Debian Bug report logs - #583290
zonecheck: XSS security bug in the CGI

version graph

Package: zonecheck; Maintainer for zonecheck is Sebastien Delafond <seb@debian.org>; Source for zonecheck is src:zonecheck.

Reported by: Stephane Bortzmeyer <bortzmeyer@nic.fr>

Date: Wed, 26 May 2010 19:54:01 UTC

Severity: grave

Tags: security

Found in version zonecheck/2.0.4-13

Fixed in version zonecheck/2.1.1-1

Done: Sebastien Delafond <seb@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sebastien Delafond <seb@debian.org>:
Bug#583290; Package zonecheck. (Wed, 26 May 2010 19:54:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stephane Bortzmeyer <bortzmeyer@nic.fr>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sebastien Delafond <seb@debian.org>. (Wed, 26 May 2010 19:54:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zonecheck: XSS security bug in the CGI
Date: Wed, 26 May 2010 21:40:00 +0200
Package: zonecheck
Version: 2.0.4-13
Severity: grave
Tags: security
Justification: user security hole


There is XSS security bug in Zonecheck cgi up to version 2.1.0. Fixed
upstream in 2.1.1. 

The patch is simple and can probably be backported: 
http://cvs.savannah.gnu.org/viewvc/zonecheck/zc/publisher/html.rb?root=zonecheck&r1=1.79&r2=1.80

The bug has already been exploited in the wild:
http://www.xssed.com/mirror/61096/

The upstream bug report: https://savannah.nongnu.org/bugs/?29967

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages zonecheck depends on:
ii  iputils-ping                3:20071127-1 Tools to test the reachability of 
ii  ruby                        4.2          An interpreter of object-oriented 

zonecheck recommends no packages.

zonecheck suggests no packages.

-- no debconf information




Reply sent to Sebastien Delafond <seb@debian.org>:
You have taken responsibility. (Sat, 29 May 2010 13:03:13 GMT) Full text and rfc822 format available.

Notification sent to Stephane Bortzmeyer <bortzmeyer@nic.fr>:
Bug acknowledged by developer. (Sat, 29 May 2010 13:03:13 GMT) Full text and rfc822 format available.

Message #10 received at 583290-close@bugs.debian.org (full text, mbox):

From: Sebastien Delafond <seb@debian.org>
To: 583290-close@bugs.debian.org
Subject: Bug#583290: fixed in zonecheck 2.1.1-1
Date: Sat, 29 May 2010 13:02:46 +0000
Source: zonecheck
Source-Version: 2.1.1-1

We believe that the bug you reported is fixed in the latest version of
zonecheck, which is due to be installed in the Debian FTP archive:

zonecheck-cgi_2.1.1-1_all.deb
  to main/z/zonecheck/zonecheck-cgi_2.1.1-1_all.deb
zonecheck_2.1.1-1.debian.tar.gz
  to main/z/zonecheck/zonecheck_2.1.1-1.debian.tar.gz
zonecheck_2.1.1-1.dsc
  to main/z/zonecheck/zonecheck_2.1.1-1.dsc
zonecheck_2.1.1-1_all.deb
  to main/z/zonecheck/zonecheck_2.1.1-1_all.deb
zonecheck_2.1.1.orig.tar.gz
  to main/z/zonecheck/zonecheck_2.1.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 583290@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <seb@debian.org> (supplier of updated zonecheck package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 29 May 2010 14:27:37 +0200
Source: zonecheck
Binary: zonecheck zonecheck-cgi
Architecture: source all
Version: 2.1.1-1
Distribution: unstable
Urgency: high
Maintainer: Sebastien Delafond <seb@debian.org>
Changed-By: Sebastien Delafond <seb@debian.org>
Description: 
 zonecheck  - DNS configuration checker
 zonecheck-cgi - DNS configuration checker (web interface)
Closes: 583290
Changes: 
 zonecheck (2.1.1-1) unstable; urgency=high
 .
   * New upstream release, that fixes XSS issue in the the CGI
     (Closes: #583290).
   * Bumped up Standards revision.
   * Switched to 3.0 quilt source format.
Checksums-Sha1: 
 5306a8539fff6d892784969c7d91cd50abe1a741 1077 zonecheck_2.1.1-1.dsc
 1b61fbd49d8f4f2580206de1af45e7054f835bca 254894 zonecheck_2.1.1.orig.tar.gz
 5df5224c6ad36e4085c9d4cdd757c829f080f43e 10687 zonecheck_2.1.1-1.debian.tar.gz
 5c25accae18088ea3716e53aec5016510b0db6ea 211896 zonecheck_2.1.1-1_all.deb
 02d12b2500cab645780bb7d3fa1aad8625275883 40350 zonecheck-cgi_2.1.1-1_all.deb
Checksums-Sha256: 
 36774aa565796ac302ac9aae5ff2201e32d52d4ae9ac65fe3227669a85952394 1077 zonecheck_2.1.1-1.dsc
 cef19fbbb6ebe3a9dde9f0f958edd3c415047d01f600959685e54e4f7a965fcb 254894 zonecheck_2.1.1.orig.tar.gz
 268b31cf117c195e5753fd08cad8f6a6b098ab4b2c1e1a99fa73803889fb92db 10687 zonecheck_2.1.1-1.debian.tar.gz
 71b15a28f7fc34e429b1e71b713c0473658633b20e3f5455c55e8512eb78c4f9 211896 zonecheck_2.1.1-1_all.deb
 ce21f953c2b5712413513dbcfd6cf47eb132db4ede64c9200202ded750274151 40350 zonecheck-cgi_2.1.1-1_all.deb
Files: 
 711fbb2d9b45530d84cfe58ec5b97796 1077 net optional zonecheck_2.1.1-1.dsc
 3efd01ca404fb03e0592f76ccdbc66f1 254894 net optional zonecheck_2.1.1.orig.tar.gz
 83b9db93ec0238962b5bf1befac76605 10687 net optional zonecheck_2.1.1-1.debian.tar.gz
 eb3d7a5d4e81c8db55a10999e7e8487c 211896 net optional zonecheck_2.1.1-1_all.deb
 f5564aa3b9af01890bea92a20ecef5af 40350 net optional zonecheck-cgi_2.1.1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwBC/EACgkQiZgNKcDdyD/nCQCeJOWYosAe5iiUrnaFeYNcJ/pE
MgMAoNV5d5Uo8fza6G9vocrbZEnEoyxJ
=9xwm
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Mar 2011 10:18:52 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 15:15:02 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.