pcs: CVE-2017-2661: Improper node name field validation when creating clusters leads to XSS


Debian Bug report logs - #858379


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 21 Mar 2017 18:09:04 UTC

Severity: important

Tags: security, upstream

Found in version pcs/0.9.155+dfsg-1

Fixed in version pcs/0.9.155+dfsg-2

Done: Valentin Vidic <Valentin.Vidic@CARNet.hr>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>:
Bug#858379; Package src:pcs. (Tue, 21 Mar 2017 18:09:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>. (Tue, 21 Mar 2017 18:09:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pcs: CVE-2017-2661: Improper node name field validation when creating clusters leads to XSS
Date: Tue, 21 Mar 2017 19:08:13 +0100
Source: pcs
Version: 0.9.155+dfsg-1
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for pcs.

CVE-2017-2661[0]:
Improper node name field validation when creating clusters leads to XSS

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2661
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2661
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1428948

Regards,
Salvatore



Reply sent to Valentin Vidic <Valentin.Vidic@CARNet.hr>:
You have taken responsibility. (Wed, 22 Mar 2017 07:36:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 22 Mar 2017 07:36:07 GMT)


Message #10 received at 858379-close@bugs.debian.org:

From: Valentin Vidic <Valentin.Vidic@CARNet.hr>
To: 858379-close@bugs.debian.org
Subject: Bug#858379: fixed in pcs 0.9.155+dfsg-2
Date: Wed, 22 Mar 2017 07:33:44 +0000
Source: pcs
Source-Version: 0.9.155+dfsg-2

We believe that the bug you reported is fixed in the latest version of
pcs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 858379@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Valentin Vidic <Valentin.Vidic@CARNet.hr> (supplier of updated pcs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 21 Mar 2017 20:37:55 +0100
Source: pcs
Binary: pcs
Architecture: source
Version: 0.9.155+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian HA Maintainers <debian-ha-maintainers@lists.alioth.debian.org>
Changed-By: Valentin Vidic <Valentin.Vidic@CARNet.hr>
Description:
 pcs        - Pacemaker Configuration System
Closes: 858379
Changes:
 pcs (0.9.155+dfsg-2) unstable; urgency=medium
 .
   * Add upstream fix for CVE-2017-2661 (Closes: #858379)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 21 Apr 2017 07:31:22 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:14:27 2019; Machine Name: buxtehude
