Debian Bug report logs - #859136
CVE-2016-1566: XSS vulnerability in file browser
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>: Bug#859136; Package guacamole-client. (Thu, 30 Mar 2017 18:48:04 GMT)
Acknowledgement sent to Antoine Beaupre <anarcat@orangeseeds.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Thu, 30 Mar 2017 18:48:04 GMT)
Message #5 received at submit@bugs.debian.org:
[Message part 1 (text/plain, inline)]
Package: guacamole-client
X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
Severity: normal
Tags: security
Version: 0.9.9+dfsg-1
Hi,
the following vulnerability was published for guacamole.
CVE-2016-1566[0]:
| Cross-site scripting (XSS) vulnerability in the file browser in
| Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location
| shared by multiple users, allows remote authenticated users to inject
| arbitrary web script or HTML via a crafted filename. NOTE: this
| vulnerability was fixed in guacamole.war on 2016-01-13, but the
| version number was not changed.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-1566
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1566
[signature.asc (application/pgp-signature, inline)]
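As an added illustration of the bug class described in the CVE text above (this is not Guacamole's code and not the upstream fix; the renderer, the structural check, the filename policy and the sample listing are all constructed here): a file browser that interpolates attacker-chosen filenames straight into HTML, the output-encoded version of the same renderer, a check that detects injected markup in the rendered output, and an upload-time filename policy for a transfer directory shared between users.

```javascript
// Added example for CVE-2016-1566's bug class: a file-browser listing that
// renders untrusted filenames. Not Guacamole code; all names, functions and
// sample data below are constructed for illustration.

// HTML-encode a string for element text and double-quoted attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer: the filename is interpolated unencoded into markup,
// so whoever can drop a file into the shared directory controls the HTML
// shown to every other user who opens the browser (stored XSS).
function renderListingUnsafe(entries) {
  const items = entries.map(
    (e) => `<li class="${e.type}" title="${e.name}">${e.name}</li>`
  );
  return `<ul class="files">${items.join('')}</ul>`;
}

// Fixed renderer: every untrusted value is encoded for the context it lands
// in. The type field is encoded too rather than trusted, since a directory
// listing may come from a remote agent.
function renderListingSafe(entries) {
  const items = entries.map(
    (e) =>
      `<li class="${escapeHtml(e.type)}" title="${escapeHtml(e.name)}">` +
      `${escapeHtml(e.name)}</li>`
  );
  return `<ul class="files">${items.join('')}</ul>`;
}

// Count tag starts ("<" followed by a letter or "/") in rendered markup.
function countTags(html) {
  return (html.match(/<[A-Za-z/]/g) || []).length;
}

// Count raw double quotes in rendered markup.
function countQuotes(html) {
  return (html.match(/"/g) || []).length;
}

// Structural check: the template emits exactly 2 tags (the <ul>) plus 2 per
// entry, and 2 quotes plus 4 per entry. Any surplus tag or quote came from
// the data, i.e. from injected markup or an attribute breakout.
function hasInjectedMarkup(entries, html) {
  return (
    countTags(html) !== 2 + 2 * entries.length ||
    countQuotes(html) !== 2 + 4 * entries.length
  );
}

// Upload-time policy for a directory shared between users: reject names that
// carry HTML metacharacters, control characters or path separators so a
// hostile co-tenant cannot even store the payload. This complements output
// encoding; it does not replace it.
function isAcceptableFilename(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) return false;
  if (name === '.' || name === '..') return false;
  if (/[\u0000-\u001f\u007f]/.test(name)) return false; // control characters
  if (/[\/\\]/.test(name)) return false;                 // path separators
  if (/[<>"'&]/.test(name)) return false;                // HTML metacharacters
  return true;
}

// Constructed sample listing: the last two entries are what a malicious
// co-tenant could upload into a shared transfer directory.
const SAMPLE_LISTING = [
  { name: 'report.pdf', type: 'file' },
  { name: 'photos', type: 'directory' },
  { name: '<img src=x onerror=alert(document.cookie)>.txt', type: 'file' },
  { name: '" onmouseover="alert(1)', type: 'file' },
];

console.log('unsafe leaks markup:', hasInjectedMarkup(SAMPLE_LISTING, renderListingUnsafe(SAMPLE_LISTING)));
console.log('safe leaks markup:  ', hasInjectedMarkup(SAMPLE_LISTING, renderListingSafe(SAMPLE_LISTING)));
console.log('rejected on upload: ', SAMPLE_LISTING.filter((e) => !isAcceptableFilename(e.name)).map((e) => e.name));
```

Run it with node. The structural check works only because the template emits a fixed number of tags and quotes per entry, so any surplus must have come from the data; it is a test-time oracle, not a sanitizer. The encoding in renderListingSafe is the actual remedy. The filename policy narrows what a co-tenant can store, but names containing quotes or angle brackets are legal on the filesystem, so it must never be the sole defence.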
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 30 Mar 2017 19:30:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>: Bug#859136; Package guacamole-client. (Mon, 02 Oct 2017 19:21:06 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Mon, 02 Oct 2017 19:21:06 GMT)
Message #12 received at 859136@bugs.debian.org:
On Thu, Mar 30, 2017 at 02:45:21PM -0400, Antoine Beaupre wrote:
> Package: guacamole-client
> X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
> Severity: normal
> Tags: security
> Version: 0.9.9+dfsg-1
>
> Hi,
>
> the following vulnerability was published for guacamole.
>
> CVE-2016-1566[0]:
> | Cross-site scripting (XSS) vulnerability in the file browser in
> | Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location
> | shared by multiple users, allows remote authenticated users to inject
> | arbitrary web script or HTML via a crafted filename. NOTE: this
> | vulnerability was fixed in guacamole.war on 2016-01-13, but the
> | version number was not changed.
What's the status? More than half a year has passed.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>: Bug#859136; Package guacamole-client. (Tue, 03 Oct 2017 18:57:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Remote Maintainers <pkg-remote-team@lists.alioth.debian.org>. (Tue, 03 Oct 2017 18:57:06 GMT)
Message #17 received at 859136@bugs.debian.org:
Hi
On Mon, Oct 02, 2017 at 09:19:17PM +0200, Moritz Muehlenhoff wrote:
> On Thu, Mar 30, 2017 at 02:45:21PM -0400, Antoine Beaupre wrote:
> > Package: guacamole-client
> > X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
> > Severity: normal
> > Tags: security
> > Version: 0.9.9+dfsg-1
> >
> > Hi,
> >
> > the following vulnerability was published for guacamole.
> >
> > CVE-2016-1566[0]:
> > | Cross-site scripting (XSS) vulnerability in the file browser in
> > | Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location
> > | shared by multiple users, allows remote authenticated users to inject
> > | arbitrary web script or HTML via a crafted filename. NOTE: this
> > | vulnerability was fixed in guacamole.war on 2016-01-13, but the
> > | version number was not changed.
>
> What's the status? More than half a year has passed.
Upstream commit, afaics
https://github.com/glyptodon/guacamole-client/commit/7da13129c432d1c0a577342a9bf23ca2bde9c367
Regards,
Salvatore
Severity set to 'important' from 'normal'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 03 Oct 2017 19:00:07 GMT)
Added tag(s) pending. Request was from Dominik George <nik@naturalnet.de> to control@bugs.debian.org. (Tue, 17 Oct 2017 14:03:10 GMT)
Message sent on to Antoine Beaupre <anarcat@orangeseeds.org>: Bug#859136. (Tue, 17 Oct 2017 14:03:12 GMT)
Message #24 received at 859136-submitter@bugs.debian.org:
tag 859136 pending
thanks
Hello,
Bug #859136 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:
https://anonscm.debian.org/cgit/pkg-remote/packages/guacamole-client.git/commit/?id=e06c65f
---
commit e06c65fef15274ea8190e5b5e409dcfbecbe8708
Author: Dominik George <nik@naturalnet.de>
Date: Tue Oct 17 15:58:58 2017 +0200
Update control and changelog.
diff --git a/debian/changelog b/debian/changelog
index 8a3c08d..ff9b437 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+guacamole-client (0.9.13-1) UNRELEASED; urgency=medium
+
+ * New upstream version.
+ + Includes fix for CVE-2016-1566. (Closes: #859136)
+ * Update watch file for Apache Incubator. (Closes: #859373)
+ * Update Standards-Version to 4.1.1, no changes needed.
+
+ -- Dominik George <nik@naturalnet.de> Tue, 17 Oct 2017 15:56:10 +0200
+
guacamole-client (0.9.9+dfsg-1) unstable; urgency=medium
[ Dominik George ]
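Review bot: the new changelog entry attributes the CVE fix only to "New upstream version." plus "+ Includes fix for CVE-2016-1566. (Closes: #859136)", with no pointer to the upstream change; since the CVE text notes that upstream shipped the fix in guacamole.war on 2016-01-13 without changing the version number, a version string alone does not let a reader verify the fix is present. Name the upstream commit identified in Message #17 (https://github.com/glyptodon/guacamole-client/commit/7da13129c432d1c0a577342a9bf23ca2bde9c367) in that bullet so the fix is traceable from the changelog. Note also that the entry is marked UNRELEASED, so the "Closes:" will only take effect once 0.9.13-1 is actually uploaded; until then the bug correctly stays at "pending".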
Last modified: Wed Jun 19 13:10:28 2019