Your message dated Thu, 03 Apr 2025 08:46:39 +0000
with message-id <[email protected]>
and subject line Bug#1101885: fixed in icingaweb2-module-reporting 1.0.4-1
has caused the Debian Bug report #1101885,
regarding icingaweb2-module-reporting: CVE-2025-27406
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1101885: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101885
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: icingaweb2-module-reporting
Version: 1.0.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for icingaweb2-module-reporting.

CVE-2025-27406[0]:
| Icinga Reporting is the central component for reporting related
| functionality in the monitoring web frontend and framework Icinga
| Web 2. A vulnerability present in versions 0.10.0 through 1.0.2
| allows to set up a template that allows to embed arbitrary
| Javascript. This enables the attacker to act on behalf of the user,
| if the template is being previewed; and act on behalf of the
| headless browser, if a report using the template is printed to PDF.
| This issue has been resolved in version 1.0.3 of Icinga Reporting.
| As a workaround, review all templates and remove suspicious
| settings.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-27406
    https://www.cve.org/CVERecord?id=CVE-2025-27406
[1] https://github.com/Icinga/icingaweb2-module-reporting/security/advisories/GHSA-7qvq-54vm-r7hx

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: icingaweb2-module-reporting
Source-Version: 1.0.4-1
Done: David Kunz <[email protected]>

We believe that the bug you reported is fixed in the latest version of
icingaweb2-module-reporting, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
David Kunz <[email protected]> (supplier of updated 
icingaweb2-module-reporting package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 02 Apr 2025 13:19:43 +0200
Source: icingaweb2-module-reporting
Architecture: source
Version: 1.0.4-1
Distribution: unstable
Urgency: medium
Maintainer: David Kunz <[email protected]>
Changed-By: David Kunz <[email protected]>
Closes: 1099373 1101885
Changes:
 icingaweb2-module-reporting (1.0.4-1) unstable; urgency=medium
 .
   * Adding Portuguese debconf translations from Américo Monteiro
     (Closes: #1099373).
   * Standardization of the control for icingaweb2 modules.
   * Merging upstream version 1.0.4 closing CVE-2025-27406
     (Closes: #1101885).

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQSQD23K0grRgZ+eimrWSi+uCV73mQUCZ+4/UAAKCRDWSi+uCV73
mZgoAQCqhisjQrXEzgk/QYpsGsUyU5YsEPkeKnexXyapyLf20gEAhd3S/N2rdLgt
pRWikec6xrDhy0ehUc887Lned+rGhAA=
=pIKl
-----END PGP SIGNATURE-----



--- End Message ---
