Your message dated Thu, 10 Apr 2025 12:35:06 +0200
with message-id <[email protected]>
and subject line Re: geshi: CVE-2025-2123
has caused the Debian Bug report #1102218,
regarding geshi: CVE-2025-2123
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1102218: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102218
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: geshi
Version: 1.0.9.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/GeSHi/geshi-1.0/issues/159
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for geshi.
CVE-2025-2123[0]:
| A vulnerability, which was classified as problematic, has been found
| in GeSHi up to 1.0.9.1. Affected by this issue is the function
| get_var of the file /contrib/cssgen.php of the component CSS
| Handler. The manipulation of the argument default-
| styles/keywords-1/keywords-2/keywords-3/keywords-4/comments leads to
| cross site scripting. The attack may be launched remotely. The
| exploit has been disclosed to the public and may be used.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-2123
https://www.cve.org/CVERecord?id=CVE-2025-2123
[1] https://github.com/GeSHi/geshi-1.0/issues/159
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: geshi
Source-Version: 1.0.8.4-2
Hi Sylvain
On Thu, Apr 10, 2025 at 11:42:22AM +0200, Sylvain Beucler wrote:
> Hi,
>
> On Sun, 06 Apr 2025 16:13:42 +0200 Salvatore Bonaccorso <[email protected]>
> wrote:
> > CVE-2025-2123[0]:
> > | A vulnerability, which was classified as problematic, has been found
> > | in GeSHi up to 1.0.9.1. Affected by this issue is the function
> > | get_var of the file /contrib/cssgen.php of the component CSS
> > | Handler. The manipulation of the argument default-
> > | styles/keywords-1/keywords-2/keywords-3/keywords-4/comments leads to
> > | cross site scripting. The attack may be launched remotely. The
> > | exploit has been disclosed to the public and may be used.
> cssgen.php is not shipped in the binary packages since #685324 (1.0.8.4-2)
> and even patched out in the source since 1.0.9.1-1.
>
> I believe we're <not-affected> here :)
> WDTY?
Thanks a lot for the analysis!
Have commited
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25ca46256d9e36c03466903c2e95d7adcfa0bf90
to the security tracker!
Regards,
Salvatore
--- End Message ---
