Your message dated Wed, 10 Oct 2007 08:47:22 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#443901: fixed in phpgedview 4.1.e+4.1.1-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: phpgedview
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for phpgedview.

CVE-2007-5051[0]:
| Multiple cross-site scripting (XSS) vulnerabilities in PhpGedView
| 4.1.1 allow remote attackers to inject arbitrary web script or HTML
| via the (1) box_width, (2) PEDIGREE_GENERATIONS, and (3) rootid
| parameters in ancestry.php, and the (4) newpid parameter in
| timeline.php.  NOTE: the provenance of this information is unknown; the
| details are obtained solely from third party information.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

I checked this issue and the mentioned variables are not
sanitized before being displayed.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5051

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
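The report above describes request parameters that reach the page unescaped. The following is an added illustration, not PhpGedView's own code: an assumed echo site for the ancestry.php parameters named in the CVE (newpid in timeline.php is an identifier of the same kind as rootid and gets the same treatment), shown in its vulnerable form beside a hardened one. Function names, default values, the clamping bounds and the identifier pattern are assumptions; PHP 7 or later is assumed.

```php
<?php
// Added illustration, not PhpGedView's code. Models the defect class in
// CVE-2007-5051: values from the query string written into HTML unescaped.

// Vulnerable pattern: parameter values flow straight into HTML output.
function render_ancestry_vulnerable(array $get): string {
    $rootid      = $get['rootid'] ?? '';
    $generations = $get['PEDIGREE_GENERATIONS'] ?? '4';
    $box_width   = $get['box_width'] ?? '100';
    return '<div style="width:' . $box_width . '%">'
         . '<input name="rootid" value="' . $rootid . '">'
         . '<input name="PEDIGREE_GENERATIONS" value="' . $generations . '">'
         . '</div>';
}

// Hardened: numeric parameters are cast and clamped, identifiers are
// validated against the shape they must have, and string output is
// escaped for the HTML attribute context it lands in.
function render_ancestry_hardened(array $get): string {
    // Numeric inputs: integer cast plus a sane range (bounds are assumptions).
    $generations = max(1, min(9, (int)($get['PEDIGREE_GENERATIONS'] ?? 4)));
    $box_width   = max(50, min(300, (int)($get['box_width'] ?? 100)));

    // Record ids (assumed shape: short alphanumeric like I123); reject others.
    $rootid = (string)($get['rootid'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{0,20}$/', $rootid)) {
        $rootid = '';
    }

    // Output encoding: quotes and angle brackets become entities.
    $safe_rootid = htmlspecialchars($rootid, ENT_QUOTES, 'UTF-8');
    return '<div style="width:' . $box_width . '%">'
         . '<input name="rootid" value="' . $safe_rootid . '">'
         . '<input name="PEDIGREE_GENERATIONS" value="' . $generations . '">'
         . '</div>';
}

// Constructed sample request: characters that must never reach HTML raw.
$sample = ['rootid' => 'I1"<x>', 'PEDIGREE_GENERATIONS' => '3', 'box_width' => '80'];
echo render_ancestry_vulnerable($sample), "\n"; // quote and tag land in the attribute
echo render_ancestry_hardened($sample), "\n";   // rootid rejected, numbers clamped
```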
--- Begin Message ---
Source: phpgedview
Source-Version: 4.1.e+4.1.1-2

We believe that the bug you reported is fixed in the latest version of
phpgedview, which is due to be installed in the Debian FTP archive:

phpgedview-languages_4.1.e+4.1.1-2_all.deb
  to pool/main/p/phpgedview/phpgedview-languages_4.1.e+4.1.1-2_all.deb
phpgedview-places_4.1.e+4.1.1-2_all.deb
  to pool/main/p/phpgedview/phpgedview-places_4.1.e+4.1.1-2_all.deb
phpgedview-themes_4.1.e+4.1.1-2_all.deb
  to pool/main/p/phpgedview/phpgedview-themes_4.1.e+4.1.1-2_all.deb
phpgedview_4.1.e+4.1.1-2.diff.gz
  to pool/main/p/phpgedview/phpgedview_4.1.e+4.1.1-2.diff.gz
phpgedview_4.1.e+4.1.1-2.dsc
  to pool/main/p/phpgedview/phpgedview_4.1.e+4.1.1-2.dsc
phpgedview_4.1.e+4.1.1-2_all.deb
  to pool/main/p/phpgedview/phpgedview_4.1.e+4.1.1-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated phpgedview package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


Format: 1.7
Date: Wed, 10 Oct 2007 10:08:42 +0200
Source: phpgedview
Binary: phpgedview-places phpgedview-languages phpgedview phpgedview-themes
Architecture: source all
Version: 4.1.e+4.1.1-2
Distribution: unstable
Urgency: medium
Maintainer: Thijs Kinkhorst <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description: 
 phpgedview - Web-based genealogy viewer and editor
 phpgedview-languages - Language modules for PhpGedView
 phpgedview-places - Place names and maps for PhpGedView
 phpgedview-themes - PhpGedView themes
Closes: 443901
Changes: 
 phpgedview (4.1.e+4.1.1-2) unstable; urgency=medium
 .
   * Fix cross site scripting (XSS) issues, thanks Nico Golde for
     helping to research the patch (CVE-2007-5051, closes: #443901).
Files: 
 41e6c72327d33a402644d92b21249ff0 1114 web optional phpgedview_4.1.e+4.1.1-2.dsc
 a384d49c22c67b1d6e4771a6e2036970 9755 web optional phpgedview_4.1.e+4.1.1-2.diff.gz
 c035cd43842757a347165c96b6690c65 5020070 web optional phpgedview_4.1.e+4.1.1-2_all.deb
 ae8e0cc73d1824859a2bb8c8ae96d5bb 920372 web optional phpgedview-themes_4.1.e+4.1.1-2_all.deb
 27605bca7a9ddf2e6c2aabe6f67783ae 2301162 web optional phpgedview-places_4.1.e+4.1.1-2_all.deb
 c27770bf4be33b49ea906b5a8bb11d78 1903424 web optional phpgedview-languages_4.1.e+4.1.1-2_all.deb

--- End Message ---