Debian Bug report logs - #585412
lxr-cvs: CVE-2010-1738 cross site scripting via title


Package: lxr-cvs; Maintainer for lxr-cvs is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Thu, 10 Jun 2010 12:06:02 UTC

Severity: important

Tags: patch, security

Found in version 0.9.5+cvs20071020-1.1~rm

Fixed in version 0.9.5+cvs20071020-1.1+rm

Done: Alexander Reichle-Schmehl <tolimar@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Giacomo Catenazzi <cate@debian.org>:
Bug#585411; Package lxr. (Thu, 10 Jun 2010 12:06:04 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Giacomo Catenazzi <cate@debian.org>. (Thu, 10 Jun 2010 12:06:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: lxr: CVE-2010-1738 cross site scripting via title in search
Date: Thu, 10 Jun 2010 14:03:09 +0200
Package: lxr
Severity: important
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for lxr.

CVE-2010-1738[0]:
| Cross-site scripting (XSS) vulnerability in lib/LXR/Common.pm in LXR
| Cross Referencer before 0.9.8 allows remote attackers to inject
| arbitrary web script or HTML via a title string.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Patch: 
http://lxr.cvs.sourceforge.net/viewvc/lxr/lxr/lib/LXR/Common.pm?r1=1.63&r2=1.64&view=patch

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1738
    http://security-tracker.debian.org/tracker/CVE-2010-1738

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
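An added illustration of the bug class described in the CVE text above, written in Perl because LXR is a Perl application; this is not LXR's code and does not reproduce the linked upstream patch. The function names, the header template and the sample title are assumptions made for the example: the unsafe builder interpolates a request-controlled title into the page header verbatim, the fixed one HTML-escapes it first, and a small well-formedness check shows how a regression test can tell the two apart.

```perl
#!/usr/bin/perl
# Illustrative code (not from LXR): rendering a page <title> from a
# string the requester controls, before and after HTML escaping.
use strict;
use warnings;

# Minimal escaper for the characters that can change HTML structure in
# element content or attribute values (HTML::Entities would also do).
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Vulnerable pattern: the title is dropped into the markup as-is, so any
# '<' in it terminates the <title> element and injects further markup.
sub make_header_unsafe {
    my ($title) = @_;
    return "<html><head><title>$title</title></head><body>";
}

# Fixed pattern: escape the value before interpolating it.
sub make_header_safe {
    my ($title) = @_;
    my $t = html_escape($title);
    return "<html><head><title>$t</title></head><body>";
}

# Regression check: a correctly rendered header contains exactly one
# opening and one closing <title> tag, whatever the input contained.
sub header_is_well_formed {
    my ($html) = @_;
    my $opens  = () = $html =~ /<title>/g;
    my $closes = () = $html =~ m{</title>}g;
    return $opens == 1 && $closes == 1;
}

# Constructed sample input: a title that closes the <title> element early.
my $title = 'Common.pm</title><b>injected</b>';

for my $builder (\&make_header_unsafe, \&make_header_safe) {
    my $html = $builder->($title);
    printf "%s  well-formed=%d\n", $html, header_is_well_formed($html) ? 1 : 0;
}
```

With the sample title the unsafe builder yields two closing tags and fails the check, while the escaped version keeps the whole title inside the element.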

Bug 585411 cloned as bug 585412. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 10 Jun 2010 12:12:01 GMT)

Bug reassigned from package 'lxr' to 'lxr-cvs'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 10 Jun 2010 12:12:04 GMT)

Changed Bug title to 'lxr-cvs: CVE-2010-1738 cross site scripting via title' from 'lxr: CVE-2010-1738 cross site scripting via title in search'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 10 Jun 2010 12:12:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Giacomo Catenazzi <cate@debian.org>:
Bug#585412; Package lxr-cvs. (Sat, 31 Jul 2010 14:21:09 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Giacomo Catenazzi <cate@debian.org>. (Sat, 31 Jul 2010 14:21:09 GMT)

Message #16 received at 585412@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 584671@bugs.debian.org, 588036@bugs.debian.org, 588137@bugs.debian.org, 575745@bugs.debian.org
Cc: 585412@bugs.debian.org
Subject: intent to NMU
Date: Sat, 31 Jul 2010 16:21:36 +0200
Hi,
I uploaded the debdiff at:
http://people.debian.org/~nion/nmu-diff/lxr-cvs-0.9.5+cvs20071020-1_0.9.5+cvs20071020-1.1.patch
to DELAYED/2. This cherry-picks upstream fixes from newer releases to
0.9.5. Let me know if you want to delay this further.

Please note that I did not close 585412 (CVE-2010-1738) with this patch since
I believe this to be a duplicate of CVE-2010-1448. I checked back with MITRE
on this one.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Alexander Reichle-Schmehl <tolimar@debian.org>:
You have taken responsibility. (Thu, 05 Aug 2010 09:09:27 GMT)

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Thu, 05 Aug 2010 09:09:27 GMT)

Message #21 received at 585412-done@bugs.debian.org:

From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: 585412-done@bugs.debian.org, 493033-done@bugs.debian.org, 584716-done@bugs.debian.org, 407921-done@bugs.debian.org, 584880-done@bugs.debian.org, 500227-done@bugs.debian.org
Subject: Package got removed
Date: Thu, 5 Aug 2010 11:07:18 +0200
Version: 0.9.5+cvs20071020-1.1~rm

Hi!

As the package got removed from the archive, I hereby close this bug
report.  Please see http://bugs.debian.org/591059 for details on the
removal.

Best Regards,
  Alexander

Bug marked as found in versions 0.9.5+cvs20071020-1.1~rm; no longer marked as fixed in versions 0.9.5+cvs20071020-1.1~rm and reopened. Request was from Alexander Reichle-Schmehl <tolimar@debian.org> to control@bugs.debian.org. (Sat, 07 Aug 2010 11:54:03 GMT)

Reply sent to Alexander Reichle-Schmehl <tolimar@debian.org>:
You have taken responsibility. (Sat, 07 Aug 2010 12:03:51 GMT)

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Sat, 07 Aug 2010 12:03:51 GMT)

Message #28 received at 585412-done@bugs.debian.org:

From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: 585412-done@bugs.debian.org, 493033-done@bugs.debian.org, 584716-done@bugs.debian.org, 407921-done@bugs.debian.org, 584880-done@bugs.debian.org, 500227-done@bugs.debian.org
Subject: Package got removed
Date: Sat, 7 Aug 2010 14:02:34 +0200
Version: 0.9.5+cvs20071020-1.1+rm

Hi!

As the package got removed from the archive, I hereby close this bug
report.  Please see http://bugs.debian.org/591059 for details on the
removal.

Best Regards,
  Alexander

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 Sep 2010 07:30:49 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 17:00:14 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.