Hi Salvatore,

> The following vulnerabilities were published for davical.
>
> CVE-2019-18345[0]:
> | Reflected Cross-Site Scripting (XSS) vulnerability
>
> CVE-2019-18346[1]:
> | A CSRF issue was discovered in DAViCal through 1.1.8. If an
> | authenticated user visits an attacker-controlled webpage, the attacker
> | can send arbitrary requests in the name of the user to the
> | application. If the attacked user is an administrator, the attacker
> | could for example add a new admin user.
>
>
> CVE-2019-18347[2]:
> | A stored XSS issue was discovered in DAViCal through 1.1.8. It does
> | not adequately sanitize output of various fields that can be set by
> | unprivileged users, making it possible for JavaScript stored in those
> | fields to be executed by another (possibly privileged) user. Affected
> | database fields include Username, Display Name, and Email.
>
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
I've just uploaded davical 1.1.9.2-1 to unstable, which (to the best of our knowledge) contains complete fixes for all three CVEs, along with a few other things that have accumulated since the last regular release.

In order to provide a more targeted fix for Debian (old-)stable, I've cherry-picked the four relevant commits onto a "buster" branch and turned them into a quilt patch. The result can be inspected here:

https://gitlab.com/fsfs/davical/compare/master...buster

Unfortunately, I am unfamiliar with the security team procedures and I will be AFK for ten days from Saturday. If there's anything else I can still do until then, like making sure the patch fits onto the stretch and jessie versions as well, or upload fixed packages (how exactly? I've only ever uploaded to unstable and -backports...), please tell me and send pointers to more info!

Florian
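The two defect classes named in the CVE text above (unescaped output of user-set fields, and state-changing admin actions accepted without a request token) are illustrated below. This is an added example written for this page; it is not DAViCal's code and does not reflect how the 1.1.9.2 fixes were implemented. The function names, the `csrf_token` field name and the "add admin user" route are hypothetical.

```php
<?php
// Added illustration (not DAViCal code): vulnerable pattern beside the hardened
// form for each of the two issue classes described in the CVE text.
// Field names, helper names and the route are hypothetical.

declare(strict_types=1);

// --- Stored XSS (CVE-2019-18347): encode user-controlled fields at output time ---

// Vulnerable: a display name set by an unprivileged user is echoed raw, so any
// markup it contains is interpreted in the browser of whoever views the page.
function render_display_name_unsafe(string $displayName): string
{
    return "<td>" . $displayName . "</td>";
}

// Hardened: HTML-encode for the context the value lands in. ENT_QUOTES also
// encodes ' and ", so the same helper is safe inside attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_display_name(string $displayName): string
{
    return "<td>" . h($displayName) . "</td>";
}

// --- CSRF (CVE-2019-18346): tie state-changing requests to the user's session ---

// One random token per session, generated from a CSPRNG.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Embed the token as a hidden field in every form that changes state.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="' . h(csrf_token()) . '">';
}

// Check before acting: only POST is accepted, and the token is compared in
// constant time so the comparison itself leaks nothing about the secret.
function csrf_check(array $post): bool
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent) && hash_equals(csrf_token(), $sent);
}

// Usage sketch for a hypothetical "add admin user" handler:
//   session_start();
//   if (!csrf_check($_POST)) { http_response_code(403); exit('Invalid request'); }
//   ... create the user only after the check passes ...
```

The important design point is where each control lives: encoding belongs at the output point (not at storage time, since the same value may be rendered in HTML text, attributes or JavaScript), and the CSRF check belongs in front of every handler that mutates state, not only the ones considered sensitive.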

