[CVE-2007-4048] XSS vulnerability


Debian Bug report logs - #435935


Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Sat, 4 Aug 2007 11:03:01 UTC

Severity: normal

Tags: fixed-upstream, patch, security

Found in version phpsysinfo/2.5.1-6

Fixed in versions phpsysinfo/3.0~rc3-1, phpsysinfo/2.5.1-6.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Frederik Schüler <fs@debian.org>:
Bug#435935; Package phpsysinfo.


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Frederik Schüler <fs@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: [CVE-2007-4048] XSS vulnerability
Date: Sat, 04 Aug 2007 13:00:12 +0200
Package: phpsysinfo
Version: 2.5.1-6
Tags: security

An XSS vulnerability in phpsysinfo has been disclosed:

  <http://example.com/phpsysinfo-path/index.php/XSS>

This is CVE-2007-4048.  Please mention this name in the changelog when
fixing this bug.


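The URL in the report above, index.php/XSS, is the signature of the PATH_INFO flavour of reflected XSS: whatever follows the script name is carried into $_SERVER['PHP_SELF'] (and PATH_INFO), and a page that prints that value unescaped, typically in a self-referencing link, reflects attacker-controlled markup. The changelog later in this log places the fix in system_footer.php. The following Python is an added example, not phpsysinfo's code and not the actual patch; it emulates how PHP_SELF is derived for an assumed install path of /phpsysinfo-path/index.php (taken from the reporter's example URL), shows the vulnerable concatenation beside the escaped form, and gives the check a practitioner would run against a response body from a deployed instance. The probe marker and the footer HTML are constructed for this example.

```python
"""Added illustration of the index.php/<payload> (PATH_INFO) reflected-XSS pattern.

Not phpsysinfo's own code and not the CVE-2007-4048 patch. It assumes the
classic shape of this bug class: a self-link built from the request path
($_SERVER['PHP_SELF'], which carries PATH_INFO) without HTML escaping.
"""
from html import escape
from urllib.parse import quote, unquote, urlsplit

# Assumed install path, taken from the reporter's example URL.
SCRIPT_URL = "http://example.com/phpsysinfo-path/index.php"

# Generic probe marker (constructed for this example), chosen so that any
# unescaped reflection breaks out of an attribute and injects an element.
PROBE_MARKER = '"><svg onload=alert(1)>'


def php_self_from_url(url: str) -> str:
    """Emulate what PHP exposes as $_SERVER['PHP_SELF'] for a request:
    the script path plus trailing PATH_INFO, percent-decoded by the server."""
    return unquote(urlsplit(url).path)


def probe_url(script_url: str, marker: str) -> str:
    """Append the marker as an extra path segment (the index.php/<payload>
    shape from the report), percent-encoded so it survives transport."""
    return script_url.rstrip("/") + "/" + quote(marker, safe="")


def render_footer_vulnerable(php_self: str) -> str:
    """Vulnerable pattern: request path concatenated straight into HTML."""
    return f'<div class="footer"><a href="{php_self}">refresh</a></div>'


def render_footer_fixed(php_self: str) -> str:
    """Hardened form: htmlspecialchars()-style escaping with quotes included,
    because the value lands inside a double-quoted attribute."""
    return f'<div class="footer"><a href="{escape(php_self, quote=True)}">refresh</a></div>'


def reflects_unescaped(body: str, marker: str) -> bool:
    """The check to run on a live instance's response body: a marker that
    comes back byte-for-byte was not escaped on output."""
    return marker in body


def footer_reflects_marker(render, script_url: str, marker: str) -> bool:
    """Drive one renderer end to end: build the probe URL, derive PHP_SELF as
    the server would, render the footer, test for unescaped reflection."""
    body = render(php_self_from_url(probe_url(script_url, marker)))
    return reflects_unescaped(body, marker)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_footer_vulnerable),
                         ("fixed", render_footer_fixed)):
        hit = footer_reflects_marker(render, SCRIPT_URL, PROBE_MARKER)
        print(f"{name:10s} reflects marker unescaped: {hit}")
```

The hardened renderer escapes at the point of output, which is the minimal fix for this class. Not emitting PHP_SELF at all (a fixed relative link, or SCRIPT_NAME, which excludes PATH_INFO) removes the sink entirely, and on Apache `AcceptPathInfo Off` stops index.php/anything from being routed to the script where path info is not needed.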

Information forwarded to debian-bugs-dist@lists.debian.org, Frederik Schüler <fs@debian.org>:
Bug#435935; Package phpsysinfo.


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Frederik Schüler <fs@debian.org>.


Message #10 received at 435935@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 435935@bugs.debian.org, 435936@bugs.debian.org, 435937@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Patch for this issue
Date: Wed, 29 Aug 2007 01:35:06 +0200
[Message part 1 (text/plain, inline)]
tags 435935 +patch +fixed-upstream
tags 435936 +patch +fixed-upstream
tags 435937 +patch
tags 

thanks

Hi,

Please find attached a quite trivial patch for this issue, extracted from the 
new upstream 2.5.4 release. Please apply, and mention the CVE id 
CVE-2007-4048 in the changelog when uploading. Thanks!


Thijs
[CVE-2007-4048.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Tags added: patch. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Tue, 28 Aug 2007 23:39:04 GMT)


Tags added: fixed-upstream. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Wed, 29 Aug 2007 00:33:06 GMT)


Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.


Message #19 received at 435935-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 435935-close@bugs.debian.org
Subject: Bug#435935: fixed in phpsysinfo 2.5.1-6.1
Date: Sun, 02 Sep 2007 12:17:05 +0000
Source: phpsysinfo
Source-Version: 2.5.1-6.1

We believe that the bug you reported is fixed in the latest version of
phpsysinfo, which is due to be installed in the Debian FTP archive:

phpsysinfo_2.5.1-6.1.diff.gz
  to pool/main/p/phpsysinfo/phpsysinfo_2.5.1-6.1.diff.gz
phpsysinfo_2.5.1-6.1.dsc
  to pool/main/p/phpsysinfo/phpsysinfo_2.5.1-6.1.dsc
phpsysinfo_2.5.1-6.1_all.deb
  to pool/main/p/phpsysinfo/phpsysinfo_2.5.1-6.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 435935@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated phpsysinfo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 02 Sep 2007 13:29:49 +0200
Source: phpsysinfo
Binary: phpsysinfo
Architecture: source all
Version: 2.5.1-6.1
Distribution: unstable
Urgency: high
Maintainer: Frederik Schüler <fs@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 phpsysinfo - PHP based host information
Closes: 435935
Changes: 
 phpsysinfo (2.5.1-6.1) unstable; urgency=high
 .
   * Non-maintainer upload by testing security team.
   * Included cve-2007-4048.diff to fix a cross-site-scripting
     vulnerability in system_footer.php (CVE-2007-4048) (Closes: #435935).
Files: 
 34606e2fa2981de0a8e96850ae284a17 585 web optional phpsysinfo_2.5.1-6.1.dsc
 4d2cb0f2facd3de32c11a88084d63dfd 14593 web optional phpsysinfo_2.5.1-6.1.diff.gz
 023720a799a7f0675d9d130042587f17 204618 web optional phpsysinfo_2.5.1-6.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG2qcwHYflSXNkfP8RAkmBAKCG8EpYKGEY69X9ThofiAYVbGUuzQCfb4ls
4v1ue/AOy8fyNbiVW5Oa6Vs=
=9Jwo
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Frederik Schüler <fs@debian.org>:
Bug#435935; Package phpsysinfo.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Frederik Schüler <fs@debian.org>.


Message #24 received at 435935@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 435937@bugs.debian.org
Subject: Re: [CVE-2007-4048] XSS vulnerability
Date: Sun, 2 Sep 2007 14:04:58 +0200
[Message part 1 (text/plain, inline)]
Hi,
First sent to the wrong bug number :(
I intend to 0-day NMU this bug.
I attached a patch for the NMU, it will be also archived on:
http://people.debian.org/~nion/nmu-diff/phpsysinfo_2.5.1-6-2.5.1-6.1.patch

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 04 Oct 2007 07:30:29 GMT)


Bug unarchived. Request was from Lucas Nussbaum <lucas@lucas-nussbaum.net> to control@bugs.debian.org. (Sat, 09 Aug 2008 18:02:32 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Frederik Schüler <fs@debian.org>:
Bug#435935; Package phpsysinfo. (Sat, 07 Mar 2009 13:03:02 GMT)


Acknowledgement sent to Bjoern Boschman <bjoern@boschman.de>:
Extra info received and forwarded to list. Copy sent to Frederik Schüler <fs@debian.org>. (Sat, 07 Mar 2009 13:03:02 GMT)


Message #33 received at 435935@bugs.debian.org:

From: Bjoern Boschman <bjoern@boschman.de>
To: 435935@bugs.debian.org
Cc: lucas@lucas-nussbaum.net, nion@debian.org, fs@debian.org
Subject: unarchived bug
Date: Sat, 07 Mar 2009 14:01:09 +0100
Hi Lucas,

you're right that this bug has never been mentioned in the changelog.
The fix was made by Nion but never made its way into either 
unstable/testing or debian-security for etch at that time.

It was bad timing overall, because two days after Nion's NMU I asked fs 
to sponsor the upload of a complete new upstream release in which the bug 
had already been fixed, and I hadn't even been aware of that bug.


From my point of view there are currently two issues to deal with.

First and more important: Why is this fix not in debian-security for 
oldstable?
Secondly how to handle the missing changelog entry?


BR
Bjoern




Information forwarded to debian-bugs-dist@lists.debian.org, Frederik Schüler <fs@debian.org>:
Bug#435935; Package phpsysinfo. (Sat, 07 Mar 2009 13:39:02 GMT)


Acknowledgement sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
Extra info received and forwarded to list. Copy sent to Frederik Schüler <fs@debian.org>. (Sat, 07 Mar 2009 13:39:02 GMT)


Message #38 received at 435935@bugs.debian.org:

From: Lucas Nussbaum <lucas@lucas-nussbaum.net>
To: Bjoern Boschman <bjoern@boschman.de>
Cc: 435935@bugs.debian.org, nion@debian.org, fs@debian.org
Subject: Re: unarchived bug
Date: Sat, 7 Mar 2009 14:37:49 +0100
On 07/03/09 at 14:01 +0100, Bjoern Boschman wrote:
> Hi Lucas,
>
> you're right that this bug has never been mentioned in the changelog.
> The fix was made by Nion but never made its way into either  
> unstable/testing or debian-security for etch at that time.
>
> It was bad timing overall, because two days after Nion's NMU I asked fs  
> to sponsor the upload of a complete new upstream release in which the bug  
> had already been fixed, and I hadn't even been aware of that bug.
>
>
> From my point of view there are currently two issues to deal with.
>
> First and more important: Why is this fix not in debian-security for  
> oldstable?

not sure. was it fixed in unstable only, or also in stable (at the
time)?

> Secondly how to handle the missing changelog entry?

just manually version-close it with the version it was fixed:
<-------
To: nnn-done@bugs.debian.org

Version: 1.1.1.1-1

This bug was fixed in version 1.1.1.1-1
-------->
-- 
| Lucas Nussbaum
| lucas@lucas-nussbaum.net   http://www.lucas-nussbaum.net/ |
| jabber: lucas@nussbaum.fr             GPG: 1024D/023B3F4F |




Information forwarded to debian-bugs-dist@lists.debian.org, Frederik Schüler <fs@debian.org>:
Bug#435935; Package phpsysinfo. (Sat, 07 Mar 2009 14:57:02 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Frederik Schüler <fs@debian.org>. (Sat, 07 Mar 2009 14:57:02 GMT)


Message #43 received at 435935@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Lucas Nussbaum <lucas@lucas-nussbaum.net>
Cc: Bjoern Boschman <bjoern@boschman.de>, 435935@bugs.debian.org, fs@debian.org
Subject: Re: unarchived bug
Date: Sat, 7 Mar 2009 15:53:11 +0100
[Message part 1 (text/plain, inline)]
Hi,
* Lucas Nussbaum <lucas@lucas-nussbaum.net> [2009-03-07 15:43]:
> On 07/03/09 at 14:01 +0100, Bjoern Boschman wrote:
[...] 
> > From my point of view there are currently two issues to deal with.
> >
> > First and more important: Why is this fix not in debian-security for  
> > oldstable?
> 
> not sure. was it fixed in unstable only, or also in stable (at the
> time)?

At the time of doing this update I did not work on security 
issues affecting stable, we still don't have one security 
team for both.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Frederik Schüler <fs@debian.org>:
Bug#435935; Package phpsysinfo. (Sat, 07 Mar 2009 15:03:13 GMT)


Acknowledgement sent to Bjoern Boschman <bjoern@boschman.de>:
Extra info received and forwarded to list. Copy sent to Frederik Schüler <fs@debian.org>. (Sat, 07 Mar 2009 15:03:13 GMT)


Message #48 received at 435935@bugs.debian.org:

From: Bjoern Boschman <bjoern@boschman.de>
To: Lucas Nussbaum <lucas@lucas-nussbaum.net>
Cc: 435935@bugs.debian.org, nion@debian.org, fs@debian.org
Subject: Re: unarchived bug
Date: Sat, 07 Mar 2009 16:02:08 +0100
Hi Lucas,

Lucas Nussbaum schrieb:
>> First and more important: Why is this fix not in debian-security for  
>> oldstable?
> 
> not sure. was it fixed in unstable only, or also in stable (at the
> time)?

it was only fixed in unstable that time. The version currently available 
via oldstable/etch is still vulnerable.

> 
>> Secondly how to handle the missing changelog entry?
> 
> just manually version-close it with the version it was fixed:

Ok, I'll do this as soon as a DSA is available for oldstable.


BR
Bjoern




Message #49 received at 435935-done@bugs.debian.org:

From: Björn Boschman <bjoern@boschman.de>
To: 435935-done@bugs.debian.org
Subject: dead bug
Date: Sun, 22 Nov 2009 18:25:44 +0100


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#435935; Package phpsysinfo. (Tue, 19 Apr 2011 11:30:03 GMT)


Acknowledgement sent to Bjoern Boschman <bjoern@boschman.de>:
Extra info received and forwarded to list. (Tue, 19 Apr 2011 11:30:04 GMT)


Message #54 received at 435935@bugs.debian.org:

From: Bjoern Boschman <bjoern@boschman.de>
To: 435935@bugs.debian.org
Subject: dead bugreport
Date: Tue, 19 Apr 2011 13:21:12 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

close 435935 3.0~rc3-1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2tcCgACgkQABMWRpwdNunYnwCgidFEib4+BCA3AxcMNKg9QK5o
XkEAoJcMq+FbetdeBrjVZ3UDJ/CwwR+6
=1XTu
-----END PGP SIGNATURE-----




Marked as fixed in versions phpsysinfo/3.0~rc3-1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Sat, 02 Nov 2013 15:57:46 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Dec 2013 07:33:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:53:50 2019; Machine Name: beach
