DSA 1937-1: New gforge packages fix cross-site scripting  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1937-1 security@debian.org
http://www.debian.org/security/ Steffen Joeris
November 21, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : gforge
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-3303


It was discovered that gforge, collaborative development tool, is prone
to a cross-site scripting attack via the helpname parameter. Beside
fixing this issue, the update also introduces some additional input
sanitising. However, there are no known attack vectors.


For the stable distribution (lenny), these problem have been fixed in
version 4.7~rc2-7lenny2.

The oldstable distribution (etch), these problems have been fixed in
version 4.5.14-22etch12.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 4.8.1-3.


We recommend that you upgrade your gforge packages.


Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch12.diff.gz
Size/MD5 checksum: 203139 67406308953934e8d68ca1cd97154023
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch12.dsc
Size/MD5 checksum: 953 2176dd5939538d180d60637d77260f19
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14.orig.tar.gz
Size/MD5 checksum: 2161141 e85f82eff84ee073f80a2a52dd32c8a5

Architecture independent packages:

http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.5.14-22etch12_all.deb
Size/MD5 checksum: 705438 d40c97c6f0d0823b966b48b9b1b7eb6f
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch12_all.deb
Size/MD5 checksum: 80534 c86b0696f707df2df400ef46838a2505
http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.5.14-22etch12_all.deb
Size/MD5 checksum: 1011566 644f57ac3a902d69369806763b29e484
http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.5.14-22etch12_all.deb
Size/MD5 checksum: 104034 43bb51625ea030e4bca2a1753720acd0
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_4.5.14-22etch12_all.deb
Size/MD5 checksum: 86598 801eb1462e783877698f8181e93c7d37
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.5.14-22etch12_all.deb
Size/MD5 checksum: 87402 9601350198b4a1c4946b26cbfc0089f0
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_4.5.14-22etch12_all.deb
Size/MD5 checksum: 88868 9c73567d60ede088fe7c952c0d575a22
http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.5.14-22etch12_all.deb
Size/MD5 checksum: 82348 ad231cb698733f3c3ce6cb65357aacee
http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.5.14-22etch12_all.deb
Size/MD5 checksum: 86318 448d7f114da5ef2188aa56f8dcd130f4
http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_4.5.14-22etch12_all.deb
Size/MD5 checksum: 95726 d6557e0016666a5e9c53f38fed49c322
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.5.14-22etch12_all.deb
Size/MD5 checksum: 88766 c78075b8eab9c9b3ead54716d10cf370
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.5.14-22etch12_all.deb
Size/MD5 checksum: 89386 2837d3a26850e5622294eb44aa49f3e2
http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.5.14-22etch12_all.deb
Size/MD5 checksum: 212746 1c48e12e5e61d5f56edd0de46884af52
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.5.14-22etch12_all.deb
Size/MD5 checksum: 76334 4e63c7735c92764d82dfdf4f742be2cb


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny2.dsc
Size/MD5 checksum: 1487 0b1ce8a3757f45818006361e1eeb8140
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny2.diff.gz
Size/MD5 checksum: 104727 3ce01d7387d05990a61a28e831a62f7b
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2.orig.tar.gz
Size/MD5 checksum: 10225404 bd24808ce79363d4c7c529778f6f5324

Architecture independent packages:

http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 100794 9e7c73b64c1929858089717fc32585b2
http://security.debian.org/pool/updates/main/g/gforge/gforge_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 92854 e9c5d38f5fc5a51fe417b38b6c359702
http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-scmcvs_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 129406 053272d5f4440d75825890ddd6bf5169
http://security.debian.org/pool/updates/main/g/gforge/gforge-common_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 1112528 77f4e8dc932777a36cf941a1bd5b10a8
http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-mediawiki_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 213574 14405a0cb843748ba77c691eaa60d4b6
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 101554 3aa3bb38dfc4a8bb3834f3397b03c688
http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 97364 7a73fb6cd3af0addda1076f68b4ceaa7
http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-postgresql_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 95108 3dac1b4c78f967488693d3efb8b9f1b0
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 88522 ffb28f911b5b5a638376cfaa598dc443
http://security.debian.org/pool/updates/main/g/gforge/gforge-plugin-scmsvn_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 122034 565dcc6c8acccfa4c6ae12121b774fa6
http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache2_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 1397340 47fdfdfda7355f12fe807d9f01e79d5c
http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 231012 3a6ff0778f890ca32ec7c8fae97ef996
http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 94622 b533f09eedfd0b9f29dd07d4f9e64e06
http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 106930 fcd1127a7c6c19ccf3c2a4a4931eb598
http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-courier_4.7~rc2-7lenny2_all.deb
Size/MD5 checksum: 88790 428a7b29217a916f004c085507128f88


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksHem4ACgkQ62zWxYk/rQc8OwCeL/MYC9AWieVtnpBrtzn8Z79L
EqQAnjfyotsvfsH2Y6qJ1aC4g9+K1xTU
=UVaP
-----END PGP SIGNATURE-----
"

DSA 1919-1: New smarty packages fix several vulnerabilitiesThe Big Reunion Festival gets ready to party

This entry was posted on 8:44 AM .