
Debian Bug report logs - #746626
sks: CVE-2014-3207: non-persistent XSS


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 2 May 2014 04:15:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Fixed in versions sks/1.1.5-1, sks/1.1.3-2+deb7u1

Done: Christoph Martin <christoph.martin@uni-mainz.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christoph Martin <christoph.martin@uni-mainz.de>:
Bug#746626; Package src:sks. (Fri, 02 May 2014 04:15:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christoph Martin <christoph.martin@uni-mainz.de>. (Fri, 02 May 2014 04:15:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sks: non-persistent XSS
Date: Fri, 02 May 2014 06:11:43 +0200
Source: sks
Severity: important
Tags: security upstream fixed-upstream

Hi

A non-persistent XSS vulnerability was found in sks. A CVE is not
(yet) assigned. See [0], [1] and [2] for details:

 [0] http://www.openwall.com/lists/oss-security/2014/05/01/16
 [1] https://bitbucket.org/skskeyserver/sks-keyserver/issue/26/unfiltered-xss
 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=952077

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Martin <christoph.martin@uni-mainz.de>:
Bug#746626; Package src:sks. (Mon, 05 May 2014 04:51:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Martin <christoph.martin@uni-mainz.de>. (Mon, 05 May 2014 04:51:05 GMT)


Message #10 received at 746626@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 746626@bugs.debian.org
Subject: Re: Bug#746626: sks: non-persistent XSS
Date: Mon, 5 May 2014 06:48:45 +0200
Control: retitle 746626 sks: CVE-2014-3207: non-persistent XSS

Hi,

On Fri, May 02, 2014 at 06:11:43AM +0200, Salvatore Bonaccorso wrote:
> A non-persistent XSS vulnerability was found in sks. A CVE is not
> (yet) assigned. See [0], [1] and [2] for details:
> 
>  [0] http://www.openwall.com/lists/oss-security/2014/05/01/16
>  [1] https://bitbucket.org/skskeyserver/sks-keyserver/issue/26/unfiltered-xss
>  [2] https://bugzilla.mozilla.org/show_bug.cgi?id=952077

A CVE was assigned now for this issue: CVE-2014-3207. Could you please
include this for reference in your changelog when fixing the issue?

Regards,
Salvatore



Changed Bug title to 'sks: CVE-2014-3207: non-persistent XSS' from 'sks: non-persistent XSS'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 746626-submit@bugs.debian.org. (Mon, 05 May 2014 04:51:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Martin <christoph.martin@uni-mainz.de>:
Bug#746626; Package src:sks. (Tue, 06 May 2014 13:39:09 GMT)


Acknowledgement sent to "Jeremy T. Bouse" <jbouse@debian.org>:
Extra info received and forwarded to list. Copy sent to Christoph Martin <christoph.martin@uni-mainz.de>. (Tue, 06 May 2014 13:39:09 GMT)


Message #17 received at 746626@bugs.debian.org:

From: "Jeremy T. Bouse" <jbouse@debian.org>
To: 746626@bugs.debian.org
Subject: re: sks: CVE-2014-3207: non-persistent XSS
Date: Tue, 06 May 2014 09:09:24 -0400

This is quickly going to be a major issue for anyone running a public
SKS server like myself. Due to the vulnerability fixed by 1.1.5 this
is now becoming the minimum version and hosts not running it will
begin to be dropped from the publicly available pools. Effective
immediately it is the minimum for subset.pool.sks-keyservers.net and
there is currently a 45-60 day grace to get hosts in the
hkps.pool.sks-keyservers.net SSL-enabled pool upgraded before it
becomes the minimum version.



Reply sent to Christoph Martin <christoph.martin@uni-mainz.de>:
You have taken responsibility. (Mon, 19 May 2014 13:06:21 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 19 May 2014 13:06:22 GMT)


Message #22 received at 746626-close@bugs.debian.org:

From: Christoph Martin <christoph.martin@uni-mainz.de>
To: 746626-close@bugs.debian.org
Subject: Bug#746626: fixed in sks 1.1.5-1
Date: Mon, 19 May 2014 13:03:55 +0000
Source: sks
Source-Version: 1.1.5-1

We believe that the bug you reported is fixed in the latest version of
sks, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 746626@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Martin <christoph.martin@uni-mainz.de> (supplier of updated sks package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 16 May 2014 15:54:30 +0200
Source: sks
Binary: sks
Architecture: source amd64
Version: 1.1.5-1
Distribution: unstable
Urgency: low
Maintainer: Christoph Martin <christoph.martin@uni-mainz.de>
Changed-By: Christoph Martin <christoph.martin@uni-mainz.de>
Description: 
 sks        - Synchronizing OpenPGP Key Server
Closes: 600194 716838 741912 742916 746626
Changes: 
 sks (1.1.5-1) unstable; urgency=low
 .
   [ Christoph Martin ]
   * new upstream
     - fixes CVE-2014-3207: non-persistent XSS (closes: 746626)
     - correctly handle option max_matches (closes: 742916)
     - correct documentation of dump command (closes: 600194)
   * add pgp signature option to watch file
   * remove /var/lib/sks and /var/backup/sks on purge (closes: 716838)
   * note active Berkeley DB on new install (closes: 741912)
Checksums-Sha1: 
Checksums-Sha256: 
Files: 





Reply sent to Christoph Martin <christoph.martin@uni-mainz.de>:
You have taken responsibility. (Tue, 24 Jun 2014 07:21:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 24 Jun 2014 07:21:10 GMT)


Message #27 received at 746626-close@bugs.debian.org:

From: Christoph Martin <christoph.martin@uni-mainz.de>
To: 746626-close@bugs.debian.org
Subject: Bug#746626: fixed in sks 1.1.3-2+deb7u1
Date: Tue, 24 Jun 2014 07:18:17 +0000
Source: sks
Source-Version: 1.1.3-2+deb7u1

We believe that the bug you reported is fixed in the latest version of
sks, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 746626@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Martin <christoph.martin@uni-mainz.de> (supplier of updated sks package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 19 May 2014 13:36:04 +0200
Source: sks
Binary: sks
Architecture: source amd64
Version: 1.1.3-2+deb7u1
Distribution: stable
Urgency: high
Maintainer: Christoph Martin <christoph.martin@uni-mainz.de>
Changed-By: Christoph Martin <christoph.martin@uni-mainz.de>
Description: 
 sks        - Synchronizing OpenPGP Key Server
Closes: 709322 741912 746626
Changes: 
 sks (1.1.3-2+deb7u1) stable; urgency=high
 .
   [ Daniel Kahn Gillmor ]
   * avoid trying to upgrade DB_CONFIG (Closes: #709322)
 .
   [ Christoph Martin ]
   * fix cross-site scripting bug (CVE-2014-3207) (closes: 746626)
   * note active Berkeley DB on new install (closes: 741912)
Checksums-Sha1: 
Checksums-Sha256: 
Files: 





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 22 Jul 2014 07:28:32 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:47:35 2019; Machine Name: buxtehude
