Your message dated Wed, 27 Dec 2017 01:19:36 +0000
with message-id <[email protected]>
and subject line Bug#866722: fixed in ntopng 3.2+dfsg1-1
has caused the Debian Bug report #866722,
regarding ntopng: CVE-2017-7416
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
866722: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866722
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: ntopng
Version: 2.4+dfsg1-3
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for ntopng.

CVE-2017-7416[0]:
| ntopng before 3.0 allows XSS because GET and POST parameters are
| improperly validated.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7416
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7416

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: ntopng
Source-Version: 3.2+dfsg1-1

We believe that the bug you reported is fixed in the latest version of
ntopng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovico Cavedon <[email protected]> (supplier of updated ntopng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 Dec 2017 01:13:57 +0100
Source: ntopng
Binary: ntopng ntopng-data
Architecture: source all amd64
Version: 3.2+dfsg1-1
Distribution: unstable
Urgency: medium
Maintainer: Ludovico Cavedon <[email protected]>
Changed-By: Ludovico Cavedon <[email protected]>
Description:
 ntopng     - High-Speed Web-based Traffic Analysis and Flow Collection Tool
 ntopng-data - High-Speed Web-based Traffic Analysis and Flow Collection Tool (d
Closes: 854694 866722 878123 878129
Changes:
 ntopng (3.2+dfsg1-1) unstable; urgency=medium
 .
   * New upstream version 3.2 (Closes: #878129, #866722, #878123).
   * Update watch file for github.
   * Use pkg-info.mk for parsing changelog and remove legacy SVN code.
   * Remove no longer necessary lines from repackaging script.
   * Keep internal libluajit, as upstream patched it.
   * Do not remove UserGuide.*, and register UserGuide.pdf with doc-base and
     include it in the desktop file Documentation entry.
   * Make sure we rebuild the minified files from the upstream tarball.
   * Update copyright file.
   * Remove patches applied upstream:
     - Added-fixes-to-avoid-users-to-be-manipulated-with-in.patch
     - Avoid-access-after-free.patch
     - Avoid-access-to-unintialized-memory.patch
     - CVE-2017-7458.patch
     - CVE-2017-7459.patch
     - Check-for-presence-of-crsf-in-admin-scripts.patch
     - gcc-7.patch
   * Refresh patches.
   * Fix Documentation entry in systemd service file (Closes: #854694).
   * Replace priority extra with optional.
   * Make sure ntopng-add-user.sh is executable.
   * Update list of documentation/README files and move them into ntopng-data.
   * Build-Depend on libcap-dev.
   * Build-Depend on debhelper >= 9.20160709 instead of dh-systemd.
   * Bump Standards-Version to 4.1.2.
   * Use EtherOUI.txt file from libwireshark-data.
   * Update source lintian-overrides about source-is-missing false positives
     for js files.
   * Add missing symlink to fontawesome-webfont.woff2.


--- End Message ---