Multiples XSS in index.php (CVE-2013-7351)


Debian Bug report logs - #743252

Reported by: David Prévot <taffit@debian.org>

Date: Mon, 31 Mar 2014 22:42:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version shaarli/0.0.41~beta~dfsg2-3

Fixed in version shaarli/0.0.41~beta~dfsg2-4

Done: Emilien Klein <emilien+debian@klein.st>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/sebsauvage/Shaarli/issues/134



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Emilien Klein <emilien+debian@klein.st>:
Bug#743252; Package shaarli. (Mon, 31 Mar 2014 22:42:06 GMT)


Acknowledgement sent to David Prévot <taffit@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Emilien Klein <emilien+debian@klein.st>. (Mon, 31 Mar 2014 22:42:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: David Prévot <taffit@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiples XSS in index.php
Date: Mon, 31 Mar 2014 18:38:55 -0400
Package: shaarli
Version: 0.0.41~beta~dfsg2-3
Severity: grave
Tags: security patch upstream
Control: forward -1 https://github.com/sebsauvage/Shaarli/issues/134
Control: tag -1 fixed-upstream

Hi,

A security issue was fixed a few months ago:

https://github.com/sebsauvage/Shaarli/commit/53da201749f8f362323ef278bf338f1d9f7a925a

Thanks in advance for updating the Debian package.

Regards

David

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (100, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-rc7-amd64 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Added tag(s) fixed-upstream. Request was from David Prévot <taffit@debian.org> to submit@bugs.debian.org. (Mon, 31 Mar 2014 22:42:06 GMT)


Set Bug forwarded-to-address to 'https://github.com/sebsauvage/Shaarli/issues/134'. Request was from David Prévot <taffit@debian.org> to control@bugs.debian.org. (Mon, 31 Mar 2014 23:18:08 GMT)


Changed Bug title to 'Multiples XSS in index.php (CVE-2013-7351)' from 'Multiples XSS in index.php'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 01 Apr 2014 18:24:21 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Emilien Klein <emilien+debian@klein.st>:
Bug#743252; Package shaarli. (Tue, 01 Apr 2014 18:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Emilien Klein <emilien+debian@klein.st>. (Tue, 01 Apr 2014 18:27:05 GMT)


Message #16 received at 743252@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: David Prévot <taffit@debian.org>, 743252@bugs.debian.org
Subject: Re: Bug#743252: Multiples XSS in index.php
Date: Tue, 1 Apr 2014 20:24:03 +0200
Hi,

On Mon, Mar 31, 2014 at 06:38:55PM -0400, David Prévot wrote:
> Package: shaarli
> Version: 0.0.41~beta~dfsg2-3
> Severity: grave
> Tags: security patch upstream
> Control: forward -1 https://github.com/sebsauvage/Shaarli/issues/134
> Control: tag -1 fixed-upstream
> 
> Hi,
> 
> A security issue was fixed a few months ago:
> 
> https://github.com/sebsauvage/Shaarli/commit/53da201749f8f362323ef278bf338f1d9f7a925a
> 
> Thanks in advance for updating the Debian package.

A CVE was assigned for these XSS issues: CVE-2013-7351. Please include
this reference also in your changelog when fixing the issue.

Thanks a lot in advance,

Regards,
Salvatore

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#743252; Package shaarli. (Tue, 01 Apr 2014 19:51:10 GMT)


Acknowledgement sent to Emilien Klein <emilien+debian@klein.st>:
Extra info received and forwarded to list. (Tue, 01 Apr 2014 19:51:10 GMT)


Message #21 received at 743252@bugs.debian.org:

From: Emilien Klein <emilien+debian@klein.st>
To: 743252@bugs.debian.org
Cc: David Prévot <taffit@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, Georges Khaznadar <georgesk@debian.org>
Subject: Re: Bug#743252: Multiples XSS in index.php
Date: Tue, 1 Apr 2014 21:48:44 +0200
Hi David, Salvatore and Georges,

2014-04-01 20:24 GMT+02:00 Salvatore Bonaccorso <carnil@debian.org>:
> Hi,
>
> On Mon, Mar 31, 2014 at 06:38:55PM -0400, David Prévot wrote:
>> Package: shaarli
>> Version: 0.0.41~beta~dfsg2-3
>> Severity: grave
>> Tags: security patch upstream
>> Control: forward -1 https://github.com/sebsauvage/Shaarli/issues/134
>> Control: tag -1 fixed-upstream
>>
>> Hi,
>>
>> A security issue was fixed a few months ago:
>>
>> https://github.com/sebsauvage/Shaarli/commit/53da201749f8f362323ef278bf338f1d9f7a925a
>>
>> Thanks in advance for updating the Debian package.
>
> A CVE was assigned for these XSS issues: CVE-2013-7351. Please include
> this reference also in your changelog when fixing the issue.

