yaws cross site scripting

Related Vulnerabilities: CVE-2011-5025  

Debian Bug report logs - #653966


Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Sun, 1 Jan 2012 23:03:02 UTC

Severity: serious

Tags: security

Fixed in version yaws/1.92-1

Done: Sergei Golovan <sgolovan@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>:
Bug#653966; Package yaws. (Sun, 01 Jan 2012 23:03:05 GMT)


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>. (Sun, 01 Jan 2012 23:03:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: yaws cross site scripting
Date: Sun, 1 Jan 2012 23:59:02 +0100
Package: yaws
Severity: serious
Tags: security

Hi,

The following security issue has been reported against yaws:
Multiple cross-site scripting (XSS) vulnerabilities in the wiki application in 
Yaws 1.88 allow remote attackers to inject arbitrary web script or HTML via 
(1) the tag parameter to editTag.yaws, (2) the index parameter to 
showOldPage.yaws, (3) the node parameter to allRefsToMe.yaws, or (4) the text 
parameter to editPage.yaws.

This is tracked at:
http://security-tracker.debian.org/tracker/CVE-2011-5025

Can you please ensure that unstable is fixed for this issue and assert whether 
squeeze and/or lenny need to be fixed as well?


Cheers,
Thijs

Reply sent to Sergei Golovan <sgolovan@debian.org>:
You have taken responsibility. (Wed, 18 Jan 2012 06:21:07 GMT)


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Wed, 18 Jan 2012 06:21:07 GMT)


Message #10 received at 653966-close@bugs.debian.org:

From: Sergei Golovan <sgolovan@debian.org>
To: 653966-close@bugs.debian.org
Subject: Bug#653966: fixed in yaws 1.92-1
Date: Wed, 18 Jan 2012 06:18:44 +0000
Source: yaws
Source-Version: 1.92-1

We believe that the bug you reported is fixed in the latest version of
yaws, which is due to be installed in the Debian FTP archive:

erlang-yaws_1.92-1_i386.deb
  to main/y/yaws/erlang-yaws_1.92-1_i386.deb
yaws-chat_1.92-1_all.deb
  to main/y/yaws/yaws-chat_1.92-1_all.deb
yaws-doc_1.92-1_all.deb
  to main/y/yaws/yaws-doc_1.92-1_all.deb
yaws-mail_1.92-1_all.deb
  to main/y/yaws/yaws-mail_1.92-1_all.deb
yaws-wiki_1.92-1_all.deb
  to main/y/yaws/yaws-wiki_1.92-1_all.deb
yaws-yapp_1.92-1_all.deb
  to main/y/yaws/yaws-yapp_1.92-1_all.deb
yaws_1.92-1.diff.gz
  to main/y/yaws/yaws_1.92-1.diff.gz
yaws_1.92-1.dsc
  to main/y/yaws/yaws_1.92-1.dsc
yaws_1.92-1_all.deb
  to main/y/yaws/yaws_1.92-1_all.deb
yaws_1.92.orig.tar.gz
  to main/y/yaws/yaws_1.92.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 653966@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergei Golovan <sgolovan@debian.org> (supplier of updated yaws package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

Format: 1.8
Date: Wed, 18 Jan 2012 09:46:18 +0400
Source: yaws
Binary: yaws erlang-yaws yaws-doc yaws-chat yaws-mail yaws-wiki yaws-yapp
Architecture: source i386 all
Version: 1.92-1
Distribution: unstable
Urgency: low
Maintainer: Debian Erlang Packagers <pkg-erlang-devel@lists.alioth.debian.org>
Changed-By: Sergei Golovan <sgolovan@debian.org>
Description: 
 erlang-yaws - Erlang application which implements HTTP webserver
 yaws       - High performance HTTP 1.1 webserver written in Erlang
 yaws-chat  - Chat application for Yaws web server
 yaws-doc   - Documentation and examples for Yaws web server
 yaws-mail  - Webmail application for Yaws web server
 yaws-wiki  - Wiki application for Yaws web server
 yaws-yapp  - Provides an easy way to deploy applications for Yaws web server
Closes: 653966
Changes: 
 yaws (1.92-1) unstable; urgency=low
 .
   * New upstream release.
   * Removed patches which fix directory traversal bug and loading external
     drivers for Erlang R15B because they are included into this upstream
     release.
   * Added a few more fixes for compatibility with Erlang R15B.
   * Removed patch which uses external mime.types.
   * Added a patch which fixes CVE-2011-5025 in the yaws-wiki package
     (closes: #653966).
   * Copied acceptor_pool_size option to yaws.conf from the upstream config.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:30:32 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:20:28 2019; Machine Name: buxtehude