3.8-12.1.diff.gz
sitebar_3.3.8-12.1.dsc
to pool/main/s/sitebar/sitebar_3.3.8-12.1.dsc
sitebar_3.3.8-12.1_all.deb
to pool/main/s/sitebar/sitebar_3.3.8-12.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 448690@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated sitebar package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 5 Dec 2007 16:58:25 +0100
Source: sitebar
Binary: sitebar
Architecture: source all
Version: 3.3.8-12.1
Distribution: unstable
Urgency: high
Maintainer: Kevin Coyner <kcoyner@debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description:
sitebar - A web based bookmark manager written in PHP
Closes: 447135 448689 448690
Changes:
sitebar (3.3.8-12.1) unstable; urgency=high
.
* Non-maintainer upload by the testing-security team
* Fix multiple security issues in the translator module (translator.php)
Fixes: CVE-2007-5491, CVE-2007-5492, CVE-2007-5693, CVE-2007-5694
(Closes: #447135)
* Fix possible redirect to other websites via the forward parameter in
command.php
Fixes: CVE-2007-5695 (Closes: #448690)
* Fix multiple XSS by adding more checks for certain parameters
Fixes: CVE-2007-5692 (Closes: #448689)
Files:
748cfcd112066e3be32be59d1f0a5b06 578 web optional sitebar_3.3.8-12.1.dsc
2ae7e1e0872a2c03a9591a17ebacb2b6 24525 web optional sitebar_3.3.8-12.1.diff.gz
9fc4fac487e1a606acc118278999c5c4 711326 web optional sitebar_3.3.8-12.1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHVs0v62zWxYk/rQcRAvZTAJ9OaKc4rEoJjp0+T99gCQkSKIFobwCguKg3
MtLPpxMxPzy4WanF4/h4fK8=
=pHG5
-----END PGP SIGNATURE-----
Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility.
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.
Message #25 received at 448690-close@bugs.debian.org:
Source: sitebar
Source-Version: 3.3.8-7etch1
We believe that the bug you reported is fixed in the latest version of
sitebar, which is due to be installed in the Debian FTP archive:
sitebar_3.3.8-7etch1.diff.gz
to pool/main/s/sitebar/sitebar_3.3.8-7etch1.diff.gz
sitebar_3.3.8-7etch1.dsc
to pool/main/s/sitebar/sitebar_3.3.8-7etch1.dsc
sitebar_3.3.8-7etch1_all.deb
to pool/main/s/sitebar/sitebar_3.3.8-7etch1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 448690@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated sitebar package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 5 Dec 2007 20:06:26 +0100
Source: sitebar
Binary: sitebar
Architecture: source all
Version: 3.3.8-7etch1
Distribution: stable-security
Urgency: high
Maintainer: Kevin Coyner <kevin@rustybear.com>
Changed-By: Steffen Joeris <white@debian.org>
Description:
sitebar - A web based bookmark manager written in PHP
Closes: 447135 448689 448690
Changes:
sitebar (3.3.8-7etch1) stable-security; urgency=high
.
* Non-maintainer upload by the security team
* Fix multiple security issues in the translator module (translator.php)
Fixes: CVE-2007-5491, CVE-2007-5492, CVE-2007-5693, CVE-2007-5694
(Closes: #447135)
* Fix possible redirect to other websites via the forward parameter in
command.php
Fixes: CVE-2007-5695 (Closes: #448690)
* Fix multiple XSS by adding more checks for certain parameters
Fixes: CVE-2007-5692 (Closes: #448689)
Files:
8af7750ff9a808798bf1b898c69b84d6 583 web optional sitebar_3.3.8-7etch1.dsc
fa7b5367808966c8db6241f475f3ef2f 686944 web optional sitebar_3.3.8.orig.tar.gz
cdc186193c2ad2d4e69f220dd8372ccd 22552 web optional sitebar_3.3.8-7etch1.diff.gz
16eb8791acea7cf1c99ac61b7b47e4b1 709524 web optional sitebar_3.3.8-7etch1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHVvlM62zWxYk/rQcRAkCFAJ4hjGacLh7HZM51uV2G3/dFYQOs1ACfT32n
ORg51pFyQkF8/eLjToY9k1I=
=Y9Dx
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org (Fri, 18 Jan 2008 07:38:19 GMT).
Last modified: Fri Jan 5 15:47:23 2018