Date: Sat, 10 Nov 2012 06:42:01 -0500 (EST)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Cc: "Steven M. Christey" <coley@...us.mitre.org>, Michel Alexandre Salim <michel+fdr@...vestre.me>, Richard Jones <richard@...hanicalcat.net>, Ralf Schlatterbeck <rsc@...tux.com>
Subject: CVE Request -- roundup: Multiple XSS flaws plus other security related fixes corrected in upstream 1.4.20 version

Hello Kurt, Steve, vendors,

Roundup upstream has released new upstream 1.4.20 version, correcting multiple cross-site scripting (XSS) flaws (and a couple of other security related issues):

  http://pypi.python.org/pypi/roundup
  https://bugzilla.redhat.com/show_bug.cgi?id=722672

More from (plus relevant tickets inlined too, where possible to find out):
---------------------------------------------------------
[A] * issue2550729: Fix password history display for anydbm backend, thanks to Ralf Hemmecke for reporting. (Ralf)
  http://issues.roundup-tracker.org/issue2550729

[B] * issue2550684 Fix XSS vulnerability when username contains HTML code, thanks to Thomas Arendsen Hein for reporting and patch. (Ralf)
  http://issues.roundup-tracker.org/issue2550684

[C] * issue2550711 Fix XSS vulnerability in @action parameter, thanks to "om" for reporting. (Ralf)
  http://issues.roundup-tracker.org/issue2550711

[D] * Fix wrong execute permissions on some files, thanks to Cheer Xiao for the patch. (Ralf)

[E] * Fix another XSS with the "otk" parameter, thanks to Jesse Ruderman for reporting. (Ralf)

[F] * Mark cookies HttpOnly and -- if https is used -- secure. Fixes issue2550689, but is untested if this really works in browsers. Thanks to Joseph Myers for reporting. (Ralf)
  http://issues.roundup-tracker.org/issue2550689

[G] * Fix another XSS with the ok- and error message, see issue2550724. We solve this differently from the proposals in the bug-report by not allowing any html-tags in ok/error messages anymore. Thanks to David Benjamin for the bug-report and to Ezio Melotti for several proposed fixes. (Ralf)
  http://issues.roundup-tracker.org/issue2550724
---------------------------------------------------------

Cc-ed Ralf Schlatterbeck on this post too to clarify if issues [A] and [D] would also have security implications / IOW if those would be security flaws too. Ralf, please clarify. Thank you, Jan.

Could you allocate CVE ids for these (once clarified)?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
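The two mitigation patterns behind the 1.4.20 entries above, the HttpOnly/Secure cookie flags of [F] and the output escaping that removes the XSS vectors of [B], [C], [E] and [G], as an added Python example. This is not Roundup's own code and is not part of the original post: the function names make_session_cookie and render_message are hypothetical, the allow-list of actions is constructed for illustration, and the sample username payload is constructed test input.

```python
# Added example (not Roundup's code): the two hardening patterns that the
# 1.4.20 changelog entries describe, written against the standard library.
import html
from http.cookies import SimpleCookie

# Constructed allow-list standing in for a tracker's real action names.
# Validating @action against a fixed set means an attacker-controlled value
# is never echoed into the page at all, which is stronger than escaping it.
ALLOWED_ACTIONS = frozenset({"login", "logout", "edit", "search", "new"})


def make_session_cookie(name, value, is_https, path="/"):
    """Return a Set-Cookie header value for a session cookie.

    HttpOnly is always set so page scripts (including any injected by an
    XSS bug elsewhere) cannot read the session id; Secure is set only when
    the request arrived over HTTPS, because a Secure cookie is never sent
    on plain http:// and would break a tracker served without TLS.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = path
    morsel["httponly"] = True
    if is_https:
        morsel["secure"] = True
    # OutputString() renders e.g. "sid=abc; HttpOnly; Path=/; Secure"
    return morsel.OutputString()


def render_message(template, **fields):
    """Substitute user-controlled fields into a trusted HTML template.

    Every field is HTML-escaped (including quotes, so it is also safe inside
    attribute values) before substitution. This is the "no HTML tags in
    ok/error messages" rule: whatever the user typed is shown as text.
    """
    safe = {k: html.escape(str(v), quote=True) for k, v in fields.items()}
    return template.format(**safe)


def check_action(action):
    """Accept only a known action name; reject anything else without echoing
    the raw value back into the response (the [C] pattern)."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action")
    return action


if __name__ == "__main__":
    # Constructed payload: a username carrying a script tag.
    payload = "<script>alert(1)</script>"
    print(make_session_cookie("roundup_session", "abc123", is_https=True))
    print(make_session_cookie("roundup_session", "abc123", is_https=False))
    print(render_message('<p class="ok-message">Welcome, {user}</p>', user=payload))
    try:
        check_action('"><img src=x onerror=alert(1)>')
    except ValueError as e:
        print("rejected:", e)
```

The only flag that depends on request context is Secure; HttpOnly is unconditional. The escaping function takes the template from the application and the values from the request, never the other way round, which is the property the [G] fix restores.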