Your message dated Sun, 21 Oct 2007 09:02:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#445477: fixed in jspwiki 2.5.139-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: jspwiki
Severity: important

Hi

There are three CVEs assigned against jspwiki, could you please check
if the Debian versions are affected?


CVE-2007-5121:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5121

Cross-site scripting (XSS) vulnerability in JSPWiki 2.5.139-beta allows
remote attackers to inject arbitrary web script or HTML via the redirect
parameter to wiki-3/Login.jsp and unspecified other components.


CVE-2007-5120:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5120

Multiple cross-site scripting (XSS) vulnerabilities in JSPWiki 2.4.103
and 2.5.139-beta allow remote attackers to inject arbitrary web script
or HTML via the (1) group and (2) members parameters in (a)
NewGroup.jsp; the (3) edittime parameter in (b) Edit.jsp; the (4)
edittime, (5) author, and (6) link parameters in (c) Comment.jsp; the
(7) loginname, (8) wikiname, (9) fullname, and (10) email parameters in
(d) UserPreferences.jsp and (e) Login.jsp; the (11) r1 and (12) r2
parameters in (f) Diff.jsp; and the (13) changenote parameter in (g)
PageInfo.jsp. 


CVE-2007-5119:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5119

JSPWiki 2.4.103 and 2.5.139-beta allows remote attackers to obtain
sensitive information (full path) via an invalid integer in the version
parameter to the default URI under attach/Main/.


Thanks for your efforts
Cheers
Steffen



--- End Message ---
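An added illustration, not JSPWiki's code and not part of this bug thread, of the hardened handling the report above calls for: escaping a reflected request parameter such as `redirect` before it lands in HTML, and validating the `version` parameter as an integer up front so a malformed value never reaches a code path whose unhandled exception could render an error page with server paths in it. The class and method names, the default redirect target and the "exception leaks the path" mechanism are assumptions.

```java
// Added example (assumed names), not JSPWiki's own code: defensive handling
// of the two parameter classes named in CVE-2007-5121/-5120 and CVE-2007-5119.
import java.util.Optional;

public final class SafeParams {

    // Assumed default page used when a redirect target is rejected.
    static final String DEFAULT_TARGET = "Main";

    // Reflected-parameter class: a value echoed into HTML must be escaped
    // so it can only ever be rendered as text, never as markup.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // A redirect target is additionally restricted to a plain local page
    // name; anything else (markup, scheme, traversal) falls back to default.
    static String safeRedirect(String redirect) {
        if (redirect == null || !redirect.matches("[A-Za-z0-9_./-]+")
                || redirect.startsWith("//") || redirect.contains("..")) {
            return DEFAULT_TARGET;
        }
        return escapeHtml(redirect);
    }

    // Integer-parameter class: accept only a bounded run of digits, so
    // parseInt cannot throw and no stack trace (with paths) can be shown.
    static Optional<Integer> parseVersion(String v) {
        if (v == null || !v.matches("\\d{1,9}")) return Optional.empty();
        return Optional.of(Integer.parseInt(v));
    }

    public static void main(String[] args) {
        // Constructed sample inputs in the shape the advisory text describes.
        System.out.println(safeRedirect("\"><b>x</b>"));
        System.out.println(safeRedirect("Main"));
        System.out.println(parseVersion("abc").isPresent());
        System.out.println(parseVersion("3").get());
    }
}
```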
--- Begin Message ---
Source: jspwiki
Source-Version: 2.5.139-1

We believe that the bug you reported is fixed in the latest version of
jspwiki, which is due to be installed in the Debian FTP archive:

jspwiki_2.5.139-1.diff.gz
  to pool/main/j/jspwiki/jspwiki_2.5.139-1.diff.gz
jspwiki_2.5.139-1.dsc
  to pool/main/j/jspwiki/jspwiki_2.5.139-1.dsc
jspwiki_2.5.139-1_all.deb
  to pool/main/j/jspwiki/jspwiki_2.5.139-1_all.deb
jspwiki_2.5.139.orig.tar.gz
  to pool/main/j/jspwiki/jspwiki_2.5.139.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kalle Kivimaa <[EMAIL PROTECTED]> (supplier of updated jspwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 21 Oct 2007 08:00:00 +0300
Source: jspwiki
Binary: jspwiki
Architecture: source all
Version: 2.5.139-1
Distribution: unstable
Urgency: low
Maintainer: Kalle Kivimaa <[EMAIL PROTECTED]>
Changed-By: Kalle Kivimaa <[EMAIL PROTECTED]>
Description: 
 jspwiki    - WikiWikiWeb clone written in Java
Closes: 430066 435780 437111 437113 445350 445477
Changes: 
 jspwiki (2.5.139-1) unstable; urgency=low
 .
   * New upstream release. Closes: #430066.
   * Upstream fixed the XSS CVEs. Closes: #445477.
   * Updated French translation. Closes: #435780.
   * Updated German translation. Closes: #437111.
   * Updated Portuguese translation. Closes: #445350.
   * Fixed debconf typos. Closes: #437113.
   * doc/Templates.txt has been removed from the upstream.
   * Fixed the tomcat.policy.
   * Added the new security options to the jspwiki.properties.
   * Added empty userdatabase and groupdatabase xml files.
Files: 
 3925e00b08497cbb2abdf6b0cffb1fb4 700 web optional jspwiki_2.5.139-1.dsc
 046c655536963e81d692e24f66bd242f 8236344 web optional jspwiki_2.5.139.orig.tar.gz
 d3d8296b0851a9b2f4d7f9f16fc8b176 33358 web optional jspwiki_2.5.139-1.diff.gz
 1a47afacdbd89366866d35e34b34e44f 5093062 web optional jspwiki_2.5.139-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHGwXukuYKi19tgBURArLSAJ4u0pIOlTxsoUJBISYturvRdy9v+gCgryW3
PUnplnyuxb1wXR8Y4dxdnGs=
=ePls
-----END PGP SIGNATURE-----



--- End Message ---
