magpierss: CVE-2011-0740 Cross-site scripting vulnerability in scripts/magpie_slashbox.php

Related Vulnerabilities: CVE-2011-0740  

Debian Bug report logs - #611940
magpierss: CVE-2011-0740 Cross-site scripting vulnerability in scripts/magpie_slashbox.php


Reported by: Jonathan Wiltshire <jmw@debian.org>

Date: Thu, 3 Feb 2011 22:51:01 UTC

Severity: important

Tags: security

Found in version magpierss/0.72-2

Fixed in versions magpierss/0.72-10, magpierss/0.72-5+lenny1, magpierss/0.72-8+squeeze1

Done: Marcelo Jorge Vieira (metal) <metal@alucinados.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Marcelo Jorge Vieira (metal) <metal@debian.org>:
Bug#611940; Package magpierss. (Thu, 03 Feb 2011 22:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
New Bug report received and forwarded. Copy sent to Marcelo Jorge Vieira (metal) <metal@debian.org>. (Thu, 03 Feb 2011 22:51:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: submit@bugs.debian.org
Subject: magpierss: CVE-2011-0740 Cross-site scripting vulnerability in scripts/magpie_slashbox.php
Date: Thu, 3 Feb 2011 22:47:50 +0000
[Message part 1 (text/plain, inline)]
Package: magpierss
Version: 0.72-2
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for magpierss.

Although this description is for the WordPress plugin, the problem appears
to apply to scripts/magpie_slashbox.php in your package.

CVE-2011-0740[0]:
| Cross-site scripting (XSS) vulnerability in
| magpie/scripts/magpie_slashbox.php in RSS Feed Reader 0.1 for
| WordPress allows remote attackers to inject arbitrary web script or
| HTML via the rss_url parameter.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0740
    http://security-tracker.debian.org/tracker/CVE-2011-0740

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
[signature.asc (application/pgp-signature, inline)]

Reply sent to Marcelo Jorge Vieira (metal) <metal@debian.org>:
You have taken responsibility. (Tue, 15 Feb 2011 21:03:05 GMT) (full text, mbox, link).


Notification sent to Jonathan Wiltshire <jmw@debian.org>:
Bug acknowledged by developer. (Tue, 15 Feb 2011 21:03:05 GMT) (full text, mbox, link).


Message #10 received at 611940-close@bugs.debian.org (full text, mbox, reply):

From: Marcelo Jorge Vieira (metal) <metal@debian.org>
To: 611940-close@bugs.debian.org
Subject: Bug#611940: fixed in magpierss 0.72-10
Date: Tue, 15 Feb 2011 20:59:26 +0000
Source: magpierss
Source-Version: 0.72-10

We believe that the bug you reported is fixed in the latest version of
magpierss, which is due to be installed in the Debian FTP archive:

libphp-magpierss_0.72-10_all.deb
  to main/m/magpierss/libphp-magpierss_0.72-10_all.deb
magpierss_0.72-10.debian.tar.gz
  to main/m/magpierss/magpierss_0.72-10.debian.tar.gz
magpierss_0.72-10.dsc
  to main/m/magpierss/magpierss_0.72-10.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 611940@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marcelo Jorge Vieira (metal) <metal@debian.org> (supplier of updated magpierss package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 15 Feb 2011 17:51:14 -0200
Source: magpierss
Binary: libphp-magpierss
Architecture: source all
Version: 0.72-10
Distribution: unstable
Urgency: high
Maintainer: Marcelo Jorge Vieira (metal) <metal@debian.org>
Changed-By: Marcelo Jorge Vieira (metal) <metal@debian.org>
Description: 
 libphp-magpierss - provides an XML-based RSS parser in PHP
Closes: 611940
Changes: 
 magpierss (0.72-10) unstable; urgency=high
 .
   * Fixing CVE-2011-0740 (Closes: #611940)
 .
     Cross-site scripting (XSS) vulnerability in
     scripts/magpie_slashbox.php





Information forwarded to debian-bugs-dist@lists.debian.org, Marcelo Jorge Vieira (metal) <metal@debian.org>:
Bug#611940; Package magpierss. (Sat, 19 Feb 2011 22:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Marcelo Jorge Vieira (metal) <metal@debian.org>. (Sat, 19 Feb 2011 22:18:03 GMT) (full text, mbox, link).


Message #15 received at 611940@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>
To: 611940@bugs.debian.org
Subject: Re: Bug#611940: magpierss: CVE-2011-0740 Cross-site scripting vulnerability in scripts/magpie_slashbox.php
Date: Sat, 19 Feb 2011 22:14:29 +0000
[Message part 1 (text/plain, inline)]
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

lenny (5.0.9)
squeeze (6.0.1)

Please arrange to backport your fix and liaise with the release team for
permission to upload. I will happily assist you if the patch is
straightforward and you need help or lack time.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

1: <201101232332.11736.thijs@debian.org>
2: http://deb.li/prsc

Thanks,

with his security hat on:
-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marcelo Jorge Vieira (metal) <metal@debian.org>:
Bug#611940; Package magpierss. (Mon, 21 Feb 2011 02:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Marcelo Jorge Vieira <metal@debian.org>:
Extra info received and forwarded to list. Copy sent to Marcelo Jorge Vieira (metal) <metal@debian.org>. (Mon, 21 Feb 2011 02:09:03 GMT) (full text, mbox, link).


Message #20 received at 611940@bugs.debian.org (full text, mbox, reply):

From: Marcelo Jorge Vieira <metal@debian.org>
To: Jonathan Wiltshire <jmw@debian.org>, 611940@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#611940: magpierss: CVE-2011-0740 Cross-site scripting vulnerability in scripts/magpie_slashbox.php
Date: Sun, 20 Feb 2011 22:50:51 -0300
[Message part 1 (text/plain, inline)]
Hi Jonathan,

On Sat, 2011-02-19 at 22:14 +0000, Jonathan Wiltshire wrote:
> Dear maintainer,
> 
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
> 
> lenny (5.0.9)
> squeeze (6.0.1)
> 
> Please arrange to backport your fix and liaise with the release team for
> permission to upload. I will happily assist you if the patch is
> straightforward and you need help or lack time.
> 
> For details of this process and the rationale, please see the original
> announcement [1] and my blog post [2].
> 
> 1: <201101232332.11736.thijs@debian.org>
> 2: http://deb.li/prsc
> 
> Thanks,
> 
> with his security hat on:


I uploaded magpierss backport package to oldstable-proposed-updates,
only to fix the bug CVE-2011-0740, but can I use the magpierss package
from wheezy to backport it to squeeze? It's the same source with just
little changes.


Cheers,

-- 
Marcelo Jorge Vieira
xmpp:metal@jabber-br.org
http://metaldot.alucinados.com
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marcelo Jorge Vieira (metal) <metal@debian.org>:
Bug#611940; Package magpierss. (Mon, 21 Feb 2011 19:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Marcelo Jorge Vieira (metal) <metal@debian.org>. (Mon, 21 Feb 2011 19:33:02 GMT) (full text, mbox, link).


Message #25 received at 611940@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Marcelo Jorge Vieira <metal@debian.org>
Cc: Jonathan Wiltshire <jmw@debian.org>, 611940@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#611940: magpierss: CVE-2011-0740 Cross-site scripting vulnerability in scripts/magpie_slashbox.php
Date: Mon, 21 Feb 2011 19:30:38 +0000
On Sun, 2011-02-20 at 22:50 -0300, Marcelo Jorge Vieira wrote:
> Hi Jonathan,
> 
> On Sat, 2011-02-19 at 22:14 +0000, Jonathan Wiltshire wrote:
> > 
> > Please arrange to backport your fix and liaise with the release team for
> > permission to upload. I will happily assist you if the patch is
> > straightforward and you need help or lack time.
[...]
> > with his security hat on:
> 
> 
> I uploaded magpierss backport package to oldstable-proposed-updates,
> only to fix the bug CVE-2011-0740

<with SRM hat on>

The request in Jonathan's mail was that you liaise with us, not simply
to upload.  In this case the diff looks okay and I'll approve it for
oldstable-proposed-updates later, but please bear in mind that this
might not always be the case and the "liaise and get permission" step is
there for a reason.

> but can I use the magpierss package
> from wheezy to backport it to squeeze? It's the same source with just
> little changes.

Those "little changes" include switching to the "3.0 (quilt)" source
format, removing a package entirely and moving to a more minimal
debian/rules file.  Sorry, but none of those are appropriate for a
stable update.

If the diff for squeeze is the same as the diff for lenny then that
should be okay, but a mail to -release would still be appreciated.

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Marcelo Jorge Vieira (metal) <metal@debian.org>:
Bug#611940; Package magpierss. (Mon, 21 Feb 2011 22:03:08 GMT) (full text, mbox, link).


Acknowledgement sent to Marcelo Jorge Vieira <metal@debian.org>:
Extra info received and forwarded to list. Copy sent to Marcelo Jorge Vieira (metal) <metal@debian.org>. (Mon, 21 Feb 2011 22:03:08 GMT) (full text, mbox, link).


Message #30 received at 611940@bugs.debian.org (full text, mbox, reply):

From: Marcelo Jorge Vieira <metal@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: Jonathan Wiltshire <jmw@debian.org>, 611940@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#611940: magpierss: CVE-2011-0740 Cross-site scripting vulnerability in scripts/magpie_slashbox.php
Date: Mon, 21 Feb 2011 18:58:22 -0300
[Message part 1 (text/plain, inline)]
Hi Adam,


On Mon, 2011-02-21 at 19:30 +0000, Adam D. Barratt wrote:
> On Sun, 2011-02-20 at 22:50 -0300, Marcelo Jorge Vieira wrote:
> > Hi Jonathan,
> > 
> > On Sat, 2011-02-19 at 22:14 +0000, Jonathan Wiltshire wrote:
> > > 
> > > Please arrange to backport your fix and liaise with the release team for
> > > permission to upload. I will happily assist you if the patch is
> > > straightforward and you need help or lack time.
> [...]
> > > with his security hat on:
> > 
> > 
> > I uploaded magpierss backport package to oldstable-proposed-updates,
> > only to fix the bug CVE-2011-0740
> 
> <with SRM hat on>
> 
> The request in Jonathan's mail was that you liaise with us, not simply
> to upload.  In this case the diff looks okay and I'll approve it for
> oldstable-proposed-updates later, but please bear in mind that this
> might not always be the case and the "liaise and get permission" step is
> there for a reason.

Sorry for that.


> > but can I use the magpierss package
> > from wheezy to backport it to squeeze? It's the same source with just
> > little changes.
> 
> Those "little changes" include switching to the "3.0 (quilt)" source
> format, removing a package entirely and moving to a more minimal
> debian/rules file.  Sorry, but none of those are appropriate for a
> stable update.

ok!


> If the diff for squeeze is the same as the diff for lenny then that
> should be okay, but a mail to -release would still be appreciated.


Here [0] you will find the diff for squeeze.

[0] http://people.debian.org/~metal/magpierss/



Cheers,

-- 
Marcelo Jorge Vieira
xmpp:metal@jabber-br.org
http://metaldot.alucinados.com
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marcelo Jorge Vieira (metal) <metal@debian.org>:
Bug#611940; Package magpierss. (Mon, 21 Feb 2011 22:24:06 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Marcelo Jorge Vieira (metal) <metal@debian.org>. (Mon, 21 Feb 2011 22:24:06 GMT) (full text, mbox, link).


Message #35 received at 611940@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Marcelo Jorge Vieira <metal@debian.org>
Cc: Jonathan Wiltshire <jmw@debian.org>, 611940@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#611940: magpierss: CVE-2011-0740 Cross-site scripting vulnerability in scripts/magpie_slashbox.php
Date: Mon, 21 Feb 2011 22:21:22 +0000
Hi,

On Mon, 2011-02-21 at 18:58 -0300, Marcelo Jorge Vieira wrote:
> On Mon, 2011-02-21 at 19:30 +0000, Adam D. Barratt wrote:
[...]
> > If the diff for squeeze is the same as the diff for lenny then that
> > should be okay, but a mail to -release would still be appreciated.
> 
> 
> Here [0] you will find the diff for squeeze.
> 
> [0] http://people.debian.org/~metal/magpierss/

Thanks.  The patch itself looks okay, but it doesn't appear to have been
added to debian/patches/series, so isn't applied in the resulting binary
package.

I've just spotted that the same is true for the lenny package.  Would
you like to upload 0.72-5+lenny2 adding the patch to series, or prefer
that I reject +lenny1 so that you can upload a fixed package using that
version number?

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Marcelo Jorge Vieira (metal) <metal@debian.org>:
Bug#611940; Package magpierss. (Mon, 21 Feb 2011 23:03:21 GMT) (full text, mbox, link).


Acknowledgement sent to Marcelo Jorge Vieira <metal@debian.org>:
Extra info received and forwarded to list. Copy sent to Marcelo Jorge Vieira (metal) <metal@debian.org>. (Mon, 21 Feb 2011 23:03:21 GMT) (full text, mbox, link).


Message #40 received at 611940@bugs.debian.org (full text, mbox, reply):

From: Marcelo Jorge Vieira <metal@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 611940@bugs.debian.org
Cc: Jonathan Wiltshire <jmw@debian.org>, team@security.debian.org
Subject: Re: Bug#611940: magpierss: CVE-2011-0740 Cross-site scripting vulnerability in scripts/magpie_slashbox.php
Date: Mon, 21 Feb 2011 19:59:01 -0300
[Message part 1 (text/plain, inline)]
Hi Adam,

On Mon, 2011-02-21 at 22:21 +0000, Adam D. Barratt wrote:
> Hi,
> 
> On Mon, 2011-02-21 at 18:58 -0300, Marcelo Jorge Vieira wrote:
> > On Mon, 2011-02-21 at 19:30 +0000, Adam D. Barratt wrote:
> [...]
> > > If the diff for squeeze is the same as the diff for lenny then that
> > > should be okay, but a mail to -release would still be appreciated.
> > 
> > 
> > Here [0] you will find the diff for squeeze.
> > 
> > [0] http://people.debian.org/~metal/magpierss/
> 
> Thanks.  The patch itself looks okay, but it doesn't appear to have been
> added to debian/patches/series, so isn't applied in the resulting binary
> package.

Wow, my bad.


> I've just spotted that the same is true for the lenny package.  Would
> you like to upload 0.72-5+lenny2 adding the patch to series, or prefer
> that I reject +lenny1 so that you can upload a fixed package using that
> version number?

The lenny version uses cdbs + simple-patchsys, so there is no
series file. Only squeeze version is wrong. I fixed it and
uploaded it here [0] again.

[0] http://people.debian.org/~metal/magpierss/


Cheers,

-- 
Marcelo Jorge Vieira
xmpp:metal@jabber-br.org
http://metaldot.alucinados.com
[signature.asc (application/pgp-signature, inline)]
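
Added example, not part of the original bug log or of the magpierss package: a pre-upload check for the failure discussed in the two messages above, where a security patch sits in debian/patches but is missing from debian/patches/series and so is never applied to the binary package. The function names, the sample trees and the patch file names are constructed for illustration; return code 2 covers a package with no series file, as described for the lenny version.

```shell
#!/bin/sh
# Added example (not from the bug log): list patch files under debian/patches
# that the quilt "series" file does not name, i.e. patches that ship in the
# source package but are never applied to the built binary package.

# unlisted_patches SRCDIR
#   stdout: one unlisted patch path (relative to debian/patches) per line
#   return: 0 all patches listed, 1 some unlisted,
#           2 no series file (a different patch system may be in use),
#           3 no debian/patches directory
unlisted_patches() {
    patchdir="$1/debian/patches"
    [ -d "$patchdir" ] || return 3
    [ -f "$patchdir/series" ] || return 2

    # Entries in series: strip comments, skip blank lines, keep field 1
    # (quilt allows strip options such as -p1 after the name).
    listed=$(sed 's/#.*//' "$patchdir/series" | awk 'NF { print $1 }')

    missing=$(
        find "$patchdir" -type f | sort | while IFS= read -r f; do
            name=${f#"$patchdir"/}
            case "$name" in
                series|README*) continue ;;   # not patches
            esac
            printf '%s\n' "$listed" | grep -Fxq -- "$name" ||
                printf '%s\n' "$name"
        done
    )
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# make_sample_tree KIND: build a constructed source tree in a temp directory
# and print its path. The patch file names are placeholders, not the real ones.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/debian/patches"
    : > "$t/debian/patches/fix-xss.patch"          # constructed, empty patch
    : > "$t/debian/patches/01-existing.patch"
    case "$1" in
        forgotten)  # fix dropped into the directory but not added to series
            printf '# applied in order\n01-existing.patch -p1\n' \
                > "$t/debian/patches/series" ;;
        listed)
            printf '01-existing.patch -p1\nfix-xss.patch\n' \
                > "$t/debian/patches/series" ;;
        noseries)   # package that does not use a series file
            ;;
    esac
    printf '%s\n' "$t"
}

# Demo on the constructed trees.
for kind in forgotten listed noseries; do
    tree=$(make_sample_tree "$kind")
    if out=$(unlisted_patches "$tree"); then rc=0; else rc=$?; fi
    printf '%s: rc=%s unlisted=[%s]\n' "$kind" "$rc" "$out"
    rm -rf "$tree"
done
```

A return code of 2 is not a pass: it only says that no series file exists, so whether the patch is applied has to be confirmed against the patch system the package actually uses.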

Information forwarded to debian-bugs-dist@lists.debian.org, Marcelo Jorge Vieira (metal) <metal@debian.org>:
Bug#611940; Package magpierss. (Mon, 21 Feb 2011 23:30:57 GMT) (full text, mbox, link).


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Marcelo Jorge Vieira (metal) <metal@debian.org>. (Mon, 21 Feb 2011 23:30:57 GMT) (full text, mbox, link).


Message #45 received at 611940@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Marcelo Jorge Vieira <metal@debian.org>
Cc: 611940@bugs.debian.org, Jonathan Wiltshire <jmw@debian.org>, team@security.debian.org
Subject: Re: Bug#611940: magpierss: CVE-2011-0740 Cross-site scripting vulnerability in scripts/magpie_slashbox.php
Date: Mon, 21 Feb 2011 23:18:30 +0000
On Mon, 2011-02-21 at 19:59 -0300, Marcelo Jorge Vieira wrote:
> On Mon, 2011-02-21 at 22:21 +0000, Adam D. Barratt wrote:
> > On Mon, 2011-02-21 at 18:58 -0300, Marcelo Jorge Vieira wrote:
> > > [0] http://people.debian.org/~metal/magpierss/
> > 
> > Thanks.  The patch itself looks okay, but it doesn't appear to have been
> > added to debian/patches/series, so isn't applied in the resulting binary
> > package.
[...]
> > I've just spotted that the same is true for the lenny package.  Would
> > you like to upload 0.72-5+lenny2 adding the patch to series, or prefer
> > that I reject +lenny1 so that you can upload a fixed package using that
> > version number?
> 
> The lenny version uses cdbs + simple-patchsys, so there is no
> series file.

Ah, yes; sorry for not checking that.

> Only squeeze version is wrong. I fixed it and
> uploaded it here [0] again.
> 
> [0] http://people.debian.org/~metal/magpierss/

That looks much better :-)  Thanks.

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Marcelo Jorge Vieira (metal) <metal@debian.org>:
Bug#611940; Package magpierss. (Mon, 21 Feb 2011 23:36:09 GMT) (full text, mbox, link).


Acknowledgement sent to Marcelo Jorge Vieira <metal@debian.org>:
Extra info received and forwarded to list. Copy sent to Marcelo Jorge Vieira (metal) <metal@debian.org>. (Mon, 21 Feb 2011 23:36:09 GMT) (full text, mbox, link).


Message #50 received at 611940@bugs.debian.org (full text, mbox, reply):

From: Marcelo Jorge Vieira <metal@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 611940@bugs.debian.org, Jonathan Wiltshire <jmw@debian.org>, team@security.debian.org
Subject: Re: Bug#611940: magpierss: CVE-2011-0740 Cross-site scripting vulnerability in scripts/magpie_slashbox.php
Date: Mon, 21 Feb 2011 20:30:36 -0300
[Message part 1 (text/plain, inline)]
Hi Adam,

On Mon, 2011-02-21 at 23:18 +0000, Adam D. Barratt wrote:
> > Only squeeze version is wrong. I fixed it and
> > uploaded it here [0] again.
> > 
> > [0] http://people.debian.org/~metal/magpierss/
> 
> That looks much better :-)  Thanks.

I uploaded magpierss package to s-p-u, thanks!


Cheers,

-- 
Marcelo Jorge Vieira
xmpp:metal@jabber-br.org
http://metaldot.alucinados.com
[signature.asc (application/pgp-signature, inline)]

Reply sent to Marcelo Jorge Vieira (metal) <metal@alucinados.com>:
You have taken responsibility. (Tue, 22 Feb 2011 02:00:04 GMT) (full text, mbox, link).


Notification sent to Jonathan Wiltshire <jmw@debian.org>:
Bug acknowledged by developer. (Tue, 22 Feb 2011 02:00:04 GMT) (full text, mbox, link).


Message #55 received at 611940-close@bugs.debian.org (full text, mbox, reply):

From: Marcelo Jorge Vieira (metal) <metal@alucinados.com>
To: 611940-close@bugs.debian.org
Subject: Bug#611940: fixed in magpierss 0.72-5+lenny1
Date: Tue, 22 Feb 2011 01:56:46 +0000
Source: magpierss
Source-Version: 0.72-5+lenny1

We believe that the bug you reported is fixed in the latest version of
magpierss, which is due to be installed in the Debian FTP archive:

magpierss_0.72-5+lenny1.diff.gz
  to main/m/magpierss/magpierss_0.72-5+lenny1.diff.gz
magpierss_0.72-5+lenny1.dsc
  to main/m/magpierss/magpierss_0.72-5+lenny1.dsc
magpierss_0.72-5+lenny1_all.deb
  to main/m/magpierss/magpierss_0.72-5+lenny1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 611940@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marcelo Jorge Vieira (metal) <metal@alucinados.com> (supplier of updated magpierss package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 20 Feb 2011 22:12:00 -0300
Source: magpierss
Binary: magpierss
Architecture: source all
Version: 0.72-5+lenny1
Distribution: oldstable-proposed-updates
Urgency: low
Maintainer: Marcelo Jorge Vieira (metal) <metal@alucinados.com>
Changed-By: Marcelo Jorge Vieira (metal) <metal@alucinados.com>
Description: 
 magpierss  - provides an XML-based RSS parser in PHP
Closes: 611940
Changes: 
 magpierss (0.72-5+lenny1) oldstable-proposed-updates; urgency=low
 .
   * Fixing CVE-2011-0740 (Closes: #611940)
 .
     Cross-site scripting (XSS) vulnerability in
     scripts/magpie_slashbox.php and scripts/simple_smarty.php





Reply sent to Marcelo Jorge Vieira (metal) <metal@alucinados.com>:
You have taken responsibility. (Wed, 23 Feb 2011 07:57:05 GMT) (full text, mbox, link).


Notification sent to Jonathan Wiltshire <jmw@debian.org>:
Bug acknowledged by developer. (Wed, 23 Feb 2011 07:57:05 GMT) (full text, mbox, link).


Message #60 received at 611940-close@bugs.debian.org (full text, mbox, reply):

From: Marcelo Jorge Vieira (metal) <metal@alucinados.com>
To: 611940-close@bugs.debian.org
Subject: Bug#611940: fixed in magpierss 0.72-8+squeeze1
Date: Wed, 23 Feb 2011 07:56:26 +0000
Source: magpierss
Source-Version: 0.72-8+squeeze1

We believe that the bug you reported is fixed in the latest version of
magpierss, which is due to be installed in the Debian FTP archive:

libphp-magpierss_0.72-8+squeeze1_all.deb
  to main/m/magpierss/libphp-magpierss_0.72-8+squeeze1_all.deb
magpierss_0.72-8+squeeze1.diff.gz
  to main/m/magpierss/magpierss_0.72-8+squeeze1.diff.gz
magpierss_0.72-8+squeeze1.dsc
  to main/m/magpierss/magpierss_0.72-8+squeeze1.dsc
magpierss_0.72-8+squeeze1_all.deb
  to main/m/magpierss/magpierss_0.72-8+squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 611940@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marcelo Jorge Vieira (metal) <metal@alucinados.com> (supplier of updated magpierss package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 21 Feb 2011 17:15:19 -0300
Source: magpierss
Binary: libphp-magpierss magpierss
Architecture: source all
Version: 0.72-8+squeeze1
Distribution: stable-proposed-updates
Urgency: low
Maintainer: Marcelo Jorge Vieira (metal) <metal@alucinados.com>
Changed-By: Marcelo Jorge Vieira (metal) <metal@alucinados.com>
Description: 
 libphp-magpierss - provides an XML-based RSS parser in PHP
 magpierss  - transitional dummy package for libphp-magpierss
Closes: 611940
Changes: 
 magpierss (0.72-8+squeeze1) stable-proposed-updates; urgency=low
 .
   * Fixing CVE-2011-0740 (Closes: #611940)
 .
     Cross-site scripting (XSS) vulnerability in
     scripts/magpie_slashbox.php and scripts/simple_smarty.php





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 24 Mar 2011 07:37:05 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:56:33 2019; Machine Name: buxtehude
