Debian Bug report logs - #678737
[CVE-2012-3362] extplorer CSRF

Package: extplorer; Maintainer for extplorer is Thomas Goirand <zigo@debian.org>; Source for extplorer is src:extplorer.

Reported by: Thomas Goirand <zigo@debian.org>

Date: Sun, 24 Jun 2012 08:03:05 UTC

Severity: grave

Tags: security

Fixed in versions 2.1.0b6+dfsg.2-1+squeeze1, extplorer/2.1.0b6+dfsg.3-3

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#678737; Package extplorer. (Sun, 24 Jun 2012 08:03:07 GMT)

Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
New Bug report received and forwarded. (Sun, 24 Jun 2012 08:03:08 GMT)

Message #5 received at submit@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Cross site request forgery
Date: Sun, 24 Jun 2012 16:01:26 +0800
Package: extplorer
Severity: grave

As per:
http://www.autosectools.com/Advisories/eXtplorer.2.1.RC3_Cross-site.Request.Forgery_174.html

there's a CSRF security issue in eXtplorer.
Patch is on its way, I'm just opening a bug report to track it.

Thomas




Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Sun, 24 Jun 2012 10:05:10 GMT)

Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Sun, 24 Jun 2012 10:05:11 GMT)

Message #10 received at 678737-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 678737-close@bugs.debian.org
Subject: Bug#678737: fixed in extplorer 2.1.0b6+dfsg.3-3
Date: Sun, 24 Jun 2012 09:47:34 +0000
Source: extplorer
Source-Version: 2.1.0b6+dfsg.3-3

We believe that the bug you reported is fixed in the latest version of
extplorer, which is due to be installed in the Debian FTP archive:

extplorer_2.1.0b6+dfsg.3-3.debian.tar.gz
  to main/e/extplorer/extplorer_2.1.0b6+dfsg.3-3.debian.tar.gz
extplorer_2.1.0b6+dfsg.3-3.dsc
  to main/e/extplorer/extplorer_2.1.0b6+dfsg.3-3.dsc
extplorer_2.1.0b6+dfsg.3-3_all.deb
  to main/e/extplorer/extplorer_2.1.0b6+dfsg.3-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 678737@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated extplorer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 22 Jun 2012 13:48:15 +0000
Source: extplorer
Binary: extplorer
Architecture: source all
Version: 2.1.0b6+dfsg.3-3
Distribution: unstable
Urgency: high
Maintainer: Thomas Goirand <zigo@debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 extplorer  - web file explorer and manager using Ext JS
Closes: 678737
Changes: 
 extplorer (2.1.0b6+dfsg.3-3) unstable; urgency=high
 .
   * Fixes a Cross Site Request forgery security problem if user is logged
   by applying upstream patch (Closes: #678737).
   * Bumps to compat level 8 and debhelper 8.
   * Added build-arch and build-indep targets in debian/rules.
   * Standards-Version is now 3.9.3.
   * Now uses format 1.0 for debian/copyright.
   * Removed leading article in short desc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAk/m4NAACgkQl4M9yZjvmkkw+gCeJSjW9/vgpTznQEAStz0z0PfI
6n8AoI2HOpYXJ6H4wBfYOwHvxmjHtgJW
=TmU+
-----END PGP SIGNATURE-----





Added tag(s) security. Request was from Touko Korpela <touko.korpela@iki.fi> to control@bugs.debian.org. (Sun, 24 Jun 2012 15:24:11 GMT)

Marked as fixed in versions 2.1.0b6+dfsg.2-1+squeeze1. Request was from Thomas Goirand <zigo@debian.org> to control@bugs.debian.org. (Sun, 24 Jun 2012 16:09:46 GMT)

Changed Bug title to '[CVE-2012-3362] extplorer CSRF' from 'Cross site request forgery' Request was from Luciano Bello <luciano@debian.org> to control@bugs.debian.org. (Wed, 04 Jul 2012 19:00:10 GMT)

Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Fri, 13 Jul 2012 00:05:57 GMT)

Notification sent to Thomas Goirand <zigo@debian.org>:
Bug acknowledged by developer. (Fri, 13 Jul 2012 00:07:24 GMT)

Message #21 received at 678737-close@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 678737-close@bugs.debian.org
Subject: Bug#678737: fixed in extplorer 2.1.0b6+dfsg.2-1+squeeze1
Date: Fri, 13 Jul 2012 00:02:07 +0000
Source: extplorer
Source-Version: 2.1.0b6+dfsg.2-1+squeeze1

We believe that the bug you reported is fixed in the latest version of
extplorer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 678737@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Goirand <zigo@debian.org> (supplier of updated extplorer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 22 Jun 2012 18:24:34 +0800
Source: extplorer
Binary: extplorer
Architecture: source all
Version: 2.1.0b6+dfsg.2-1+squeeze1
Distribution: stable-security
Urgency: low
Maintainer: Thomas Goirand <zigo@debian.org>
Changed-By: Thomas Goirand <zigo@debian.org>
Description: 
 extplorer  - a web file explorer and manager using Ext JS
Closes: 678737
Changes: 
 extplorer (2.1.0b6+dfsg.2-1+squeeze1) stable-security; urgency=low
 .
   * CVE-2012-3362: fixes a CSRF (Closes: #678737).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk/4zuoACgkQl4M9yZjvmkljRQCgsFfkvfO5/BMycfmE9PrhbZ09
WQAAn1aCi4k8+KNyvuruJRTmQqDctKvS
=CQc6
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:28:44 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 15:50:26 2014; Machine Name: buxtehude.debian.org