tt-rss: CVE-2017-16896: SQL injection in classes/handler/public.php in the forgotpass component via login parameter

Related Vulnerabilities: CVE-2017-16896  

Debian Bug report logs - #882543


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 23 Nov 2017 20:30:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version tt-rss/17.1+git20170410+dfsg-2

Fixed in version tt-rss/17.4+git20180312+dfsg-1

Done: Sebastian Reichel <sre@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sebastian Reichel <sre@debian.org>:
Bug#882543; Package src:tt-rss. (Thu, 23 Nov 2017 20:30:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sebastian Reichel <sre@debian.org>. (Thu, 23 Nov 2017 20:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tt-rss: CVE-2017-16896: SQL injection in classes/handler/public.php in the forgotpass component via login parameter
Date: Thu, 23 Nov 2017 21:27:22 +0100
Source: tt-rss
Version: 17.1+git20170410+dfsg-2
Severity: important
Tags: patch security upstream

Hi,

the following vulnerability was published for tt-rss.

CVE-2017-16896[0]:
| A SQL injection in classes/handler/public.php in the forgotpass
| component of Tiny Tiny RSS 17.4 exists via the login parameter.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16896
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16896
[1] https://discourse.tt-rss.org/t/sql-injection-in-forgotpass-fixed/669
[2] https://git.tt-rss.org/git/tt-rss/commit/2352c320c2ed34ec7df1ad22f0c55a1b26489815

Regards,
Salvatore



Reply sent to Sebastian Reichel <sre@debian.org>:
You have taken responsibility. (Tue, 13 Mar 2018 21:39:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 13 Mar 2018 21:39:04 GMT)


Message #10 received at 882543-close@bugs.debian.org:

From: Sebastian Reichel <sre@debian.org>
To: 882543-close@bugs.debian.org
Subject: Bug#882543: fixed in tt-rss 17.4+git20180312+dfsg-1
Date: Tue, 13 Mar 2018 21:34:55 +0000
Source: tt-rss
Source-Version: 17.4+git20180312+dfsg-1

We believe that the bug you reported is fixed in the latest version of
tt-rss, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 882543@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Reichel <sre@debian.org> (supplier of updated tt-rss package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 13 Mar 2018 21:51:13 +0100
Source: tt-rss
Binary: tt-rss
Architecture: source all
Version: 17.4+git20180312+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Sebastian Reichel <sre@debian.org>
Changed-By: Sebastian Reichel <sre@debian.org>
Description:
 tt-rss     - Tiny Tiny RSS - web-based news feed (RSS/Atom) aggregator
Closes: 882543 891210
Changes:
 tt-rss (17.4+git20180312+dfsg-1) unstable; urgency=high
 .
   * New upstream snapshot (Closes: #891210)
    - Contains Security Fix for CVE-2017-16896 (Closes: #882543):
      A SQL injection in classes/handler/public.php in the forgotpass
      component of Tiny Tiny RSS 17.4 exists via the login parameter.
   * Update compat to 11
   * Update Debian Standards Version to 4.1.3
   * Switch VCS urls to salsa
   * Drop DISABLED functionality from init.d script. Please use
     'update-rc.d tt-rss disable' instead.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 11 Apr 2018 07:28:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:49:48 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.