I have prepared the new package with the fix for the security
vulnerability in Shaarli's collab-maint git repo [0].
As I don't have upload rights (I'm a Debian maintainer, Georges did
the upload of the previous versions), can one of you take care of
uploading the package?

I suppose this would work (see file debian/README.source):

  $ git clone ssh://<user>@git.debian.org/git/collab-maint/shaarli.git
  $ cd shaarli
  $ git checkout -b pristine-tar remotes/origin/pristine-tar
  $ git checkout -b upstream remotes/origin/upstream
  $ git checkout -b dfsg_clean remotes/origin/dfsg_clean
  $ git checkout master

From this point on you should be able to build the package with:
  $ git-buildpackage

And then upload it to the archive.

Let me know how I can help further.
Note: I will be out of the country for the next 3 days starting
tomorrow 06:30, so e-mail responses might be delayed. In case an NMU or
other action would be required on your side to fix this security
issue, I preemptively approve it.
   +Emilien
[0] http://anonscm.debian.org/gitweb/?p=collab-maint/shaarli.git



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#743252; Package shaarli. (Wed, 02 Apr 2014 20:36:05 GMT)


Acknowledgement sent to Emilien Klein <emilien+debian@klein.st>:
Extra info received and forwarded to list. (Wed, 02 Apr 2014 20:36:05 GMT)


Message #26 received at 743252@bugs.debian.org:

From: Emilien Klein <emilien+debian@klein.st>
To: 743252@bugs.debian.org
Cc: David Prévot <taffit@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, Georges Khaznadar <georgesk@debian.org>
Subject: Re: Bug#743252: Multiples XSS in index.php
Date: Wed, 2 Apr 2014 22:32:52 +0200
I have been granted upload rights for Shaarli by Georges, and have
uploaded the package to ftp-master.
Should anything in particular be done (e.g. pushing directly to
testing?) or does this follow the regular upload process?

   +Emilien



Reply sent to Emilien Klein <emilien+debian@klein.st>:
You have taken responsibility. (Wed, 02 Apr 2014 21:24:18 GMT)


Notification sent to David Prévot <taffit@debian.org>:
Bug acknowledged by developer. (Wed, 02 Apr 2014 21:24:18 GMT)


Message #31 received at 743252-close@bugs.debian.org:

From: Emilien Klein <emilien+debian@klein.st>
To: 743252-close@bugs.debian.org
Subject: Bug#743252: fixed in shaarli 0.0.41~beta~dfsg2-4
Date: Wed, 02 Apr 2014 21:21:38 +0000
Source: shaarli
Source-Version: 0.0.41~beta~dfsg2-4

We believe that the bug you reported is fixed in the latest version of
shaarli, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 743252@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilien Klein <emilien+debian@klein.st> (supplier of updated shaarli package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 01 Apr 2014 21:26:06 +0200
Source: shaarli
Binary: shaarli
Architecture: source all
Version: 0.0.41~beta~dfsg2-4
Distribution: unstable
Urgency: low
Maintainer: Emilien Klein <emilien+debian@klein.st>
Changed-By: Emilien Klein <emilien+debian@klein.st>
Description: 
 shaarli    - Personal, minimalist, super-fast and no-database Delicious clone
Closes: 743252
Changes: 
 shaarli (0.0.41~beta~dfsg2-4) unstable; urgency=low
 .
   * Fix multiple XSS in index.php (CVE-2013-7351) (Closes: #743252)
       This is already fixed upstream:
       https://github.com/sebsauvage/Shaarli/issues/134
   * Update Standards-Version to 3.9.5





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 06 May 2014 07:32:33 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jan 25 06:53:03 2021; Machine Name: bembo
