Debian Bug report logs - #469667
serendipity: CVE-2008-0124 XSS via crafted account settings in multiuser setups


Package: serendipity; Maintainer for serendipity is Jean-Marc Roth <>;

Reported by: Nico Golde <>

Date: Thu, 6 Mar 2008 12:30:02 UTC

Severity: important

Tags: security

Fixed in version serendipity/1.3~b1-1

Done: Thijs Kinkhorst <>

Bug is archived. No further changes may be made.



Report forwarded to, Thijs Kinkhorst <>:
Bug#469667; Package serendipity. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <>:
New Bug report received and forwarded. Copy sent to Thijs Kinkhorst <>. Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Nico Golde <>
Subject: serendipity: CVE-2008-0124 XSS via crafted account settings in multiuser setups
Date: Thu, 6 Mar 2008 13:19:29 +0100
[Message part 1 (text/plain, inline)]
Package: serendipity
Severity: important
Tags: security

The following CVE (Common Vulnerabilities & Exposures) id was
published for serendipity.

| Cross-site scripting (XSS) vulnerability in Serendipity (S9Y) before
| 1.3-beta1 allows remote authenticated users to inject arbitrary web
| script or HTML via (1) the "Real name" field in Personal Settings,
| which is presented to readers of articles; or (2) a file upload, as
| demonstrated by a .htm, .html, or .js file.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:

Kind regards

Nico Golde - - - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
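The CVE text above names two sinks: an account's "Real name" that is rendered into article pages for every reader, and uploaded files (.htm, .html, .js) that are served back from the web root and so execute in the blog's origin. The following PHP is an added illustration written for this bug log, not Serendipity's own code and not the upstream fix: it shows the unescaped byline beside the encoded one, and an upload gate that allowlists extensions. Function names, the allowlist and the sample input are assumptions chosen for the example.

```php
<?php
// Added illustration for CVE-2008-0124; not Serendipity source code.
// Sink (1): an author's "Real name" rendered into a page read by others.
// Sink (2): uploads later fetched from the web root as active content.
declare(strict_types=1);

// --- (1) Byline rendering -------------------------------------------------

// Vulnerable pattern: the stored profile value is concatenated into HTML
// unchanged. An author whose Real name is '<script>alert(1)</script>' runs
// script in every reader's browser (and in other authors' admin sessions).
function render_byline_vulnerable(string $realName): string
{
    return '<span class="author">Posted by ' . $realName . '</span>';
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES also makes the value safe inside quoted attributes; the charset
// passed here must match the page's declared encoding.
function render_byline(string $realName): string
{
    $safe = htmlspecialchars($realName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="author">Posted by ' . $safe . '</span>';
}

// --- (2) Upload gate --------------------------------------------------------

// Allowlist of extensions the server may store under the upload directory.
// This list is an assumption for the example; active content (.htm, .html,
// .js, .svg, .php, ...) is deliberately absent.
const ALLOWED_UPLOAD_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];

// Extensions that a browser or the web server will treat as executable or
// active if they appear anywhere after the file stem (e.g. "x.php.png" on
// servers that match handlers on any extension).
const ACTIVE_EXT = ['htm', 'html', 'xhtml', 'js', 'svg', 'php', 'phtml'];

function upload_allowed(string $clientFilename): bool
{
    $base = basename($clientFilename);          // strip any path component
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, ALLOWED_UPLOAD_EXT, true)) {
        return false;
    }
    // Check every extension after the stem, not only the last one.
    $parts = explode('.', strtolower($base));
    array_shift($parts);                         // drop the stem
    foreach ($parts as $part) {
        if (in_array($part, ACTIVE_EXT, true)) {
            return false;
        }
    }
    return true;
}

// Demo on constructed input (not data from the bug report).
$name = '<script>alert(1)</script>';
echo render_byline_vulnerable($name), "\n";   // script tag reaches the reader
echo render_byline($name), "\n";              // tag shown as text, not executed

foreach (['photo.jpg', 'notes.html', 'shell.php.png', '../evil.js'] as $f) {
    printf("%-16s %s\n", $f, upload_allowed($f) ? 'accepted' : 'rejected');
}
```

The encoding belongs at the output site, not at save time: the same stored name is also emitted into feeds, e-mail notifications and admin lists, each with its own context. The upload gate is a second layer, not a substitute for serving the upload directory with `X-Content-Type-Options: nosniff` and, for anything that is not an image, `Content-Disposition: attachment`; without those headers a file whose name passes the allowlist can still be sniffed as HTML by older browsers.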

Reply sent to Thijs Kinkhorst <>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at (full text, mbox):

From: Thijs Kinkhorst <>
Subject: Bug#469667: fixed in serendipity 1.3~b1-1
Date: Mon, 10 Mar 2008 16:17:23 +0000
Source: serendipity
Source-Version: 1.3~b1-1

We believe that the bug you reported is fixed in the latest version of
serendipity, which is due to be installed in the Debian FTP archive:

  to pool/main/s/serendipity/serendipity_1.3~b1-1.diff.gz
  to pool/main/s/serendipity/serendipity_1.3~b1-1.dsc
  to pool/main/s/serendipity/serendipity_1.3~b1-1_all.deb
  to pool/main/s/serendipity/serendipity_1.3~b1.orig.tar.gz

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Thijs Kinkhorst <> (supplier of updated serendipity package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing


Format: 1.7
Date: Mon, 10 Mar 2008 17:02:51 +0100
Source: serendipity
Binary: serendipity
Architecture: source all
Version: 1.3~b1-1
Distribution: unstable
Urgency: medium
Maintainer: Thijs Kinkhorst <>
Changed-By: Thijs Kinkhorst <>
 serendipity - Weblog manager with extensive theming and plugin support
Closes: 469667
 serendipity (1.3~b1-1) unstable; urgency=medium
   * New upstream beta release.
   * Addresses cross site scripting between authenticated users on a multi-
     user blog (CVE-2008-0124, closes: #469667).
   * Default Apache AllowOverride setting to "All", to make URL rewriting
     without mod_rewrite work out of the box.
 585941d8366a935226646d5e176ea905 1041 web optional serendipity_1.3~b1-1.dsc
 5e6761bafae252d633a20c83c12bd3e5 4479204 web optional serendipity_1.3~b1.orig.tar.gz
 10cce0c0cb2ac6a8fd72d2ba545675a7 21580 web optional serendipity_1.3~b1-1.diff.gz
 876176073eb151953f6b0a9d2234b55a 4173926 web optional serendipity_1.3~b1-1_all.deb



Bug archived. Request was from Debbugs Internal Request <> to (Mon, 14 Apr 2008 07:32:05 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <>. Last modified: Fri Apr 18 21:01:11 2014.

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.