Debian Bug report logs - #472643
roundup: CVE-2008-1474 unspecified vulnerabilities


Package: roundup; Maintainer for roundup is Kai Storbeck <kai@xs4all.nl>; Source for roundup is src:roundup.

Reported by: Nico Golde <nion@debian.org>

Date: Tue, 25 Mar 2008 14:21:01 UTC

Severity: important

Tags: patch, security

Fixed in versions roundup/1.3.3-3.1, roundup/1.4.4-1, roundup/1.2.1-5+etch1

Done: Toni Mueller <toni@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Toni Mueller <toni@debian.org>:
Bug#472643; Package roundup.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Toni Mueller <toni@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: roundup: CVE-2008-1474 unspecified vulnerabilities
Date: Tue, 25 Mar 2008 15:17:32 +0100
Package: roundup
Severity: important
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for roundup.

CVE-2008-1474[0]:
| Multiple unspecified vulnerabilities in Roundup before 1.4.4 have
| unknown impact and attack vectors.

Patches on:
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gf-J2%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gs-To%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins
http://sourceforge.net/mailarchive/forum.php?thread_name=E1JVMv3-0004gr-TW%40sc8-pr-cvs9.sourceforge.net&forum_name=roundup-checkins

This looks like some kind of cross-site-scripting to me.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1474

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Changed Bug title to `roundup: CVE-2008-1474 unspecified vulnerabilities' from `roundup: CVE-2008-1474 unspedicified vulnerabilities'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Tue, 25 Mar 2008 14:30:09 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Toni Mueller <toni@debian.org>:
Bug#472643; Package roundup.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Toni Mueller <toni@debian.org>.

Message #12 received at 472643@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 472643@bugs.debian.org
Subject: intent to NMU
Date: Wed, 2 Apr 2008 14:13:41 +0200
Hi,
the maintainer seems to be MIA,
attached is a patch extracted from the diff between the 
version we ship and the new upstream version.

It will be also archived on:
http://people.debian.org/~nion/nmu-diff/roundup-1.3.3-3_1.3.3-3.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[roundup-1.3.3-3_1.3.3-3.1.patch (text/x-diff, attachment)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.

Message #17 received at 472643-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 472643-close@bugs.debian.org
Subject: Bug#472643: fixed in roundup 1.3.3-3.1
Date: Wed, 02 Apr 2008 12:32:06 +0000
Source: roundup
Source-Version: 1.3.3-3.1

We believe that the bug you reported is fixed in the latest version of
roundup, which is due to be installed in the Debian FTP archive:

roundup_1.3.3-3.1.diff.gz
  to pool/main/r/roundup/roundup_1.3.3-3.1.diff.gz
roundup_1.3.3-3.1.dsc
  to pool/main/r/roundup/roundup_1.3.3-3.1.dsc
roundup_1.3.3-3.1_all.deb
  to pool/main/r/roundup/roundup_1.3.3-3.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 472643@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated roundup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 02 Apr 2008 13:29:23 +0200
Source: roundup
Binary: roundup
Architecture: source all
Version: 1.3.3-3.1
Distribution: unstable
Urgency: high
Maintainer: Toni Mueller <toni@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 roundup    - an issue-tracking system
Closes: 472643
Changes: 
 roundup (1.3.3-3.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add 10_CVE-2008-1474.dpatch to fix several cross-site scripting
     issues via unescaped user input (Closes: #472643).
Files: 
 49b162ec12b231f69d68cff1986e9a95 653 web optional roundup_1.3.3-3.1.dsc
 b567f8c0486b3e179d12eea270d702f7 31659 web optional roundup_1.3.3-3.1.diff.gz
 3cf04ca7928464d09a6c11811c59fa27 1251884 web optional roundup_1.3.3-3.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH83b5HYflSXNkfP8RAiLOAJ4j8LDgmrP9NMhLmOk9GhqUyx38OACgiflI
WpHNfDviAThjP00UH/BfYew=
=0LxU
-----END PGP SIGNATURE-----
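The changelog above names the bug class, cross-site scripting through user input that reached the HTML output unescaped, but the patch itself is only linked, not shown. The following is an added example, not Roundup's code and not the Debian patch: it reconstructs the pattern in a hypothetical issue-tracker search page (the `q` parameter and all render functions are invented for illustration) so the 'before' and 'after' can be compared, and it adds the caveat a reviewer of such a fix would check, namely that escaping only `<`, `>` and `&` is not enough when the value lands inside an HTML attribute.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample request. The search term is attacker-controlled and is
# reflected into the response; the parameter name "q" is hypothetical.
SCRIPT_PAYLOAD = '<script>alert(document.cookie)</script>'
ATTR_PAYLOAD = '" onmouseover="alert(1)'
SAMPLE_URL = 'http://tracker.example/issue?q=' + SCRIPT_PAYLOAD  # constructed


def term_from_url(url):
    """Pull the user-controlled search term out of the query string."""
    return parse_qs(urlparse(url).query).get('q', [''])[0]


def render_results_vulnerable(term, hits):
    """'Before' form: user input is interpolated into HTML unescaped."""
    rows = ''.join('<li>%s</li>' % h for h in hits)
    return '<p>Results for %s</p><ul>%s</ul>' % (term, rows)


def render_results_escaped(term, hits):
    """'After' form: every untrusted string is escaped at the point of output."""
    rows = ''.join('<li>%s</li>' % html.escape(h, quote=True) for h in hits)
    return '<p>Results for %s</p><ul>%s</ul>' % (html.escape(term, quote=True), rows)


def render_search_box_partial(term):
    """Escapes <, > and & but leaves quotes alone: the value can still close
    the attribute and add an event handler, so this is an incomplete fix."""
    return '<input name="q" value="%s">' % html.escape(term, quote=False)


def render_search_box_escaped(term):
    """Quote-aware escaping keeps the value inside the attribute."""
    return '<input name="q" value="%s">' % html.escape(term, quote=True)


def reflects_unescaped(page, payload):
    """Crude regression check: does the payload survive verbatim in the page?"""
    return payload in page


def demo():
    """Run both render paths against the constructed payloads and report
    which ones let the injected markup through."""
    term = term_from_url(SAMPLE_URL)
    hits = ['issue1: login fails', 'issue2: <b>bold</b> in title']  # constructed
    return {
        'vulnerable_reflects': reflects_unescaped(
            render_results_vulnerable(term, hits), SCRIPT_PAYLOAD),
        'escaped_reflects': reflects_unescaped(
            render_results_escaped(term, hits), SCRIPT_PAYLOAD),
        'attr_partial_breaks_out':
            '" onmouseover="' in render_search_box_partial(ATTR_PAYLOAD),
        'attr_escaped_breaks_out':
            '" onmouseover="' in render_search_box_escaped(ATTR_PAYLOAD),
    }


if __name__ == '__main__':
    for name, leaked in demo().items():
        print('%-26s %s' % (name, leaked))
```

The `reflects_unescaped` check is what one would turn into a regression test after applying an upload like 1.3.3-3.1: feed each reflected parameter a marker that contains `<`, `"` and `'`, and fail if the marker comes back byte-for-byte. It only catches verbatim reflection, so it is a smoke test, not proof that every template path escapes correctly.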





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#472643; Package roundup.

Acknowledgement sent to Toni Mueller <toni@debian.org>:
Extra info received and forwarded to list.

Message #22 received at 472643@bugs.debian.org:

From: Toni Mueller <toni@debian.org>
To: Nico Golde <nion@debian.org>, 472643@bugs.debian.org
Cc: toni@debian.org
Subject: Re: Bug#472643: intent to NMU
Date: Thu, 3 Apr 2008 13:42:07 +0200

Hi Nico,

On Wed, 02.04.2008 at 14:13:41 +0200, Nico Golde <nion@debian.org> wrote:
> the maintainer seems to be MIA,

not quite... mail me directly if you need details.

> attached is a patch extracted from the diff between the 
> version we ship and the new upstream version.
> 
> It will be also archived on:
> http://people.debian.org/~nion/nmu-diff/roundup-1.3.3-3_1.3.3-3.1.patch

I hoped to upload a 1.4.4 package this weekend, but if you can roll a
patched version of 1.3.3, feel free to go ahead with your NMU (I didn't
check the patch).

BTW, I didn't see that Lenny was frozen yet, so I expect 1.4.4 to make it.


Kind regards,
--Toni++





Information forwarded to debian-bugs-dist@lists.debian.org, Toni Mueller <toni@debian.org>:
Bug#472643; Package roundup.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Toni Mueller <toni@debian.org>.

Message #27 received at 472643@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 472643@bugs.debian.org
Subject: Re: Bug#472643: intent to NMU
Date: Thu, 3 Apr 2008 13:56:17 +0200
Hi Toni,
* Toni Mueller <toni@debian.org> [2008-04-03 13:43]:
> On Wed, 02.04.2008 at 14:13:41 +0200, Nico Golde <nion@debian.org> wrote:
> > the maintainer seems to be MIA,
> 
> not quite... mail me directly if you need details.

Ok.

> > attached is a patch extracted from the diff between the 
> > version we ship and the new upstream version.
> > 
> > It will be also archived on:
> > http://people.debian.org/~nion/nmu-diff/roundup-1.3.3-3_1.3.3-3.1.patch
> 
> I hoped to upload a 1.4.4 package this weekend, but if you can roll a
> patched version of 1.3.3, feel free to go ahead with your NMU (I didn't
> check the patch).

Already uploaded :) I checked back with upstream that the 
new release just fixes these issues, so I ripped anything off 
the diff that doesn't have to do with escaping the user 
supplied input. It should be ok.

> BTW, I didn't see that Lenny was frozen yet, so I expect 1.4.4 to make it.

Yep true.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Toni Mueller <toni@debian.org>:
You have taken responsibility.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.

Message #32 received at 472643-close@bugs.debian.org:

From: Toni Mueller <toni@debian.org>
To: 472643-close@bugs.debian.org
Subject: Bug#472643: fixed in roundup 1.4.4-1
Date: Sat, 05 Apr 2008 19:17:03 +0000
Source: roundup
Source-Version: 1.4.4-1

We believe that the bug you reported is fixed in the latest version of
roundup, which is due to be installed in the Debian FTP archive:

roundup_1.4.4-1.dsc
  to pool/main/r/roundup/roundup_1.4.4-1.dsc
roundup_1.4.4-1.tar.gz
  to pool/main/r/roundup/roundup_1.4.4-1.tar.gz
roundup_1.4.4-1_all.deb
  to pool/main/r/roundup/roundup_1.4.4-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 472643@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Toni Mueller <toni@debian.org> (supplier of updated roundup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 01 Apr 2008 15:49:45 +0200
Source: roundup
Binary: roundup
Architecture: source all
Version: 1.4.4-1
Distribution: unstable
Urgency: medium
Maintainer: Toni Mueller <toni@debian.org>
Changed-By: Toni Mueller <toni@debian.org>
Description: 
 roundup    - an issue-tracking system
Closes: 466381 472643
Changes: 
 roundup (1.4.4-1) unstable; urgency=medium
 .
   * new upstream
   * fixes security problem CVE-2008-1474 (Closes: #472643)
   * reworked postinst to conditionally use update-service (Closes:
     #466381)
Files: 
 487a763bf927bc87753d47a6fe1bbaea 577 web optional roundup_1.4.4-1.dsc
 93c3f5491d642563e976c1dab8101543 2896901 web optional roundup_1.4.4-1.tar.gz
 ccc496fb62c538aed6a7d377620157a2 1276396 web optional roundup_1.4.4-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH986dfoEUoHXLGtIRAtSVAJ4sRSa2p9k814uByqu0FQGZdmnuiQCgmQ7W
YWp2jhtPxsjS59WUJiTYXfQ=
=yXmf
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#472643; Package roundup.

Acknowledgement sent to Toni Mueller <toni@debian.org>:
Extra info received and forwarded to list.

Message #37 received at 472643@bugs.debian.org:

From: Toni Mueller <toni@debian.org>
To: Nico Golde <nion@debian.org>
Cc: Toni Mueller <toni@debian.org>, 472643@bugs.debian.org
Subject: Re: Bug#472643: intent to NMU
Date: Sat, 12 Apr 2008 17:16:11 +0200
Hi,

On Thu, 03.04.2008 at 13:42:07 +0200, Toni Mueller <toni@debian.org> wrote:
> > attached is a patch extracted from the diff between the 
> > version we ship and the new upstream version.
> 
> I hoped to upload a 1.4.4 package this weekend, but if you can roll a
> patched version of 1.3.3, feel free to go ahead with your NMU (I didn't
> check the patch).

I wouldn't mind if you'd do the same for Etch. I'm "almost" there,
though quite swamped. It will probably take another few days, and, in
any case, I'll mark the 0.8.2 versioned bug as "wontfix" - Sarge
support has been terminated.


Kind regards,
--Toni++




Reply sent to Toni Mueller <toni@debian.org>:
You have taken responsibility.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.

Message #42 received at 472643-close@bugs.debian.org:

From: Toni Mueller <toni@debian.org>
To: 472643-close@bugs.debian.org
Subject: Bug#472643: fixed in roundup 1.2.1-5+etch1
Date: Sun, 04 May 2008 07:52:30 +0000
Source: roundup
Source-Version: 1.2.1-5+etch1

We believe that the bug you reported is fixed in the latest version of
roundup, which is due to be installed in the Debian FTP archive:

roundup_1.2.1-5+etch1.diff.gz
  to pool/main/r/roundup/roundup_1.2.1-5+etch1.diff.gz
roundup_1.2.1-5+etch1.dsc
  to pool/main/r/roundup/roundup_1.2.1-5+etch1.dsc
roundup_1.2.1-5+etch1_all.deb
  to pool/main/r/roundup/roundup_1.2.1-5+etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 472643@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Toni Mueller <toni@debian.org> (supplier of updated roundup package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 13 Apr 2008 23:01:55 +0200
Source: roundup
Binary: roundup
Architecture: source all
Version: 1.2.1-5+etch1
Distribution: stable-security
Urgency: high
Maintainer: noahm@debian.org
Changed-By: Toni Mueller <toni@debian.org>
Description: 
 roundup    - an issue-tracking system
Closes: 472643
Changes: 
 roundup (1.2.1-5+etch1) stable-security; urgency=high
 .
   * added patch for CVE-2008-1474 (closes: #472643)
Files: 
 2bf102c80abab65bf5b7d8804a29bc4d 690 web optional roundup_1.2.1-5+etch1.dsc
 61583ff7c94651b7380794b421fcc521 25739 web optional roundup_1.2.1-5+etch1.diff.gz
 38de336cf23d0dc20df17695b7c72806 1058595 web optional roundup_1.2.1.orig.tar.gz
 00f33566e9993e7aaa37f6b99c3d186e 1003008 web optional roundup_1.2.1-5+etch1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFICMGKYrVLjBFATsMRAs3aAJ4skWiS6DgnMUeS8v3sAzy/JtA0CwCffjpy
PzPjeentM4DxjKdgBiMrQhE=
=6fPA
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Jun 2008 07:32:06 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 07:54:41 2014; Machine Name: beach.debian.org
