Debian Bug report logs - #604060
pootle: XSS via 'match_names' parameter


Package: pootle; Maintainer for pootle is (unknown);

Reported by: Luciano Bello <luciano@debian.org>

Date: Fri, 19 Nov 2010 22:06:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security

Found in version pootle/2.0.5-0.2

Fixed in version pootle/2.0.5-0.3

Done: Alexander Reichle-Schmehl <tolimar@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>:
Bug#604060; Package pootle. (Fri, 19 Nov 2010 22:06:04 GMT)


Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>. (Fri, 19 Nov 2010 22:06:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: pootle: XSS via 'match_names' parameter
Date: Fri, 19 Nov 2010 18:57:54 -0300
Package: pootle
Version: 2.0.5-0.2

Severity: grave
Tags: patch, security, fixed-upstream

The security team had been notified by Friedel Wolff (pootle upstream) that there is
an XSS vulnerability in pootle. He provided a patch:
http://translate.svn.sourceforge.net/viewvc/translate/src/branches/Pootle-2.0/Pootle/local_apps/pootle_app/views/language/translate_page.py?view=patch&r1=16172&r2=16171&pathrev=16172

This bug doesn't affect stable. There is no CVE assigned.

Thanks, luciano
Severity set to 'grave' from 'normal'. Request was from Luciano Bello <luciano@debian.org> to control@bugs.debian.org. (Fri, 19 Nov 2010 22:21:04 GMT)


Added tag(s) security, fixed-upstream, and patch. Request was from Luciano Bello <luciano@debian.org> to control@bugs.debian.org. (Fri, 19 Nov 2010 22:21:05 GMT)


Added tag(s) pending. Request was from Alexander Reichle-Schmehl <tolimar@debian.org> to control@bugs.debian.org. (Mon, 29 Nov 2010 17:00:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>:
Bug#604060; Package pootle. (Mon, 29 Nov 2010 17:09:08 GMT)


Acknowledgement sent to Alexander Reichle-Schmehl <tolimar@debian.org>:
Extra info received and forwarded to list. Copy sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>. (Mon, 29 Nov 2010 17:09:09 GMT)


Message #16 received at 604060@bugs.debian.org:

From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: 604060@bugs.debian.org
Subject: pootle: diff for NMU version 2.0.5-0.3
Date: Mon, 29 Nov 2010 17:57:27 +0100
tags 604060 + patch
tags 604060 + pending
thanks

Dear maintainer,

I've prepared an NMU for pootle (versioned as 2.0.5-0.3) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.
[pootle-2.0.5-0.3-nmu.diff (text/x-diff, attachment)]

Reply sent to Alexander Reichle-Schmehl <tolimar@debian.org>:
You have taken responsibility. (Wed, 01 Dec 2010 17:21:10 GMT)


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Wed, 01 Dec 2010 17:21:10 GMT)


Message #21 received at 604060-close@bugs.debian.org:

From: Alexander Reichle-Schmehl <tolimar@debian.org>
To: 604060-close@bugs.debian.org
Subject: Bug#604060: fixed in pootle 2.0.5-0.3
Date: Wed, 01 Dec 2010 17:17:25 +0000
Source: pootle
Source-Version: 2.0.5-0.3

We believe that the bug you reported is fixed in the latest version of
pootle, which is due to be installed in the Debian FTP archive:

pootle_2.0.5-0.3.diff.gz
  to main/p/pootle/pootle_2.0.5-0.3.diff.gz
pootle_2.0.5-0.3.dsc
  to main/p/pootle/pootle_2.0.5-0.3.dsc
pootle_2.0.5-0.3_all.deb
  to main/p/pootle/pootle_2.0.5-0.3_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 604060@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Reichle-Schmehl <tolimar@debian.org> (supplier of updated pootle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 29 Nov 2010 17:47:31 +0100
Source: pootle
Binary: pootle
Architecture: source all
Version: 2.0.5-0.3
Distribution: unstable
Urgency: medium
Maintainer: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
Changed-By: Alexander Reichle-Schmehl <tolimar@debian.org>
Description: 
 pootle     - Web-based translation and translation management tool
Closes: 604060
Changes: 
 pootle (2.0.5-0.3) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix XSS vulnerability with patch in
     local_apps/pootle_app/views/language/translate_page.py
     Thanks to Luciano Bello and Friedel Wolff for the notification
     (Closes: #604060)
   * Set urgency medium due to RC bug fix

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 04 Jan 2011 07:35:27 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 01:39:30 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.