CVE-2009-4459: uses the title tag before defining the character encoding in a meta tag

Related Vulnerabilities: CVE-2009-4459  

Debian Bug report logs - #563940

Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Wed, 6 Jan 2010 14:03:01 UTC

Severity: serious

Tags: security

Fixed in version redmine/0.9.1-1

Done: Jérémy Lal <kapouer@melix.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jérémy Lal <kapouer@melix.org>:
Bug#563940; Package redmine. (Wed, 06 Jan 2010 14:03:04 GMT).


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jérémy Lal <kapouer@melix.org>. (Wed, 06 Jan 2010 14:03:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-4459: uses the title tag before defining the character encoding in a meta tag
Date: Wed, 06 Jan 2010 15:00:45 +0100
Package: redmine
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for redmine.

CVE-2009-4459[0]:
| Redmine 0.8.7 and earlier uses the title tag before defining the
| character encoding in a meta tag, which allows remote attackers to
| conduct cross-site scripting (XSS) attacks and inject arbitrary script
| via UTF-7 encoded values in the title parameter to a new issue page,
| which may be interpreted as script by Internet Explorer 7 and 8.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4459
    http://security-tracker.debian.org/tracker/CVE-2009-4459


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktEl4oACgkQNxpp46476arH6QCfZ8cbk6gPiNO9TwSNrS6PsESy
xCQAmgNQklC5IywBP46TBDELV+7qdbHE
=xnry
-----END PGP SIGNATURE-----
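The ordering problem named in the CVE text above can be checked mechanically. The following is an added example, not part of the bug report and not Redmine's code: a small Ruby lint that reports whether a page's `<title>` is emitted before any charset declaration. The function name `charset_order` and the sample pages are hypothetical and constructed for illustration.

```ruby
# Added example: lint an HTML page for the ordering flaw behind CVE-2009-4459.
# charset_order and the sample pages are hypothetical, not Redmine code.

# Matches both <meta charset="..."> and the http-equiv Content-Type form.
META_CHARSET   = /<meta\b[^>]*\bcharset\s*=\s*["']?\s*[\w-]+/i
TITLE_OPEN     = /<title\b/i
HEADER_CHARSET = /charset\s*=\s*["']?[\w-]+/i

# Returns :ok, :charset_after_title or :no_charset.
# http_content_type is the response's Content-Type header value, if known.
def charset_order(html, http_content_type = nil)
  # A charset in the HTTP header is known before any markup is parsed,
  # so the position of the meta tag no longer matters.
  return :ok if http_content_type.to_s.match?(HEADER_CHARSET)

  meta_at  = html =~ META_CHARSET
  title_at = html =~ TITLE_OPEN
  return :no_charset if meta_at.nil?
  # Title text that arrives before the encoding is declared can be
  # interpreted under an encoding the browser guessed for itself.
  return :charset_after_title if title_at && title_at < meta_at

  :ok
end

# Constructed sample pages.
TITLE_FIRST = <<~HTML
  <html><head>
  <title>Demo project - New issue</title>
  <meta http-equiv="content-type" content="text/html; charset=utf-8" />
  </head><body></body></html>
HTML

META_FIRST = <<~HTML
  <html><head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8" />
  <title>Demo project - New issue</title>
  </head><body></body></html>
HTML

NO_META = "<html><head><title>Demo project</title></head><body></body></html>"

{ "title first" => TITLE_FIRST, "meta first" => META_FIRST,
  "no meta" => NO_META }.each do |name, page|
  puts "#{name}: #{charset_order(page)}"
end
```
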




Added tag(s) pending. Request was from Jérémy Lal <kapouer@melix.org> to control@bugs.debian.org. (Thu, 07 Jan 2010 19:42:09 GMT).


Reply sent to Jérémy Lal <kapouer@melix.org>:
You have taken responsibility. (Mon, 01 Feb 2010 20:03:22 GMT).


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Mon, 01 Feb 2010 20:03:22 GMT).


Message #12 received at 563940-close@bugs.debian.org:

From: Jérémy Lal <kapouer@melix.org>
To: 563940-close@bugs.debian.org
Subject: Bug#563940: fixed in redmine 0.9.1-1
Date: Mon, 01 Feb 2010 19:35:29 +0000
Source: redmine
Source-Version: 0.9.1-1

We believe that the bug you reported is fixed in the latest version of
redmine, which is due to be installed in the Debian FTP archive:

redmine-mysql_0.9.1-1_all.deb
  to main/r/redmine/redmine-mysql_0.9.1-1_all.deb
redmine-pgsql_0.9.1-1_all.deb
  to main/r/redmine/redmine-pgsql_0.9.1-1_all.deb
redmine-sqlite_0.9.1-1_all.deb
  to main/r/redmine/redmine-sqlite_0.9.1-1_all.deb
redmine_0.9.1-1.diff.gz
  to main/r/redmine/redmine_0.9.1-1.diff.gz
redmine_0.9.1-1.dsc
  to main/r/redmine/redmine_0.9.1-1.dsc
redmine_0.9.1-1_all.deb
  to main/r/redmine/redmine_0.9.1-1_all.deb
redmine_0.9.1.orig.tar.gz
  to main/r/redmine/redmine_0.9.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 563940@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <kapouer@melix.org> (supplier of updated redmine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 30 Jan 2010 16:48:26 +0100
Source: redmine
Binary: redmine redmine-mysql redmine-pgsql redmine-sqlite
Architecture: source all
Version: 0.9.1-1
Distribution: unstable
Urgency: low
Maintainer: Jérémy Lal <kapouer@melix.org>
Changed-By: Jérémy Lal <kapouer@melix.org>
Description: 
 redmine    - flexible project management web application
 redmine-mysql - metapackage providing MySQL dependencies for Redmine
 redmine-pgsql - metapackage providing PostgreSQL dependencies for Redmine
 redmine-sqlite - metapackage providing sqlite dependencies for Redmine
Closes: 551002 552736 553375 553376 554351 555693 555956 560999 563940 564086 566160 567512
Changes: 
 redmine (0.9.1-1) unstable; urgency=low
 .
   * Stop using deprecated dbfile param in database.yml.
   * Use session.yml to store secret session key.
   * Supports and documents running as unprivileged user. (Closes: #564086)
   * Split debian/patches.
   * Fix typo in po templates. (Closes: #553376)
   * Adds pt, de, sv, ru, es, ja translations.
     (Closes: #553375, #551002, #552736, #554351, #560999, #555693)
   * Fixes CVE-2009-4459 : uses the title tag before defining
     the character encoding in a meta tag. (Closes: #563940)
   * Install does not fail if rake fails (Closes: #566160)
   * Several rails 2.2 incompatibilities have been fixed,
     patches are applied with greater care. (Closes: #555956, #567512)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLZyst2hliNwI7P08RApBXAKCbc7xUb+uOki/xg/l1lVmtQYTyBgCgv7Br
i8IMKcTFUisvCYnyy/hwrmI=
=H+aY
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 Mar 2010 07:34:16 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:23:26 2019; Machine Name: beach
