xhprof: CVE-2013-4433: XSS

Related Vulnerabilities: CVE-2013-4433  

Debian Bug report logs - #726284

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 14 Oct 2013 05:27:02 UTC

Severity: grave

Tags: security

Fixed in version xhprof/0.9.4-1

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#726284; Package xhprof. (Mon, 14 Oct 2013 05:27:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>. (Mon, 14 Oct 2013 05:27:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xhprof: XSS (no CVE yet)
Date: Mon, 14 Oct 2013 07:18:21 +0200
Package: xhprof
Severity: grave
Tags: security
Justification: user security hole

Hi,
fixed in 0.9.4: http://pecl.php.net/package-changelog.php?package=xhprof&release=0.9.4
http://www.openwall.com/lists/oss-security/2013/10/14/1

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#726284; Package xhprof. (Wed, 16 Oct 2013 06:12:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. (Wed, 16 Oct 2013 06:12:05 GMT)


Message #10 received at 726284@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 726284@bugs.debian.org
Subject: Re: Bug#726284: xhprof: XSS (no CVE yet)
Date: Wed, 16 Oct 2013 08:10:38 +0200
Control: retitle -1 xhprof: CVE-2013-4433: XSS

Hi

On Mon, Oct 14, 2013 at 07:18:21AM +0200, Moritz Muehlenhoff wrote:
> Package: xhprof
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> fixed in 0.9.4: http://pecl.php.net/package-changelog.php?package=xhprof&release=0.9.4
> http://www.openwall.com/lists/oss-security/2013/10/14/1

A CVE was now assigned to this issue, retitling the bug report
accordingly.

(Please include the CVE in the changelog when fixing this issue).

Regards,
Salvatore



Changed Bug title to 'xhprof: CVE-2013-4433: XSS' from 'xhprof: XSS (no CVE yet)' Request was from Salvatore Bonaccorso <carnil@debian.org> to 726284-submit@bugs.debian.org. (Wed, 16 Oct 2013 06:12:05 GMT)


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Wed, 16 Oct 2013 17:36:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 16 Oct 2013 17:36:06 GMT)


Message #17 received at 726284-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 726284-close@bugs.debian.org
Subject: Bug#726284: fixed in xhprof 0.9.4-1
Date: Wed, 16 Oct 2013 17:33:49 +0000
Source: xhprof
Source-Version: 0.9.4-1

We believe that the bug you reported is fixed in the latest version of
xhprof, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 726284@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated xhprof package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 16 Oct 2013 08:03:30 +0000
Source: xhprof
Binary: php5-xhprof
Architecture: source amd64
Version: 0.9.4-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description: 
 php5-xhprof - Hierarchical Profiler for PHP5
Closes: 726284 726496
Changes: 
 xhprof (0.9.4-1) unstable; urgency=high
 .
   * New upstream release, fixing CVE-2013-4433 (closes: #726284).
 .
   [ Colin Watson <cjwatson@ubuntu.com> ]
   * Build with -g on aarch64-linux-gnu, not (pre-DWARF) -gstabs
     (closes: #726496).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 16 Nov 2013 07:33:25 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:53:42 2019; Machine Name: buxtehude
