Debian Bug report logs - #588036
CVE-2010-1448: Cross-site scripting (XSS) vulnerability


Package: lxr-cvs; Maintainer for lxr-cvs is (unknown);

Reported by: Giuseppe Iuculano <>

Date: Sun, 4 Jul 2010 11:03:03 UTC

Severity: serious

Tags: security

Fixed in version lxr-cvs/0.9.5+cvs20071020-1.1

Done: Nico Golde <>

Bug is archived. No further changes may be made.


Report forwarded to,,, Giacomo Catenazzi <>:
Bug#588036; Package lxr-cvs. (Sun, 04 Jul 2010 11:03:06 GMT)

Acknowledgement sent to Giuseppe Iuculano <>:
New Bug report received and forwarded. Copy sent to,, Giacomo Catenazzi <>. (Sun, 04 Jul 2010 11:03:06 GMT)

Message #5 received at (full text, mbox):

From: Giuseppe Iuculano <>
To: Debian Bug Tracking System <>
Subject: CVE-2010-1448: Cross-site scripting (XSS) vulnerability
Date: Sun, 04 Jul 2010 13:01:55 +0200
Package: lxr-cvs
Severity: serious
Tags: security


Ciao Giacomo,

the following CVE (Common Vulnerabilities & Exposures) id was
published for lxr-cvs.

| Cross-site scripting (XSS) vulnerability in lib/LXR/ in LXR
| Cross Referencer before 0.9.8 allows remote attackers to inject
| arbitrary web script or HTML via vectors related to a string in the
| search page's TITLE element, a different vulnerability than
| CVE-2009-4497 and CVE-2010-1625.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:





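The CVE text above describes a reflected XSS in which a user-supplied search string is written into the search page's TITLE element without HTML escaping, so a string containing a closing tag breaks out of the element and the rest is rendered as markup. The Python block below is an added illustration, not LXR's code (LXR itself is written in Perl and its templates differ); the page layout, function names and the sample query are constructed. It places a vulnerable rendering beside the escaped one and adds a check that confirms the TITLE element cannot be broken out of. The same escape-on-output rule is the fix for the other two LXR XSS issues named on this page (search results page, ident `i` parameter), which differ only in where the string lands.

```python
import html
import re

# Constructed sample: a search string as it might arrive in a query
# parameter. The embedded closing tag is what lets markup escape <title>.
SAMPLE_QUERY = "foo</title><b>injected</b><title>"


def render_search_title_vulnerable(query: str) -> str:
    """Illustrative vulnerable form (not LXR's template): the raw query is
    interpolated straight into the TITLE element."""
    return (
        "<html><head><title>Search results for "
        + query
        + "</title></head><body></body></html>"
    )


def render_search_title_fixed(query: str) -> str:
    """Hardened form: escape the HTML-significant characters (& < > " ')
    before interpolation, so the query is inert text inside <title>."""
    return (
        "<html><head><title>Search results for "
        + html.escape(query, quote=True)
        + "</title></head><body></body></html>"
    )


_TITLE_RE = re.compile(r"<title>(.*?)</title>", re.DOTALL | re.IGNORECASE)


def title_is_intact(page: str) -> bool:
    """Defensive check for a rendered page: exactly one TITLE element, and
    its text contains no '<' or '>' that could open a new tag. Suitable for
    a regression test over the pages a cross-referencer emits."""
    titles = _TITLE_RE.findall(page)
    return len(titles) == 1 and re.search(r"[<>]", titles[0]) is None


if __name__ == "__main__":
    for name, render in (
        ("vulnerable", render_search_title_vulnerable),
        ("fixed", render_search_title_fixed),
    ):
        page = render(SAMPLE_QUERY)
        print(f"{name:10s} title intact: {title_is_intact(page)}")
        print("  ", page)
```

The escaping is applied at the point where the string enters HTML, not at input time, which is what lets the same value be stored, logged or used in a non-HTML context unchanged. `title_is_intact` is deliberately simple; it is a regression check for this one sink, not a general HTML sanitiser.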
Information forwarded to, Giacomo Catenazzi <>:
Bug#588036; Package lxr-cvs. (Sat, 31 Jul 2010 14:21:11 GMT)

Acknowledgement sent to Nico Golde <>:
Extra info received and forwarded to list. Copy sent to Giacomo Catenazzi <>. (Sat, 31 Jul 2010 14:21:11 GMT)

Message #10 received at (full text, mbox):

From: Nico Golde <>
Subject: intent to NMU
Date: Sat, 31 Jul 2010 16:21:36 +0200
I uploaded the debdiff at:
to DELAYED/2. This cherry-picks upstream fixes from newer releases to
0.9.5. Let me know if you want to delay this further.

Please note that I did not close 585412 (CVE-2010-1738) with this patch since
I believe this to be a duplicate of CVE-2010-1448. I checked back with mitre 
on this one.


Nico Golde - - - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Nico Golde <>:
You have taken responsibility. (Mon, 02 Aug 2010 15:06:32 GMT)

Notification sent to Giuseppe Iuculano <>:
Bug acknowledged by developer. (Mon, 02 Aug 2010 15:06:32 GMT)

Message #15 received at (full text, mbox):

From: Nico Golde <>
Subject: Bug#588036: fixed in lxr-cvs 0.9.5+cvs20071020-1.1
Date: Mon, 02 Aug 2010 15:02:48 +0000
Source: lxr-cvs
Source-Version: 0.9.5+cvs20071020-1.1

We believe that the bug you reported is fixed in the latest version of
lxr-cvs, which is due to be installed in the Debian FTP archive:

  to main/l/lxr-cvs/lxr-cvs_0.9.5+cvs20071020-1.1.diff.gz
  to main/l/lxr-cvs/lxr-cvs_0.9.5+cvs20071020-1.1.dsc
  to main/l/lxr-cvs/lxr-cvs_0.9.5+cvs20071020-1.1_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Nico Golde <> (supplier of updated lxr-cvs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing


Format: 1.8
Date: Sat, 31 Jul 2010 15:57:41 +0200
Source: lxr-cvs
Binary: lxr-cvs
Architecture: source all
Version: 0.9.5+cvs20071020-1.1
Distribution: unstable
Urgency: high
Maintainer: Giacomo Catenazzi <>
Changed-By: Nico Golde <>
Description:
 lxr-cvs    - A general hypertext cross-referencing tool
Closes: 575745 584671 588036 588137
Changes:
 lxr-cvs (0.9.5+cvs20071020-1.1) unstable; urgency=high
   * Non-maintainer upload by the Security Team.
   * Backported upstream security fixes from current release (Closes: #584671).
   * This update addresses the following security issues:
     - CVE-2010-1448: reflected XSS via title tag on search page (Closes: #588036).
     - CVE-2010-1625: reflected XSS in search results page (Closes: #588137).
     - CVE-2009-4497: XSS via the i parameter of the ident script (Closes: #575745).
Checksums-Sha1:
 7492c59dd538b96b12bd44c40b63f04593abb23c 1042 lxr-cvs_0.9.5+cvs20071020-1.1.dsc
 38f50b6fdd65a277319cc67ada39cb10ec515d8e 9601 lxr-cvs_0.9.5+cvs20071020-1.1.diff.gz
 249ecfc78c981a9cb95b037aca2752ad20bf0651 72170 lxr-cvs_0.9.5+cvs20071020-1.1_all.deb
Checksums-Sha256:
 bd53ab6c4def0a7e740c36a6348a470f31fd0bd0046dc975ad7bb3d2bfa6efaf 1042 lxr-cvs_0.9.5+cvs20071020-1.1.dsc
 ff8efd1d2d77bd6ab7937c3c5ae79fb9e876de3149ada951fb967ea736b9e3f6 9601 lxr-cvs_0.9.5+cvs20071020-1.1.diff.gz
 ed77ffc0464e5da4917ad04efd77d8194ec163fd017c8b1fb106e13e10241b4f 72170 lxr-cvs_0.9.5+cvs20071020-1.1_all.deb
Files:
 9508cb537bd58d9d8f7139b9f8bdca34 1042 misc extra lxr-cvs_0.9.5+cvs20071020-1.1.dsc
 7d096b0577c133d6c87b6e37db1425e8 9601 misc extra lxr-cvs_0.9.5+cvs20071020-1.1.diff.gz
 977a60352cb067c67e34cebfdd781f08 72170 misc extra lxr-cvs_0.9.5+cvs20071020-1.1_all.deb



Bug archived. Request was from Debbugs Internal Request <> to (Sun, 05 Sep 2010 07:34:48 GMT)


Debian bug tracking system administrator <>. Last modified: Sat Apr 19 20:44:54 2014; Machine Name:

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.