Debian Bug report logs - #575745
CVE-2009-4497: Cross-site scripting (XSS) vulnerability


Package: lxr-cvs; Maintainer for lxr-cvs is (unknown);

Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Sun, 28 Mar 2010 21:18:08 UTC

Severity: important

Tags: security

Fixed in version lxr-cvs/0.9.5+cvs20071020-1.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Giacomo Catenazzi <cate@debian.org>:
Bug#575745; Package lxr-cvs. (Sun, 28 Mar 2010 21:18:11 GMT)

Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Giacomo Catenazzi <cate@debian.org>. (Sun, 28 Mar 2010 21:18:11 GMT)

Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-4497: Cross-site scripting (XSS) vulnerability
Date: Sun, 28 Mar 2010 23:16:53 +0200
Package: lxr-cvs
Severity: serious
Tags: security


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for lxr-cvs.

CVE-2009-4497[0]:
| Cross-site scripting (XSS) vulnerability in LXR Cross Referencer 0.9.5
| and 0.9.6 allows remote attackers to inject arbitrary web script or
| HTML via the i parameter to the ident program.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4497
    http://security-tracker.debian.org/tracker/CVE-2009-4497






Severity set to 'important' from 'serious' Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 10 Jun 2010 12:12:07 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Giacomo Catenazzi <cate@debian.org>:
Bug#575745; Package lxr-cvs. (Sat, 31 Jul 2010 14:21:06 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Giacomo Catenazzi <cate@debian.org>. (Sat, 31 Jul 2010 14:21:06 GMT)

Message #12 received at 575745@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 584671@bugs.debian.org, 588036@bugs.debian.org, 588137@bugs.debian.org, 575745@bugs.debian.org
Cc: 585412@bugs.debian.org
Subject: intent to NMU
Date: Sat, 31 Jul 2010 16:21:36 +0200
Hi,
I uploaded the debdiff at:
http://people.debian.org/~nion/nmu-diff/lxr-cvs-0.9.5+cvs20071020-1_0.9.5+cvs20071020-1.1.patch
to DELAYED/2. This cherry-picks upstream fixes from newer releases to
0.9.5. Let me know if you want to delay this further.

Please note that I did not close 585412 (CVE-2010-1738) with this patch since
I believe this to be a duplicate of CVE-2010-1448. I checked back with mitre 
on this one.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Mon, 02 Aug 2010 15:06:10 GMT)

Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Mon, 02 Aug 2010 15:06:10 GMT)

Message #17 received at 575745-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 575745-close@bugs.debian.org
Subject: Bug#575745: fixed in lxr-cvs 0.9.5+cvs20071020-1.1
Date: Mon, 02 Aug 2010 15:02:48 +0000
Source: lxr-cvs
Source-Version: 0.9.5+cvs20071020-1.1

We believe that the bug you reported is fixed in the latest version of
lxr-cvs, which is due to be installed in the Debian FTP archive:

lxr-cvs_0.9.5+cvs20071020-1.1.diff.gz
  to main/l/lxr-cvs/lxr-cvs_0.9.5+cvs20071020-1.1.diff.gz
lxr-cvs_0.9.5+cvs20071020-1.1.dsc
  to main/l/lxr-cvs/lxr-cvs_0.9.5+cvs20071020-1.1.dsc
lxr-cvs_0.9.5+cvs20071020-1.1_all.deb
  to main/l/lxr-cvs/lxr-cvs_0.9.5+cvs20071020-1.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 575745@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated lxr-cvs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sat, 31 Jul 2010 15:57:41 +0200
Source: lxr-cvs
Binary: lxr-cvs
Architecture: source all
Version: 0.9.5+cvs20071020-1.1
Distribution: unstable
Urgency: high
Maintainer: Giacomo Catenazzi <cate@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 lxr-cvs    - A general hypertext cross-referencing tool
Closes: 575745 584671 588036 588137
Changes: 
 lxr-cvs (0.9.5+cvs20071020-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Backported upstream security fixes from current release (Closes: #584671).
   * This update addresses the following security issues:
     - CVE-2010-1448: reflected XSS via title tag on search page (Closes: #588036).
     - CVE-2010-1625: reflected XSS in search results page (Closes: #588137).
     - CVE-2009-4497: XSS via the i parameter of the ident script (Closes: #575745).






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 01 Sep 2010 07:36:13 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 02:05:23 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.