XSS vulnerability in open-flash-chart.swf (CVE-2013-1636)

Debian Bug report logs - #742859

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Fri, 28 Mar 2014 07:21:02 UTC

Severity: important

Tags: security

Fixed in version biomaj-watcher/1.2.2-1

Done: Olivier Sallou <osallou@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#742859; Package biomaj-watcher. (Fri, 28 Mar 2014 07:21:07 GMT)


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Fri, 28 Mar 2014 07:21:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: XSS vulnerability in open-flash-chart.swf (CVE-2013-1636)
Date: Fri, 28 Mar 2014 08:16:51 +0100
Package: biomaj-watcher
Severity: important
Tags: security

Hi,
the following vulnerability was published for biomaj-watcher.

CVE-2013-1636[0]:
| Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in
| Open Flash Chart (aka Open-Flash Chart), as used in the Pretty Link
| Lite plugin before 1.6.3 for WordPress, JNews (com_jnews) component
| 8.0.1 for Joomla!, and CiviCRM 3.1.0 through 4.2.9 and 4.3.0 through
| 4.3.3, allows remote attackers to inject arbitrary web script or HTML
| via the get-data parameter.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1636
    https://security-tracker.debian.org/tracker/CVE-2013-1636
Please adjust the affected versions in the BTS as needed.

Cheers,
Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>:
Bug#742859; Package biomaj-watcher. (Sun, 22 Jun 2014 08:09:04 GMT)


Acknowledgement sent to "olivier.sallou@codeless.fr" <olivier.sallou@codeless.fr>:
Extra info received and forwarded to list. Copy sent to Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>. (Sun, 22 Jun 2014 08:09:04 GMT)


Message #10 received at 742859@bugs.debian.org:

From: "olivier.sallou@codeless.fr" <olivier.sallou@codeless.fr>
To: 742859@bugs.debian.org
Subject: not an issue
Date: Sun, 22 Jun 2014 10:04:48 +0200
File is included in source but not used in application.

I'm gonna remove it from upstream code.


-- 
gpg key id: 4096R/326D8438  (keyring.debian.org)
Key fingerprint = 5FB4 6F83 D3B9 5204 6335  D26D 78DC 68DB 326D 8438
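The maintainer's reply rests on two claims that are worth checking mechanically rather than by eye: the flagged asset is present in the shipped source, and nothing in the application references it. The following Python script is an added example, not part of this bug log, of biomaj-watcher or of the Debian BTS. It walks a constructed sample tree, lists files whose basenames appear in a small catalogue of known-vulnerable bundled assets (keyed here to CVE-2013-1636 from this report), and scans text files for references to the asset; the same two calls run again after deletion confirm the fix. The catalogue, the extension list and the sample tree layout are assumptions made for the example.

```python
"""Check a source tree for bundled third-party assets flagged by an advisory
and for any references to them.

Added example for this bug log; not biomaj-watcher or Debian BTS code.
The catalogue, extension list and sample tree are constructed for illustration.
"""
import os
import tempfile

# Basenames of bundled assets that an advisory flags, mapped to the advisory.
# CVE-2013-1636 is the one from this bug; that a copy of Open Flash Chart is
# shipped under exactly this basename is an assumption.
KNOWN_BUNDLED_ISSUES = {
    "open-flash-chart.swf": "CVE-2013-1636",
}

# File types scanned when checking whether the application references the asset.
TEXT_EXTENSIONS = (".html", ".htm", ".js", ".jsp", ".php", ".xml", ".css", ".txt")


def _rel(path, root):
    """Path relative to root with forward slashes, so results compare equal on any OS."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def find_bundled_issues(root, catalogue=KNOWN_BUNDLED_ISSUES):
    """Return sorted (relative path, advisory id) pairs for every file under
    `root` whose basename is listed in `catalogue` (case-insensitive)."""
    lowered = {name.lower(): adv for name, adv in catalogue.items()}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            adv = lowered.get(fname.lower())
            if adv is not None:
                hits.append((_rel(os.path.join(dirpath, fname), root), adv))
    return sorted(hits)


def find_references(root, basename, extensions=TEXT_EXTENSIONS):
    """Return sorted relative paths of text files under `root` that mention
    `basename`. An empty result supports a claim like "included but not used";
    a non-empty one means removing the file would break those pages."""
    refs = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                if basename.lower() in fh.read().lower():
                    refs.append(_rel(path, root))
    return sorted(refs)


def build_sample_tree():
    """Create a constructed sample tree (not the real biomaj-watcher layout) in a
    temporary directory and return its root. The legacy page references the
    asset so that find_references has something to report."""
    root = tempfile.mkdtemp(prefix="bundled-asset-check-")
    layout = {
        "webapp/flash/open-flash-chart.swf": b"FWS placeholder bytes, not a real SWF",
        "webapp/index.html": "<html><body>main page, no chart embed</body></html>\n",
        "webapp/legacy/chart.html": '<embed src="../flash/open-flash-chart.swf">\n',
        "src/Main.java": "public class Main {}\n",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        mode = "wb" if isinstance(content, bytes) else "w"
        with open(path, mode) as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, adv in find_bundled_issues(root):
        print(f"{rel}: flagged by {adv}")
        refs = find_references(root, os.path.basename(rel))
        print(f"  referenced by: {refs or 'nothing (safe to drop from the package)'}")
```

Run against a real source tree, an empty `find_references` result for a flagged file is the evidence behind "not used"; once the file is deleted, `find_bundled_issues` returning nothing is the evidence that the fixed upload no longer ships it.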




Reply sent to Olivier Sallou <osallou@debian.org>:
You have taken responsibility. (Mon, 23 Jun 2014 07:39:12 GMT)


Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Mon, 23 Jun 2014 07:39:13 GMT)


Message #15 received at 742859-close@bugs.debian.org:

From: Olivier Sallou <osallou@debian.org>
To: 742859-close@bugs.debian.org
Subject: Bug#742859: fixed in biomaj-watcher 1.2.2-1
Date: Mon, 23 Jun 2014 07:34:09 +0000
Source: biomaj-watcher
Source-Version: 1.2.2-1

We believe that the bug you reported is fixed in the latest version of
biomaj-watcher, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742859@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Olivier Sallou <osallou@debian.org> (supplier of updated biomaj-watcher package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 22 Jun 2014 09:19:40 +0200
Source: biomaj-watcher
Binary: biomaj-watcher
Architecture: source all
Version: 1.2.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Med Packaging Team <debian-med-packaging@lists.alioth.debian.org>
Changed-By: Olivier Sallou <osallou@debian.org>
Description:
 biomaj-watcher - biological data-bank updater - web interface
Closes: 742859 752223
Changes:
 biomaj-watcher (1.2.2-1) unstable; urgency=medium
 .
   * New upstream release:
     - remove generated GWT files from source (Closes: #752223), not used
       by application, those files are regenerated by build process.
     - remove unused Open Chart files with related security issue CVE-2013-1636
       Previous releases are not impacted by security issue as file was
       not used (Closes: #742859).
   * d/control: use Standards 3.9.5
Checksums-Sha1:
 3026b6784ad1f809b2be5dcf393193a364749ec4 2294 biomaj-watcher_1.2.2-1.dsc
 5470cdb94ec202930bd76a6aade16a669d035771 95073453 biomaj-watcher_1.2.2.orig.tar.gz
 af40b423d83961910077568a81c94aaca2fe92f6 34552 biomaj-watcher_1.2.2-1.debian.tar.xz
 c83eef379f6176139eee06a92eb5456d100cf515 17924136 biomaj-watcher_1.2.2-1_all.deb
Checksums-Sha256:
 1d9c0f823f02e90f04785dcadcf919b43cece3c616015adb2921c5011c8759be 2294 biomaj-watcher_1.2.2-1.dsc
 9936e817f0699ac9081d28f3d9ca383a0c93f55bb3aab70405eb4378c61ca624 95073453 biomaj-watcher_1.2.2.orig.tar.gz
 d3e3ada876c68f1eb1da859a0e5b2b3a44529291df7c95d2bc2d9f4e67cba728 34552 biomaj-watcher_1.2.2-1.debian.tar.xz
 bb32a1d54dbe455b933d96370ed48aeea09e60b6653e8749eccd8334f6189de6 17924136 biomaj-watcher_1.2.2-1_all.deb
Files:
 4543a36032507380499ee41a37266328 17924136 contrib/science optional biomaj-watcher_1.2.2-1_all.deb
 cb03dc9e85cc303b4d5a884ed95c459b 2294 contrib/science optional biomaj-watcher_1.2.2-1.dsc
 de9f439ea0169d4980ba69352617558d 95073453 contrib/science optional biomaj-watcher_1.2.2.orig.tar.gz
 d9e4ed19b682a577bfd708a671dcdee2 34552 contrib/science optional biomaj-watcher_1.2.2-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJTp9VOAAoJEHjcaNsybYQ4C2wQAJ3ugd6IG36VzW/i5ld2uIVA
VUAD/dR1ed7VVTsX19KoVj7mSWOSOAZ2+WdjJoSdYoEK1cm6TKU8nNZoQiTihlLA
YvWJzCUN6sFAUnQTwp9qZNnq6/VvzQTlh9unZUTn0c/qB0eizdGOcA6BXBzWCnsj
suL0Re5AsepEuczaXEkhEq9BFIl94fqX0vhqmi2F42XV1gqXSlu99viFdMw2u1FF
MAFfOzwLpR1c4uC4yyaOElekNgT+jOcyWztQefyzL+ClLRzxORVsQ5bLTptZxqEz
2w/EK8t4LLipjVV7LAqn5hGTGJXTkuFQIG+kfBHfiY+QWSvPFFzuMSdmYsmm5UPH
9QzNSwc/jlPLNI5avn6/d4WZFEiGr9Zl10L5p6eyHp3F2qStRDwjsFfWJPXQZjdg
E+g0goThmeHkGjKqV5mgPBwPVMDUz8VyhARK8dQvzSNdFN2WlfvGn7ns7TnGlPfb
LFbaZowqQSnwahxCBD0xzleq9SHnB4+bUuxskEEiMxVdLt7DrVluWdu3PRA3lL+n
wm/ln7unBu/WKnobwQiM9vwMx3M/jiEntUvTafmE2zMqTogto0rP6GIgK1tbC8hD
p40QOFZSh4t+N+jkGYj8ucgIDzmi/dqrUfXIq4al4IbAhsl4KkB5OW2oUSrsSsff
7bd1fhBgP5ExK5mGeCSK
=QHAK
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 26 Jul 2014 07:29:54 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:19:03 2019; Machine Name: buxtehude
