Bug#861926: jessie-pu: package php-tcpdf/6.0.093+dfsg-1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

I request permission to upload a fix of package php-tcpdf to fix security bug CVE-2015-3935 #814030 https://sourceforge.net/p/tcpdf/bugs/1005/

The fix is as simple as the following patch. Non-regression tested with success on the packages "dolibarr" and "phpmyadmin".

Description: Set default value of K_TCPDF_CALLS_IN_HTML to false.
Author: Laurent Destailleur
Forwarded: not-needed
Last-Update: 2013-07-29
--- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/config/tcpdf_config.php +++ b/config/tcpdf_config.php @@ -210,7 +210,7 @@ * If true allows to call TCPDF methods using HTML syntax * IMPORTANT: For security reason, disable this feature if you are printing user HTML content. */ -define('K_TCPDF_CALLS_IN_HTML', true); +define('K_TCPDF_CALLS_IN_HTML', false); /** * If true and PHP version is greater than 5, then the Error() method throw new exception instead of terminating the execution.

-- System Information:
Debian Release: jessie/sid
APT prefers trusty-updates
APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.19.0-46-generic (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
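Review bot: flipping the default of K_TCPDF_CALLS_IN_HTML to false at line 210 of config/tcpdf_config.php is the right mitigation for CVE-2015-3935 and matches the file's own comment that the feature must be disabled when printing user HTML content, but it is a behaviour change for any reverse dependency that relied on calling TCPDF methods from HTML, so the upload should carry a NEWS or changelog entry telling administrators to re-enable the constant deliberately in their own configuration if they need it. The DEP-3 header also predates the fix: refresh "Last-Update: 2013-07-29" and add a "Bug-Debian: #814030" line so the patch references the bug and CVE it closes.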
Bug#729538: [dolibarr] which module were in extended description
Control: tag -1 +pending

On 14/11/2013 01:57, Filipus Klutiero wrote:
> Package: dolibarr
> Version: 3.3.4-3
> Severity: minor
>
> The extended description contains:
>
>   Only the features that you need are visible, depending on which module were activated.
>
> The persons in which module were activated disagree. "module" should read "modules".
>
> By the way, please use a complete sentence to introduce the list ("Most common used modules are:").

-- 
Eldy (Laurent Destailleur).
EMail: e...@destailleur.fr
Web: http://www.destailleur.fr
Dolibarr (Project leader): http://www.dolibarr.org
To make a donation for Dolibarr project via Paypal: cont...@destailleur.fr
AWStats (Author) : http://awstats.sourceforge.net
To make a donation for AWStats project via Paypal: cont...@destailleur.fr
AWBot (Author) : http://awbot.sourceforge.net
CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
Bug#728235: info
On 05/11/2013 14:18, Henri Salo wrote:
> Confirmed. Maintainer, do you know the reason for this already, or do you need help?
>
> ---
> Henri Salo

Thanks. No need for help: I have found the trouble and I will (or Raphael will) push a fix soon.

-- 
Eldy (Laurent Destailleur).
Bug#378960: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681 CVE-2006-3682: multiple vulnerabilities
Charles Fry wrote:
> Hi Laurent,
>
> Can you please comment on these vulnerabilities, especially CVE-2006-3681?

This vulnerability is true.

> Are these fixed in 6.6? When do you expect to release 6.6?

It is fixed in 6.6. I have just launched the beta for 6.6, meaning the code in the current 6.6 package will not change (except for bug corrections found during the beta). The beta lasts about 2 months.

I also updated the AWStats security page to report this vulnerability code: http://awstats.sourceforge.net/awstats_security_news.php
It is hole #3 on this page.

> thanks,
> Charles
>
> -----Original Message-----
> From: Alec Berryman [EMAIL PROTECTED]
> Subject: [Pkg-awstats-devel] Bug#378960: awstats: CVE-2006-3681 CVE-2006-3682: multiple vulnerabilities
> Date: Wed, 19 Jul 2006 22:32:54 -0400
> To: Debian Bug Tracking System [EMAIL PROTECTED]
> Reply-To: Alec Berryman [EMAIL PROTECTED], [EMAIL PROTECTED]
>
> Package: awstats
> Version: 6.5-2
> Severity: serious
> Tags: security
>
> CVE-2006-3681: Multiple cross-site scripting (XSS) vulnerabilities in awstats.pl in AWStats 6.5 build 1.857 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) refererpagesfilter, (2) refererpagesfilterex, (3) urlfilterex, (4) urlfilter, (5) hostfilter, or (6) hostfilterex parameters, a different set of vectors than CVE-2006-1945.
>
> CVE-2006-3682: awstats.pl in AWStats 6.5 build 1.857 and earlier allows remote attackers to obtain the installation path via the (1) year, (2) pluginmode or (3) month parameters.
>
> I have not verified either vulnerability. The original advisory [1] has sample exploits. This is not the same as #364443 or #365909. Sarge is probably affected.
>
> Please mention the CVEs in your changelog.
>
> Thanks,
> Alec
>
> [1] http://pridels.blogspot.com/2006/04/awstats-65x-multiple-vuln.html

-- 
Laurent Destailleur.
---
EMail: [EMAIL PROTECTED]
Web: http://www.destailleur.fr
IM: IRC=Eldy, Jabber=Eldy
AWStats (Author) : http://awstats.sourceforge.net
Dolibarr (Contributor) : http//www.dolibarr.com
CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
AWBot (Author) : http://awbot.sourceforge.net
Bug#364443: [Fwd: [CVE-2006-1945]: Cross-site scripting allows script injection in awstats 6.5 and earlier]
Charles Fry wrote:
> Hi Eldy,
>
> I assume that you already know about this, but I wanted to make sure. Even better, I'd love to have a patch to fix it, so that we can patch up Debian. :-)
>
> thanks,
> Charles
>
> ----- Forwarded message from Micah Anderson [EMAIL PROTECTED] -----
>
> CVE-2006-1945 says:
>
> Cross-site scripting (XSS) vulnerability in awstats.pl in AWStats 6.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the config parameter.
>
> http://pridels.blogspot.com/2006/04/awstats-65-vuln.html
>
> This flaw exists because input passed to the config parameter in awstats.pl isn't properly sanitised before being returned to the user. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Also, when doing the XSS vuln. check, an attacker will get full path disclosure.

Yes, I was aware.

1) For the path exposure, to fix it, you can change

print "If not, you can run \"$dir\tools\awstats_configure.pl\"\nfrom command line, or create it manually.${tagbr}\n";

by

print "If not, you can run \"awstats_configure.pl\"\nfrom command line, or create it manually.${tagbr}\n";

2) For the XSS, I don't think it's true (I can't see how it can be true). The full query string is, in 6.5, sanitized by the line

$QueryString = CleanFromCSSA($QueryString);

meaning there is never any javascript on generated web pages coming from url parameters. So I can't see how a user can force AWStats to build pages that contain XSS code coming from these parameters, when these parameters can't contain, nor are absolutely required to execute, javascript. If I want to fix this hole, I have to add the sanitizing command

$QueryString = CleanFromCSSA($QueryString);

but this is already done in 6.5. So I don't know how to fix this (if there is a hole). I didn't find anywhere a way to exploit this announce.

> This affects version 6.5 (build 1.857) and earlier.
>
> ----- End forwarded message -----

-- 
Laurent Destailleur.