Your message dated Mon, 16 Jul 2012 18:47:20 +0000
with message-id <e1sqqkg-0001x4...@franck.debian.org>
and subject line Bug#681323: fixed in libjs-swfupload 2.2.0.1+ds1-2
has caused the Debian Bug report #681323,
regarding libjs-swfupload: XSS via ExternalInterface.call
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
681323: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681323
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libjs-swfupload
Version: 2.2.0.1+ds1-1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,
libjs-swfupload contains an XSS security vulnerability that allows attackers to
inject JavaScript code into the context of the current webpage.
As a Flash applet can be loaded directly (with parameters in the URL), the Flash
applet allows for reflected cross-site scripting. For sites where the applet is
hosted on the same domain as the main website, this is a serious security 
concern.

More information can be found here:
http://code.google.com/p/swfupload/issues/detail?id=376


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: libjs-swfupload
Source-Version: 2.2.0.1+ds1-2

We believe that the bug you reported is fixed in the latest version of
libjs-swfupload, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 681...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Welzel <gaw...@camlann.de> (supplier of updated libjs-swfupload package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 12 Jul 2012 14:52:12 +0200
Source: libjs-swfupload
Binary: libjs-swfupload
Architecture: source all
Version: 2.2.0.1+ds1-2
Distribution: unstable
Urgency: high
Maintainer: Christian Welzel <gaw...@camlann.de>
Changed-By: Christian Welzel <gaw...@camlann.de>
Description: 
 libjs-swfupload - javascript library to use Flash's upload functionality
Closes: 681323
Changes: 
 libjs-swfupload (2.2.0.1+ds1-2) unstable; urgency=high
 .
   * Security fix for XSS in ExternalCall (Closes: 681323)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlAEYDEACgkQHYflSXNkfP8g/QCeNgqgB5DWeqFuMoXXaLhMdKZx
4WsAoJjACZtlPXPB5916sFrVRj1N8LcX
=+SZG
-----END PGP SIGNATURE-----

--- End Message ---
