Your message dated Fri, 04 Jan 2008 21:17:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#456148: fixed in libjfreechart-java 1.0.9-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libjfreechart-java
Severity: important
Tags: security
Hi
The following CVE[0] has been issued against libjfreechart-java.
CVE-2007-6306:
Multiple cross-site scripting (XSS) vulnerabilities in the image map
feature in JFreeChart 1.0.8 allow remote attackers to inject arbitrary
web script or HTML via the (1) chart name or (2) chart tool tip text; or
the (3) href, (4) shape, or (5) coords attribute of a chart area.
A potential patch can be found here[1][2]; not quite sure if there is
more.
Please mention the CVE id in the changelog when you fix this issue.
Thanks for your efforts.
Cheers
Steffen
[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6306
[1]: http://jfreechart.svn.sourceforge.net/viewvc/jfreechart/trunk/source/org/jfree/chart/entity/ChartEntity.java?r1=662&r2=661&pathrev=662
[2]: http://jfreechart.svn.sourceforge.net/viewvc/jfreechart/trunk/source/org/jfree/chart/imagemap/ImageMapUtilities.java?r1=662&r2=661&pathrev=662
--- End Message ---
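The report above describes untrusted chart values (name, tooltip, href, shape, coords) landing verbatim in generated image-map HTML. As an added example that is neither JFreeChart's code nor the linked patches, the Java below shows an area-tag builder in its vulnerable form beside a hardened one; ImageMapEscapeDemo, htmlEscape, areaTagUnsafe and areaTagSafe are hypothetical names, and the tooltip string is constructed.

```java
import java.util.Locale;
import java.util.regex.Pattern;

/* Added example, not JFreeChart's own code: an image-map <area> element built the
 * vulnerable way (values copied verbatim) and the hardened way. All names are hypothetical. */
public class ImageMapEscapeDemo {
    private static final Pattern COORDS = Pattern.compile("[0-9]+(\\s*,\\s*[0-9]+)*");

    /* Escape a value for use inside a double-quoted HTML attribute. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /* Vulnerable pattern: tooltip, href, shape and coords land in the HTML untouched. */
    static String areaTagUnsafe(String shape, String coords, String href, String toolTip) {
        return "<area shape=\"" + shape + "\" coords=\"" + coords + "\" href=\"" + href
                + "\" title=\"" + toolTip + "\"/>";
    }

    /* Hardened: shape and coords must fit the HTML grammar; free-text values are escaped.
     * Escaping does not vet the href's scheme, so keep that check in the caller if hrefs are untrusted. */
    static String areaTagSafe(String shape, String coords, String href, String toolTip) {
        String s = shape.toLowerCase(Locale.ROOT);
        if (!(s.equals("rect") || s.equals("circle") || s.equals("poly"))) {
            throw new IllegalArgumentException("unexpected shape: " + shape);
        }
        if (!COORDS.matcher(coords).matches()) {
            throw new IllegalArgumentException("malformed coords: " + coords);
        }
        return "<area shape=\"" + s + "\" coords=\"" + coords + "\" href=\"" + htmlEscape(href)
                + "\" title=\"" + htmlEscape(toolTip) + "\"/>";
    }

    public static void main(String[] args) {
        String tip = "Q1 \"Sales\" <estimate>";   // constructed tooltip with attribute-breaking characters
        System.out.println(areaTagUnsafe("rect", "0,0,40,40", "/detail?series=1&item=2", tip));
        System.out.println(areaTagSafe("rect", "0,0,40,40", "/detail?series=1&item=2", tip));
    }
}
```

The first line printed shows the quote in the tooltip terminating the title attribute; the second keeps every value inside its attribute.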
--- Begin Message ---
Source: libjfreechart-java
Source-Version: 1.0.9-1
We believe that the bug you reported is fixed in the latest version of
libjfreechart-java, which is due to be installed in the Debian FTP archive:
libjfreechart-java-doc_1.0.9-1_all.deb
to pool/main/libj/libjfreechart-java/libjfreechart-java-doc_1.0.9-1_all.deb
libjfreechart-java_1.0.9-1.diff.gz
to pool/main/libj/libjfreechart-java/libjfreechart-java_1.0.9-1.diff.gz
libjfreechart-java_1.0.9-1.dsc
to pool/main/libj/libjfreechart-java/libjfreechart-java_1.0.9-1.dsc
libjfreechart-java_1.0.9-1_all.deb
to pool/main/libj/libjfreechart-java/libjfreechart-java_1.0.9-1_all.deb
libjfreechart-java_1.0.9.orig.tar.gz
to pool/main/libj/libjfreechart-java/libjfreechart-java_1.0.9.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Varun Hiremath <[EMAIL PROTECTED]> (supplier of updated libjfreechart-java package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 05 Jan 2008 01:08:58 +0530
Source: libjfreechart-java
Binary: libjfreechart-java-doc libjfreechart-java
Architecture: source all
Version: 1.0.9-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <[EMAIL PROTECTED]>
Changed-By: Varun Hiremath <[EMAIL PROTECTED]>
Description:
libjfreechart-java - Chart library for Java
libjfreechart-java-doc - Chart library for Java - documentation
Closes: 456148
Changes:
libjfreechart-java (1.0.9-1) unstable; urgency=high
.
[ Varun Hiremath ]
* New upstream release
* This release fixes the following security issue:
+ Multiple cross-site scripting vulnerabilities in the image map
feature allow remote attackers to inject arbitrary web script or HTML
via several attributes (CVE-2007-6306; Closes: #456148).
* Fix debian/watch to include letters also in upstream version.
* Make some minor fixes in debian/orig-tar.sh file.
* debian/control: Bumped up Standards-Version to 3.7.3
.
[ Michael Koch ]
* Use uscan SourceForge helper in watch file.
Files:
a76c253b3c9ab70a66d58ac122278132 1110 libs optional libjfreechart-java_1.0.9-1.dsc
38c83ca75c50564337d585799819fc95 1351748 libs optional libjfreechart-java_1.0.9.orig.tar.gz
a58e395ecf4ea91a02b777262f5af633 4072 libs optional libjfreechart-java_1.0.9-1.diff.gz
dc4e4f6f3de6b15ef911e9e129f9bc63 1307878 libs optional libjfreechart-java_1.0.9-1_all.deb
aa5eb879a78f4c1c0e7d585cde06a3a3 5790130 doc optional libjfreechart-java-doc_1.0.9-1_all.deb
--- End Message ---