Bug#861926: jessie-pu: package php-tcpdf/6.0.093+dfsg-1

2017-05-05 Thread Laurent Destailleur (eldy)
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I request permission to upload a fix of package php-tcpdf to fix security bug
CVE-2015-3935 #814030
https://sourceforge.net/p/tcpdf/bugs/1005/

The fix is as simple as the following patch. Non-regression tested with success on
the packages "dolibarr" and "phpmyadmin".


Description: Set default value of K_TCPDF_CALLS_IN_HTML to false.
Author: Laurent Destailleur 
Forwarded: not-needed
Last-Update: 2013-07-29
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/config/tcpdf_config.php
+++ b/config/tcpdf_config.php
@@ -210,7 +210,7 @@
  * If true allows to call TCPDF methods using HTML syntax
  * IMPORTANT: For security reason, disable this feature if you are printing 
user HTML content.
  */
-define('K_TCPDF_CALLS_IN_HTML', true);
+define('K_TCPDF_CALLS_IN_HTML', false);
 
 /**
  * If true and PHP version is greater than 5, then the Error() method throw 
new exception instead of terminating the execution.
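Review bot: the DEP-3 header of this patch still carries "Last-Update: 2013-07-29", which predates this 2017 jessie-pu request and the CVE-2015-3935 fix it is meant to ship; refresh that date and add a "Bug-Debian: https://bugs.debian.org/814030" line (and a "Bug:" line for the upstream sourceforge report quoted above) so the patch stays traceable to the CVE. The hunk itself is the minimal change, flipping only the shipped default of K_TCPDF_CALLS_IN_HTML, which matches the advice in the surrounding comment to disable the feature when printing user HTML content; applications that define this constant in their own configuration keep their own value, so the non-regression tests on dolibarr and phpmyadmin mentioned in the request are the right check.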




-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-46-generic (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Bug#729538: [dolibarr] which module were in extended description

2013-11-27 Thread Laurent Destailleur (eldy)
Control: tag -1 +pending

On 14/11/2013 01:57, Filipus Klutiero wrote:
 Package: dolibarr
 Version: 3.3.4-3
 Severity: minor

 The extended description contains:
 Only the features that you need are visible, depending on which
 module were activated. 

 The persons in which module were activated disagree. module should
 read modules.

 By the way, please use a complete sentence to introduce the list
 (Most common used modules are: ).



-- 
Eldy (Laurent Destailleur).

EMail: e...@destailleur.fr
Web: http://www.destailleur.fr

Dolibarr (Project leader): http://www.dolibarr.org
To make a donation for Dolibarr project via Paypal: cont...@destailleur.fr
AWStats (Author) : http://awstats.sourceforge.net
To make a donation for AWStats project via Paypal: cont...@destailleur.fr
AWBot (Author) : http://awbot.sourceforge.net
CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net



Bug#728235: info

2013-11-06 Thread Laurent Destailleur (eldy)


On 05/11/2013 14:18, Henri Salo wrote:
 Confirmed. Maintainer, do you know the reason for this already, or do you need help?

 ---
 Henri Salo
Thanks.
No need for help: I have found the trouble and I will (or Raphael will)
push a fix soon.

-- 
Eldy (Laurent Destailleur).






Bug#378960: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681 CVE-2006-3682: multiple vulnerabilities

2006-07-21 Thread Laurent Destailleur (Eldy)

Charles Fry wrote:

Hi Laurent,

Can you please comment on these vulnerabilities, especially
CVE-2006-3681?

This vulnerability is true.


 Are these fixed in 6.6? When do you expect to release
6.6?
  
It is fixed in 6.6. I have just launched the beta for 6.6, meaning the
code in the current 6.6 package will not change (except for bug corrections
found during beta).

The beta lasts about 2 months.

I also updated the AWStats security page to report this vulnerability code:
http://awstats.sourceforge.net/awstats_security_news.php
It is hole #3 on this page.


thanks,
Charles

-Original Message-
  

From: Alec Berryman [EMAIL PROTECTED]
Subject: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681
CVE-2006-3682: multiple vulnerabilities
Date: Wed, 19 Jul 2006 22:32:54 -0400
To: Debian Bug Tracking System [EMAIL PROTECTED]
Reply-To: Alec Berryman [EMAIL PROTECTED], [EMAIL PROTECTED]

Package: awstats
Version: 6.5-2
Severity: serious
Tags: security


CVE-2006-3681: Multiple cross-site scripting (XSS) vulnerabilities in
awstats.pl in AWStats 6.5 build 1.857 and earlier allow remote attackers
to inject arbitrary web script or HTML via the (1) refererpagesfilter,
(2) refererpagesfilterex, (3) urlfilterex, (4) urlfilter, (5)
hostfilter, or (6) hostfilterex parameters, a different set of vectors
than CVE-2006-1945.

CVE-2006-3682: awstats.pl in AWStats 6.5 build 1.857 and earlier allows
remote attackers to obtain the installation path via the (1) year, (2)
pluginmode or (3) month parameters.

I have not verified either vulnerability.  The original advisory [1]
has sample exploits.

This is not the same as #364443 or #365909.  Sarge is probably affected.

Please mention the CVEs in your changelog.

Thanks,

Alec

[1] http://pridels.blogspot.com/2006/04/awstats-65x-multiple-vuln.html






  



--
Laurent Destailleur.
---
EMail: [EMAIL PROTECTED]
Web: http://www.destailleur.fr
IM: IRC=Eldy, Jabber=Eldy

AWStats (Author) : http://awstats.sourceforge.net
Dolibarr (Contributor) : http://www.dolibarr.com
CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
AWBot (Author) : http://awbot.sourceforge.net






Bug#364443: [Fwd: [CVE-2006-1945]: Cross-site scripting allows script injection in awstats 6.5 and earlier]

2006-04-26 Thread Laurent Destailleur (Eldy)

Charles Fry wrote:

Hi Eldy,

I assume that you already know about this, but I wanted to make sure.
Even better, I'd love to have a patch to fix it, so that we can patch up
Debian. :-)

thanks,
Charles

- Forwarded message from Micah Anderson [EMAIL PROTECTED] -

CVE-2006-1945 says:

Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5
and earlier allows remote attackers to inject arbitrary web script or
HTML via the config parameter.

http://pridels.blogspot.com/2006/04/awstats-65-vuln.html

This flaw exists because input passed to the config parameter in
awstats.pl isn't properly sanitised before being returned to the user.
This could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity. Also,
when doing the XSS vuln. check, the attacker will get full path disclosure.



Yes, I was aware.

1) For the path exposure, to fix it, you can change

   print "If not, you can run \"$dir\\tools\\awstats_configure.pl\"\nfrom command line, or create it manually.${tagbr}\n";

by

   print "If not, you can run \"awstats_configure.pl\"\nfrom command line, or create it manually.${tagbr}\n";


2) For the XSS, I don't think it's true (I can't see how it can be true).
The full query string is in 6.5 sanitized by the line
$QueryString = CleanFromCSSA($QueryString);
meaning there is never any javascript on generated web pages coming from
url parameters. So I can't see how a user can force AWStats to build
pages that contain XSS code coming from these parameters when these
parameters can't contain < nor >, absolutely required to execute javascript.
If I want to fix this hole, I have to add the sanitizing command
$QueryString = CleanFromCSSA($QueryString); but this is already done in
6.5. So I don't know how to fix this (if there is a hole). I didn't find
anywhere a way to exploit this announcement.



This affects version 6.5 (build 1.857) and earlier.

- End forwarded message -





--
Laurent Destailleur.
---