Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[SECURITY] [DSA 1937-1] New gforge packages fix cross-site scripting
From: white () debian org (Steffen Joeris)
Date: Sat, 21 Nov 2009 16:30:22 +1100 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1937-1                  security () debian org
http://www.debian.org/security/                      Steffen Joeris
November 21, 2009                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : gforge
Vulnerability  : insufficient input sanitising
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2009-3303


It was discovered that gforge, collaborative development tool, is prone
to a cross-site scripting attack via the helpname parameter. Beside
fixing this issue, the update also introduces some additional input
sanitising. However, there are no known attack vectors.


For the stable distribution (lenny), these problem have been fixed in
version 4.7~rc2-7lenny2.

The oldstable distribution (etch), these problems have been fixed in
version 4.5.14-22etch12.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 4.8.1-3.


We recommend that you upgrade your gforge packages.


Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch12.diff.gz
    Size/MD5 checksum:   203139 67406308953934e8d68ca1cd97154023
  http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch12.dsc
    Size/MD5 checksum:      953 2176dd5939538d180d60637d77260f19
  http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz
    Size/MD5 checksum:  2161141 e85f82eff84ee073f80a2a52dd32c8a5

Architecture independent packages:

  http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.5.14-22etch12_all.deb
    Size/MD5 checksum:   705438 d40c97c6f0d0823b966b48b9b1b7eb6f
  http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch12_all.deb
    Size/MD5 checksum:    80534 c86b0696f707df2df400ef46838a2505
  http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch12_all.deb
    Size/MD5 checksum:  1011566 644f57ac3a902d69369806763b29e484
  http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.5.14-22etch12_all.deb
    Size/MD5 checksum:   104034 43bb51625ea030e4bca2a1753720acd0
  http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_4.5.14-22etch12_all.deb
    Size/MD5 checksum:    86598 801eb1462e783877698f8181e93c7d37
  http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.5.14-22etch12_all.deb
    Size/MD5 checksum:    87402 9601350198b4a1c4946b26cbfc0089f0
  http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_4.5.14-22etch12_all.deb
    Size/MD5 checksum:    88868 9c73567d60ede088fe7c952c0d575a22
  http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.5.14-22etch12_all.deb
    Size/MD5 checksum:    82348 ad231cb698733f3c3ce6cb65357aacee
  http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.5.14-22etch12_all.deb
    Size/MD5 checksum:    86318 448d7f114da5ef2188aa56f8dcd130f4
  http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_4.5.14-22etch12_all.deb
    Size/MD5 checksum:    95726 d6557e0016666a5e9c53f38fed49c322
  http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.5.14-22etch12_all.deb
    Size/MD5 checksum:    88766 c78075b8eab9c9b3ead54716d10cf370
  http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.5.14-22etch12_all.deb
    Size/MD5 checksum:    89386 2837d3a26850e5622294eb44aa49f3e2
  http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.5.14-22etch12_all.deb
    Size/MD5 checksum:   212746 1c48e12e5e61d5f56edd0de46884af52
  http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.5.14-22etch12_all.deb
    Size/MD5 checksum:    76334 4e63c7735c92764d82dfdf4f742be2cb


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny2.dsc
    Size/MD5 checksum:     1487 0b1ce8a3757f45818006361e1eeb8140
  http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny2.diff.gz
    Size/MD5 checksum:   104727 3ce01d7387d05990a61a28e831a62f7b
  http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2.orig.tar.gz
    Size/MD5 checksum: 10225404 bd24808ce79363d4c7c529778f6f5324

Architecture independent packages:

  http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.7~rc2-7lenny2_all.deb
    Size/MD5 checksum:   100794 9e7c73b64c1929858089717fc32585b2
  http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny2_all.deb
    Size/MD5 checksum:    92854 e9c5d38f5fc5a51fe417b38b6c359702
  http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-scmcvs_4.7~rc2-7lenny2_all.deb
    Size/MD5 checksum:   129406 053272d5f4440d75825890ddd6bf5169
  http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.7~rc2-7lenny2_all.deb
    Size/MD5 checksum:  1112528 77f4e8dc932777a36cf941a1bd5b10a8
  http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-mediawiki_4.7~rc2-7lenny2_all.deb
    Size/MD5 checksum:   213574 14405a0cb843748ba77c691eaa60d4b6
  http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.7~rc2-7lenny2_all.deb
    Size/MD5 checksum:   101554 3aa3bb38dfc4a8bb3834f3397b03c688
  http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.7~rc2-7lenny2_all.deb
    Size/MD5 checksum:    97364 7a73fb6cd3af0addda1076f68b4ceaa7
  http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.7~rc2-7lenny2_all.deb
    Size/MD5 checksum:    95108 3dac1b4c78f967488693d3efb8b9f1b0
  http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.7~rc2-7lenny2_all.deb
    Size/MD5 checksum:    88522 ffb28f911b5b5a638376cfaa598dc443
  http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-scmsvn_4.7~rc2-7lenny2_all.deb
    Size/MD5 checksum:   122034 565dcc6c8acccfa4c6ae12121b774fa6
  http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache2_4.7~rc2-7lenny2_all.deb
    Size/MD5 checksum:  1397340 47fdfdfda7355f12fe807d9f01e79d5c
  http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.7~rc2-7lenny2_all.deb
    Size/MD5 checksum:   231012 3a6ff0778f890ca32ec7c8fae97ef996
  http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.7~rc2-7lenny2_all.deb
    Size/MD5 checksum:    94622 b533f09eedfd0b9f29dd07d4f9e64e06
  http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.7~rc2-7lenny2_all.deb
    Size/MD5 checksum:   106930 fcd1127a7c6c19ccf3c2a4a4931eb598
  http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.7~rc2-7lenny2_all.deb
    Size/MD5 checksum:    88790 428a7b29217a916f004c085507128f88


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce () lists debian org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksHem4ACgkQ62zWxYk/rQc8OwCeL/MYC9AWieVtnpBrtzn8Z79L
EqQAnjfyotsvfsH2Y6qJ1aC4g9+K1xTU
=UVaP
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [SECURITY] [DSA 1937-1] New gforge packages fix cross-site scripting Steffen Joeris (Nov 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]