hyperestraier: CVE-2006-3671: cross-site request forgery

Related Vulnerabilities: CVE-2006-3671  

Debian Bug report logs - #379060


Reported by: Alec Berryman <alec@thened.net>

Date: Thu, 20 Jul 2006 22:18:09 UTC

Severity: serious

Tags: fixed-upstream, security

Found in version hyperestraier/1.2.5-1

Fixed in version hyperestraier/1.3.3-1

Done: Fumitoshi UKAI <ukai@debian.or.jp>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Fumitoshi UKAI <ukai@debian.or.jp>:
Bug#379060; Package hyperestraier.


Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Fumitoshi UKAI <ukai@debian.or.jp>.


Message #5 received at submit@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: hyperestraier: CVE-2006-3671: cross-site request forgery
Date: Thu, 20 Jul 2006 17:54:17 -0400
Package: hyperestraier
Version: 1.2.5-1
Severity: serious
Tags: security fixed-upstream

CVE-2006-3671: "Cross-site request forgery (CSRF) vulnerability in the
communicate function in estmaster.c for Hyper Estraier before 1.3.3
allows remote attackers to perform unauthorized actions as other users
via unknown vectors."

This is fixed upstream in 1.3.3; see [1] for more details.

hyperestraier is not in sarge.

Please mention the CVE in your changelog.

Thanks,

Alec

[1] http://sourceforge.net/project/shownotes.php?release_id=432119




Reply sent to Fumitoshi UKAI <ukai@debian.or.jp>:
You have taken responsibility.


Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.


Message #10 received at 379060-close@bugs.debian.org:

From: Fumitoshi UKAI <ukai@debian.or.jp>
To: 379060-close@bugs.debian.org
Subject: Bug#379060: fixed in hyperestraier 1.3.3-1
Date: Sat, 22 Jul 2006 17:17:18 -0700
Source: hyperestraier
Source-Version: 1.3.3-1

We believe that the bug you reported is fixed in the latest version of
hyperestraier, which is due to be installed in the Debian FTP archive:

hyperestraier_1.3.3-1.diff.gz
  to pool/main/h/hyperestraier/hyperestraier_1.3.3-1.diff.gz
hyperestraier_1.3.3-1.dsc
  to pool/main/h/hyperestraier/hyperestraier_1.3.3-1.dsc
hyperestraier_1.3.3-1_i386.deb
  to pool/main/h/hyperestraier/hyperestraier_1.3.3-1_i386.deb
hyperestraier_1.3.3.orig.tar.gz
  to pool/main/h/hyperestraier/hyperestraier_1.3.3.orig.tar.gz
libestraier-dev_1.3.3-1_i386.deb
  to pool/main/h/hyperestraier/libestraier-dev_1.3.3-1_i386.deb
libestraier-java_1.3.3-1_i386.deb
  to pool/main/h/hyperestraier/libestraier-java_1.3.3-1_i386.deb
libestraier-ruby1.8_1.3.3-1_i386.deb
  to pool/main/h/hyperestraier/libestraier-ruby1.8_1.3.3-1_i386.deb
libestraier8_1.3.3-1_i386.deb
  to pool/main/h/hyperestraier/libestraier8_1.3.3-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 379060@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fumitoshi UKAI <ukai@debian.or.jp> (supplier of updated hyperestraier package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sun, 23 Jul 2006 08:27:40 +0900
Source: hyperestraier
Binary: hyperestraier libestraier-java libestraier8 libestraier-dev libestraier-ruby1.8
Architecture: source i386
Version: 1.3.3-1
Distribution: unstable
Urgency: high
Maintainer: Fumitoshi UKAI <ukai@debian.or.jp>
Changed-By: Fumitoshi UKAI <ukai@debian.or.jp>
Description: 
 hyperestraier - a full-text search system for communities
 libestraier-dev - a full-text search system Libraries [development]
 libestraier-java - Hyper Estraier Node API Libraries for Java
 libestraier-ruby1.8 - Hyper Estraier Node API Libraries for Ruby
 libestraier8 - a full-text search system Libraries [runtime]
Closes: 367374 368906 376897 377743 379060
Changes: 
 hyperestraier (1.3.3-1) unstable; urgency=high
 .
   * New upstream release
     fix CVE-2006-3671: cross-site request forgery
     closes: Bug#379060
     new bindaddr configuration parameter in _conf
     closes: Bug#368906
   * debian/hyperestraier.init: fix to exit successfully when NO_START=1
     closes: Bug#367374, Bug#377743
   * debian/control: remove pphtml from Recommends, since it is not available
     any more.
     closes: Bug#376897
Files: 





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 02:39:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:50:31 2019; Machine Name: beach
