Debian Bug report logs - #469667
serendipity: CVE-2008-0124 XSS via crafted account settings in multiuser setups

Package: serendipity; Maintainer for serendipity is Jean-Marc Roth <jmroth@iip.lu>;

Reported by: Nico Golde <nion@debian.org>

Date: Thu, 6 Mar 2008 12:30:02 UTC

Severity: important

Tags: security

Fixed in version serendipity/1.3~b1-1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#469667; Package serendipity. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Thijs Kinkhorst <thijs@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: serendipity: CVE-2008-0124 XSS via crafted account settings in multiuser setups
Date: Thu, 6 Mar 2008 13:19:29 +0100
[Message part 1 (text/plain, inline)]
Package: serendipity
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for serendipity.

CVE-2008-0124[0]:
| Cross-site scripting (XSS) vulnerability in Serendipity (S9Y) before
| 1.3-beta1 allows remote authenticated users to inject arbitrary web
| script or HTML via (1) the "Real name" field in Personal Settings,
| which is presented to readers of articles; or (2) a file upload, as
| demonstrated by a .htm, .html, or .js file.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0124

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
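The CVE text above names two XSS vectors: a profile field ("Real name") rendered to other readers without output encoding, and uploaded .htm/.html/.js files that a browser will execute under the blog's origin. The following PHP is an added illustration of the defensive patterns for both classes; it is not part of Nico's report and not Serendipity's own code. The function names, the markup, and the extension allow-list are assumptions chosen for this example.

```php
<?php
// Added example (not Serendipity code): defensive patterns for the two
// issue classes described in CVE-2008-0124.
//
// 1. A user-controlled profile field ("Real name") is shown to other
//    readers, so it must be HTML-escaped at output time.
// 2. Uploaded file names are checked against an allow-list of extensions;
//    .htm/.html/.js are rejected because a browser would execute them
//    in the blog's origin.

declare(strict_types=1);

// Byline rendering, vulnerable form: the stored value is echoed unchanged,
// so markup entered in the settings form reaches every reader.
function render_byline_unsafe(string $realname): string
{
    return '<span class="author">' . $realname . '</span>';
}

// Hardened form: escape for an HTML text context. ENT_QUOTES also escapes
// single quotes, so the same helper is safe inside quoted attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_byline(string $realname): string
{
    $safe = htmlspecialchars($realname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="author">' . $safe . '</span>';
}

// Allow-list for uploads (assumed for this example; a deployment tunes it).
// Only the final extension is consulted, lower-cased, so "photo.JPG" passes
// and "x.jpg.html" is rejected.
const ALLOWED_UPLOAD_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];

function upload_extension_allowed(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, ALLOWED_UPLOAD_EXTENSIONS, true);
}

// Constructed sample values for a quick self-check from the CLI.
$hostile = '<script>alert(1)</script>Alice';
echo render_byline_unsafe($hostile), "\n"; // script element reaches the reader
echo render_byline($hostile), "\n";        // &lt;script&gt;... is inert text

foreach (['avatar.png', 'notes.htm', 'page.HTML', 'app.js', 'x.jpg.html', 'README'] as $name) {
    printf("%-12s %s\n", $name, upload_extension_allowed($name) ? 'allowed' : 'rejected');
}
```

Escaping at the point of output, rather than on save, is what keeps the fix independent of how the value was entered (settings form, import, or direct database edit). The extension allow-list is a defence in depth; serving uploads from a separate origin, or with a `Content-Disposition: attachment` header, removes the script-execution risk even for files that slip through the list.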

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at 469667-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 469667-close@bugs.debian.org
Subject: Bug#469667: fixed in serendipity 1.3~b1-1
Date: Mon, 10 Mar 2008 16:17:23 +0000
Source: serendipity
Source-Version: 1.3~b1-1

We believe that the bug you reported is fixed in the latest version of
serendipity, which is due to be installed in the Debian FTP archive:

serendipity_1.3~b1-1.diff.gz
  to pool/main/s/serendipity/serendipity_1.3~b1-1.diff.gz
serendipity_1.3~b1-1.dsc
  to pool/main/s/serendipity/serendipity_1.3~b1-1.dsc
serendipity_1.3~b1-1_all.deb
  to pool/main/s/serendipity/serendipity_1.3~b1-1_all.deb
serendipity_1.3~b1.orig.tar.gz
  to pool/main/s/serendipity/serendipity_1.3~b1.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 469667@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated serendipity package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 10 Mar 2008 17:02:51 +0100
Source: serendipity
Binary: serendipity
Architecture: source all
Version: 1.3~b1-1
Distribution: unstable
Urgency: medium
Maintainer: Thijs Kinkhorst <thijs@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 serendipity - Weblog manager with extensive theming and plugin support
Closes: 469667
Changes: 
 serendipity (1.3~b1-1) unstable; urgency=medium
 .
   * New upstream beta release.
   * Addresses cross site scripting between authenticated users on a multi-
     user blog (CVE-2008-0124, closes: #469667).
   * Default Apache AllowOverride setting to "All", to make URL rewriting
     without mod_rewrite work out of the box.
Files: 
 585941d8366a935226646d5e176ea905 1041 web optional serendipity_1.3~b1-1.dsc
 5e6761bafae252d633a20c83c12bd3e5 4479204 web optional serendipity_1.3~b1.orig.tar.gz
 10cce0c0cb2ac6a8fd72d2ba545675a7 21580 web optional serendipity_1.3~b1-1.diff.gz
 876176073eb151953f6b0a9d2234b55a 4173926 web optional serendipity_1.3~b1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR9VcoGz0hbPcukPfAQLpzQf+LWmA8DkuI6YF+dCEZz1LOYve4sDdyaeA
eurhNTq/9v6JLYvVnmSHVAD50gEwMiZ/VbaeHrkiCFx+s8Wo+KvcyMYdEbezkewM
AqZfWvJg34SgdSyXwbsK5uuVd7FWbeMDoC06Xct5g0PBh2SN1Ygs87s94TifbACx
A47yNVEfXs9/aRZttNi8VMyMoJX9uv9uLPqWZaDysrheuVjRbcYZUXTcEn9p9njb
ALRO/wFROTrCGGDM61A4M9HTAos1VFq78HRA6xnJR0LDi5YrgFw4nVS0AJlCtlr+
B87Vinw3MH44TnNAJDE/DLaV/29um7Hc5pgbjAilFfSB/BEkrJ6lBg==
=1NjI
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 14 Apr 2008 07:32:05 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 21:01:11 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.