CVE-2016-1566: XSS vulnerability in file browser


Debian Bug report logs - #859136


Reported by: Antoine Beaupre <anarcat@orangeseeds.org>

Date: Thu, 30 Mar 2017 18:48:01 UTC

Severity: important

Tags: pending, security, upstream

Found in version 0.9.9+dfsg-1



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>:
Bug#859136; Package guacamole-client. (Thu, 30 Mar 2017 18:48:04 GMT)


Acknowledgement sent to Antoine Beaupre <anarcat@orangeseeds.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Thu, 30 Mar 2017 18:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Antoine Beaupre <anarcat@orangeseeds.org>
To: submit@bugs.debian.org
Subject: CVE-2016-1566: XSS vulnerability in file browser
Date: Thu, 30 Mar 2017 14:45:21 -0400
Package: guacamole-client
X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
Severity: normal
Tags: security
Version: 0.9.9+dfsg-1

Hi,

the following vulnerability was published for guacamole.

CVE-2016-1566[0]:
| Cross-site scripting (XSS) vulnerability in the file browser in
| Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location
| shared by multiple users, allows remote authenticated users to inject
| arbitrary web script or HTML via a crafted filename.  NOTE: this
| vulnerability was fixed in guacamole.war on 2016-01-13, but the
| version number was not changed.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1566
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1566

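The CVE text above describes the classic file-browser XSS pattern: a filename written by one user is rendered as HTML for another. The following is an added illustration, not Guacamole's own code, contrasting the vulnerable rendering with a hardened one and a crude defender-side check; the file names and the `/files/` path are constructed for the example.

```javascript
// Added example (not Guacamole's code): the pattern behind CVE-2016-1566 is
// concatenating a user-controlled filename straight into file-browser markup.

// Escape the five characters that matter in text and double-quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the filename lands unescaped in both text and href.
function renderRowVulnerable(name) {
  return `<li class="file"><a href="/files/${name}">${name}</a></li>`;
}

// Hardened pattern: text context is HTML-escaped and the URL path segment is
// percent-encoded, so neither context can be broken out of by the filename.
function renderRowSafe(name) {
  const path = encodeURIComponent(name);
  return `<li class="file"><a href="/files/${path}">${escapeHtml(name)}</a></li>`;
}

// Render a whole shared-directory listing with the chosen row renderer.
function renderListing(names, renderRow) {
  return `<ul class="file-browser">${names.map(renderRow).join('')}</ul>`;
}

// Crude check: our templates emit a fixed number of '<' per row (<li>, <a>,
// </a>, </li>) plus two for the <ul>; any extra '<' came from a filename.
// It catches injected tags only, not attribute break-out via a stray quote.
function hasInjectedMarkup(names, renderRow) {
  const html = renderListing(names, renderRow);
  const expected = 2 + names.length * 4;
  const actual = (html.match(/</g) || []).length;
  return actual !== expected;
}

// Constructed sample listing from a directory shared by several users; the
// last entry is the kind of crafted name the advisory refers to.
const SAMPLE_NAMES = [
  'report.pdf',
  'notes "final".txt',
  '<img src=x onerror=alert(1)>.txt',
];
```

Running `hasInjectedMarkup(SAMPLE_NAMES, renderRowVulnerable)` reports the injected tag, while the same listing through `renderRowSafe` renders the crafted name as inert text.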
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 30 Mar 2017 19:30:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>:
Bug#859136; Package guacamole-client. (Mon, 02 Oct 2017 19:21:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Mon, 02 Oct 2017 19:21:06 GMT)


Message #12 received at 859136@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: 859136@bugs.debian.org
Subject: Re: CVE-2016-1566: XSS vulnerability in file browser
Date: Mon, 2 Oct 2017 21:19:17 +0200
On Thu, Mar 30, 2017 at 02:45:21PM -0400, Antoine Beaupre wrote:
> Package: guacamole-client
> X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
> Severity: normal
> Tags: security
> Version: 0.9.9+dfsg-1
> 
> Hi,
> 
> the following vulnerability was published for guacamole.
> 
> CVE-2016-1566[0]:
> | Cross-site scripting (XSS) vulnerability in the file browser in
> | Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location
> | shared by multiple users, allows remote authenticated users to inject
> | arbitrary web script or HTML via a crafted filename.  NOTE: this
> | vulnerability was fixed in guacamole.war on 2016-01-13, but the
> | version number was not changed.

What's the status? More than half a year has passed.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>:
Bug#859136; Package guacamole-client. (Tue, 03 Oct 2017 18:57:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Tue, 03 Oct 2017 18:57:06 GMT)


Message #17 received at 859136@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 859136@bugs.debian.org
Subject: Re: Bug#859136: CVE-2016-1566: XSS vulnerability in file browser
Date: Tue, 3 Oct 2017 20:55:47 +0200
Hi

On Mon, Oct 02, 2017 at 09:19:17PM +0200, Moritz Muehlenhoff wrote:
> On Thu, Mar 30, 2017 at 02:45:21PM -0400, Antoine Beaupre wrote:
> > Package: guacamole-client
> > X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
> > Severity: normal
> > Tags: security
> > Version: 0.9.9+dfsg-1
> > 
> > Hi,
> > 
> > the following vulnerability was published for guacamole.
> > 
> > CVE-2016-1566[0]:
> > | Cross-site scripting (XSS) vulnerability in the file browser in
> > | Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location
> > | shared by multiple users, allows remote authenticated users to inject
> > | arbitrary web script or HTML via a crafted filename.  NOTE: this
> > | vulnerability was fixed in guacamole.war on 2016-01-13, but the
> > | version number was not changed.
> 
> What's the status? More than half a year has passed.

Upstream commit, afaics 

https://github.com/glyptodon/guacamole-client/commit/7da13129c432d1c0a577342a9bf23ca2bde9c367

Regards,
Salvatore



Severity set to 'important' from 'normal' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 03 Oct 2017 19:00:07 GMT)


Added tag(s) pending. Request was from Dominik George <nik@naturalnet.de> to control@bugs.debian.org. (Tue, 17 Oct 2017 14:03:10 GMT)


Message sent on to Antoine Beaupre <anarcat@orangeseeds.org>:
Bug#859136. (Tue, 17 Oct 2017 14:03:12 GMT)


Message #24 received at 859136-submitter@bugs.debian.org:

From: Dominik George <nik@naturalnet.de>
To: 859136-submitter@bugs.debian.org
Subject: Bug#859136 marked as pending
Date: Tue, 17 Oct 2017 13:59:18 +0000
tag 859136 pending
thanks

Hello,

Bug #859136 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/pkg-remote/packages/guacamole-client.git/commit/?id=e06c65f

---
commit e06c65fef15274ea8190e5b5e409dcfbecbe8708
Author: Dominik George <nik@naturalnet.de>
Date:   Tue Oct 17 15:58:58 2017 +0200

    Update control and changelog.

diff --git a/debian/changelog b/debian/changelog
index 8a3c08d..ff9b437 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+guacamole-client (0.9.13-1) UNRELEASED; urgency=medium
+
+  * New upstream version.
+    + Includes fix for CVE-2016-1566. (Closes: #859136)
+  * Update watch file for Apache Incubator. (Closes: #859373)
+  * Update Standards-Version to 4.1.1, no changes needed.
+
+ -- Dominik George <nik@naturalnet.de>  Tue, 17 Oct 2017 15:56:10 +0200
+
 guacamole-client (0.9.9+dfsg-1) unstable; urgency=medium
 
   [ Dominik George ]
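Review bot: the new stanza at the top of the hunk is still targeted at UNRELEASED, so nothing in this commit actually ships the fix to users; the bug is marked pending on the strength of the `Closes: #859136` line alone. The line `+    + Includes fix for CVE-2016-1566. (Closes: #859136)` is also hard to audit, because the CVE text notes that upstream fixed this in guacamole.war without bumping the version number, so "new upstream version" by itself does not prove the fix is in 0.9.13. Suggest naming the upstream commit that Salvatore identified in message #17 (7da13129c432d1c0a577342a9bf23ca2bde9c367) in that changelog line, and changing UNRELEASED to unstable only once the 0.9.13-1 upload is verified to contain it.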





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:10:28 2019; Machine Name: beach
