Your message dated Wed, 20 Sep 2006 03:32:04 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#388149: fixed in firefox-sage 1.3.6-3
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: firefox-sage
Severity: grave
Tags: security
Justification: user security hole


A vulnerability has been found in sage:

Multiple cross-site scripting (XSS) vulnerabilities in Sage 1.3.6
allow remote attackers to inject arbitrary web script or HTML via
JavaScript in a content:encoded element within an item element in an
RSS feed, as demonstrated by four example content:encoded elements
that use XMLHttpRequest to read arbitrary local files, aka "Cross
Context Scripting."

See e.g. http://www.gnucitizen.org/blog/cross-context-scripting-with-sage for
details.

Please mention the CVE id in the changelog.

There is also an open bug against sage about arbitrary Javascript execution, but
I don't know whether this is the same issue:
http://mozdev.org/bugs/show_bug.cgi?id=13744


--- End Message ---
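The report above describes the bug class rather than the patch: feed markup from a content:encoded element was rendered as live HTML inside the extension's own pages, so script carried in a feed ran with the reader's privileges instead of a remote site's, which is why an XMLHttpRequest in the payload could read local files. The block below is an added illustration of that difference, not Sage's code and not the Debian patch; the feed is constructed for the example, the regex-based extraction stands in for a real XML parser, and the function names are hypothetical. renderUnsafe concatenates the feed's markup into the reader's HTML (the vulnerable pattern), renderEscaped shows the policy the 1.3.6-3 changelog adopts, namely no HTML from feeds at all, by escaping the content so it displays as text.

```javascript
// Added example, not from the Sage extension or the Debian package.
// Shows why rendering content:encoded as HTML in the reader's own context is
// dangerous, and the "no HTML from feeds" policy as an escaping renderer.

// Constructed sample feed (hypothetical; not the advisory's payloads). The
// onerror handler is the kind of script the report describes: in a privileged
// context it can fetch a file:// URI that a web page could never read.
const SAMPLE_FEED = `<?xml version="1.0"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
 <channel>
  <title>Example feed</title>
  <item>
   <title>Post</title>
   <content:encoded><![CDATA[<p>hello</p><img src="x" onerror="var x=new XMLHttpRequest();x.open('GET','file:///etc/passwd',false);x.send();alert(x.responseText)">]]></content:encoded>
  </item>
 </channel>
</rss>`;

// Pull content:encoded out of every <item>, unwrapping a CDATA section.
// A real reader would use a proper XML parser; this is enough for the sample.
function extractEncodedContent(feedXml) {
  const items = [];
  const itemRe = /<item>([\s\S]*?)<\/item>/g;
  const encRe = /<content:encoded>([\s\S]*?)<\/content:encoded>/;
  let m;
  while ((m = itemRe.exec(feedXml)) !== null) {
    const e = encRe.exec(m[1]);
    if (!e) continue;
    let body = e[1].trim();
    const cdata = /^<!\[CDATA\[([\s\S]*)\]\]>$/.exec(body);
    if (cdata) body = cdata[1];
    items.push(body);
  }
  return items;
}

// Vulnerable pattern: feed markup is spliced straight into the reader's page,
// so any tag, script or event handler in the feed becomes live in that page.
function renderUnsafe(content) {
  return `<div class="item">${content}</div>`;
}

// Hardened pattern matching the changelog's policy: no HTML from feeds.
// Every markup-significant character is escaped, so the browser shows the
// feed's markup as text and never parses it as elements or handlers.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}
function renderEscaped(content) {
  return `<div class="item">${escapeHtml(content)}</div>`;
}

// Check used to compare the two renderers: does any tag other than our own
// wrapper <div> survive in the output? If so, feed markup reached the page.
function feedMarkupSurvives(html) {
  const tagRe = /<\/?([a-zA-Z][\w:-]*)\b[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m[1].toLowerCase() !== 'div') return true;
  }
  return false;
}

// Stand-alone demonstration.
for (const content of extractEncodedContent(SAMPLE_FEED)) {
  console.log('unsafe  keeps feed markup:', feedMarkupSurvives(renderUnsafe(content)));
  console.log('escaped keeps feed markup:', feedMarkupSurvives(renderEscaped(content)));
  console.log(renderEscaped(content));
}
```

Escaping everything is the blunt but reliable option and is what the changelog describes. If a reader wants to keep some formatting from feeds, the markup has to be rendered in an unprivileged context (an ordinary content document, not the extension's own pages) and passed through an allow-list sanitizer; the regexes above are not a sanitizer and should not be reused as one.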
--- Begin Message ---
Source: firefox-sage
Source-Version: 1.3.6-3

We believe that the bug you reported is fixed in the latest version of
firefox-sage, which is due to be installed in the Debian FTP archive:

firefox-sage_1.3.6-3.diff.gz
  to pool/main/f/firefox-sage/firefox-sage_1.3.6-3.diff.gz
firefox-sage_1.3.6-3.dsc
  to pool/main/f/firefox-sage/firefox-sage_1.3.6-3.dsc
firefox-sage_1.3.6-3_all.deb
  to pool/main/f/firefox-sage/firefox-sage_1.3.6-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alan Woodland <[EMAIL PROTECTED]> (supplier of updated firefox-sage package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 19 Sep 2006 19:14:12 +0100
Source: firefox-sage
Binary: firefox-sage
Architecture: source all
Version: 1.3.6-3
Distribution: unstable
Urgency: low
Maintainer: Alan Woodland <[EMAIL PROTECTED]>
Changed-By: Alan Woodland <[EMAIL PROTECTED]>
Description: 
 firefox-sage - lightweight RSS and Atom feed reader for Firefox
Closes: 388149
Changes: 
 firefox-sage (1.3.6-3) unstable; urgency=low
 .
   * HTML is no longer permitted in RSS feeds. Fixed a bug whereby HTML
     could be injected into output even if HTML option was turned off.
     Fixed: (Closes: #388149)
       CVE-2006-4711
       CVE-2006-4712
Files: 
 6bc521a734082dce732e0df5b8d3fdba 597 web optional firefox-sage_1.3.6-3.dsc
 cf24d1763f9037767d2a1a6b4f8b6b5c 12003 web optional firefox-sage_1.3.6-3.diff.gz
 beb17e6ade8893789b295c1a9d36fc57 146148 web optional firefox-sage_1.3.6-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFEGci1FNW1LDdr0IRAiFOAJ9ik0Y9DlfWSuJqYMmXZKVW1/5MnwCfVlfP
3PHl8O+8Af+H2v6lpD76Fus=
=O9hC
-----END PGP SIGNATURE-----


--- End Message ---